
Don’t leave cyber security to the CISO

In the last month, I have shared four posts about cyber security, with special attention to the board:


I was planning to move to a different topic, but then two more pieces hit my screen (and came close to damaging it):

Both pieces rely on, and share, the perspective of practitioners. Both also show an unhealthy failure to understand what directors need: actionable, business-focused information. (I recognize that most directors don’t know what they need, because they are poorly advised by consultants and others.)


Sadly, I find little of value to quote from the first piece. While it seems to recognize that cyber should not be left to the CISO to handle by him or herself, it doesn’t reflect any understanding that, as I explained in my earlier posts, money and time spent on cyber come at the cost of spending those limited resources on something else: another source of risk, or an opportunity.

Executives and the board need to be able to decide where to spend time and money based on risk and reward and how to best achieve objectives.


The second piece has at least one useful sentence:

As fiduciaries of all their company’s assets, Board members must increasingly look to their business judgements in making tactical and longer-term decisions regarding cybersecurity.

However, the author goes astray when he resorts to the ‘best practices’ idea for determining what the right level of cyber security is for the organization.


No, the level of investment in cyber security should be a business decision, based on:

  • How a breach might affect the organization, its potential effect on the achievement of enterprise objectives
  • Whether that effect is acceptable or not, for example whether the cost of reducing the risk is more than the value of the reduction
  • Where else the resources could be deployed
  • What is best for the organization as a whole


Fortunately, there are practitioners and thought leaders that have the right idea.

One of those is Hans Læssøe. I recommend his books and his latest post, Effective Risk Reporting. He says:

An important element of risk management is related to risk reporting i.e., how do you convey the results of the risk management process to management.

Starting with the end of the sentence “to management” means the reporting must be defined in such a way and with such content that management finds this relevant and valuable. Now here is the first hurdle. Management is working with business performance rather than managing risks. As such, management does not, and should not be specially concerned about risks.

Executives know very well that there are risks and opportunities involved in whatever you do, and that every choice or decision they make becomes a choice between sets of risks and opportunities. This however does make them take their eyes off the ball – performance.

To be relevant and valuable to management, we – the risk profession, have to adjust our management reporting to be performance centric rather than risk centric.

Hans is very much aligned with me and my risk management books on this.

He covers, for example, the need to recognize that the level of ‘risk’ is not a point but a range. He also suggests a graphic for reporting the likelihood of achieving enterprise objectives (which he refers to as targets).


Assessing the potential effect of a breach or other source of risk, and then making the informed and intelligent business decision that is necessary for success, requires a constructive partnership between the CISO (with his or her technical insights) and the business.

Leaving this to the CISO is gambling.

Allowing the discussion to be in the language of technobabble (such as the “risk to information assets”) will not lead to the right business decision.

The discussion should be business-oriented, performance-oriented, and (if possible) mutually agreed on by the CISO and business leaders. On occasion, that will mean taking more cyber risk than the CISO believes is right – because it is right for the business to take the risk.

Once the business risk is known, the technical frameworks, perhaps including FAIR (Factor Analysis of Information Risk), might be used to determine where within cyber to invest.

I leave you with this thought of Hans on his LinkedIn profile:

Risk management can do more than make you safe when the boat is rocking. Intelligent risk taking makes you able and ready to be the one rocking the boat.


I welcome your thoughts.

