How CISOs can work with the C-suite to define the cybersecurity risk level
Defining the cybersecurity risk level for any organization should be a collaborative effort that balances the need for risk mitigation with fiscal responsibility. Although the CISO is primarily focused on cybersecurity, the ultimate goal is to run a successful business. As a result, the CISO will rely on the cooperation of their C-Suite colleagues to strike the right balance between operational business needs and security and so reach a successful outcome.
A truly effective CISO understands that defining the cybersecurity risk level for both current and desired levels requires a holistic view of the enterprise with buy-in and support from each functional team. The collaboration process should be similar to large-scale enterprise risk management programs requiring input from internal teams to determine a rating for the enterprise as a whole.
No single team or individual could, or should, define a cybersecurity risk level in a silo. Whether measuring the current state or defining the desired future state, the outcome will likely impact the entire organization and is therefore a shared responsibility.
Each functional area of a company will be tasked with reducing risk within their perceived circle of influence. For example, the CFO will be focused on financial risk and the profitability of certain investments, with the CIO focused on technology risks that could lead to outages. Ultimately, the changes or future initiatives requested by these groups to limit their risk all come with a price tag.
When all departments are competing for a finite amount of resources and budget, it is extremely important that the requestor be able to easily articulate the risk and explain the potential impacts to the enterprise. Without an understanding of the risk and potential impact if that risk were to be realized, it is next to impossible to define an acceptable cybersecurity risk tolerance and obtain the support and funding needed to maintain that level of tolerance. In short, there are two parts to managing the cybersecurity risk level:
1. Define the threats, current risks and desired acceptable risk tolerance for the organization.
2. Obtain funding to reach and maintain the desired risk tolerance going forward.
However, unlike the programs run by other members of the C-Suite, the success of a security program is more difficult to measure. Investment in more servers to accommodate more customer traffic can be justified easily with evidence of fewer outages and better performance. Investment in a new intrusion prevention system or a more effective endpoint protection solution cannot be justified in terms of financial savings or improved customer experience.
You cannot quantify the ROI when it may be unclear if the solutions prevented an attack, or the company was simply never targeted. The CISO will therefore need to ensure the threats, risks and potential opportunity costs are clear and easily understood by their C-Suite counterparts and not focused entirely on traditional ROI measures.
There are numerous methodologies and frameworks available to help organizations measure their security posture, or their cybersecurity risk level. However, the industry-leading frameworks, such as NIST CSF or C2M2, all require input from departments outside of the security team.
Regardless of whether the organization is required to meet specific regulatory or industry compliance requirements, or is internally motivated to protect sensitive data, systems and assets, there are multiple ways to achieve the same result, each with its own price tag. The CISO can work in conjunction with other executives to find synergies and opportunities for combined efficiencies that benefit everyone. For instance, many CFOs are focused on implementing technology to generate greater reporting detail and accuracy, while the CISO is focused on limiting exposure of sensitive data.
Both objectives require the organization to know where its data is located and to drive a single source of truth. Combined, the projects can avoid the duplicated task of data discovery, which requires less effort and drives cost efficiency. Only through collaboration with their C-Suite partners can the CISO identify these synergies.
Each organization’s cybersecurity strategy needs to be holistic. The CISO plays a pivotal role in driving the security of the enterprise, but only with a combined commitment and support from all C-Suite partners can the organization truly reach a risk tolerance that all parties are comfortable with.