August 19, 2021 - TuxCare expert team
A growing threat landscape rapidly made the CISO role one of the most influential C-level positions. It’s no surprise that the remit of CISOs keeps expanding, going significantly past the original cybersecurity goals of protecting infrastructure and data.
CISOs are getting much more deeply involved in organizations – beyond simple technology security matters. That includes an increasing focus on risk management, not just from a threat perspective – but also from an operational and business logic perspective.
In this article, we explain what risk management is in the context of the CISO role, why risk management has become so critical – and what CISOs can do to mitigate information security, operational and business risks in their organization.
CISO is short for Chief Information Security Officer, but with roles such as the Chief Information Officer (CIO) and Chief Security Officer (CSO) also in the mix, what exactly does the CISO role involve? And what do we mean when we talk about risk management? Let’s take a look.
CISOs are responsible for information and data security across an organization. When you think about the origins of the role, it meant in practice that CISOs needed to guard against cybersecurity threats – intrusions, ransomware, and so forth.
Typically, a CISO would lead a team of cybersecurity experts who focus on practical aspects including perimeter defense, vulnerability management, and the like. The CISO would be responsible for planning threat prevention and for keeping an eye on the overall cybersecurity environment, with the goal to protect infrastructure and information assets from internal and external threats.
Where does the CISO stand compared with CIOs and CSOs? Thinking about C-level technology roles, the CIO is the most senior. Chief information officers almost always report directly to the CEO and are responsible for overall IT strategy – including IT investment, digital transformation, and so on.
In turn, in large enterprises, the CISO would report to the CIO – though in smaller organizations the CISO might also report directly to the CEO.
Where does the CSO fit in? It depends on the organization. CISO and CSO positions can be somewhat interchangeable, but you could think of a CSO as a C-level staffer responsible for organizational security in a more tangible or physical sense – and less so in the information security sense. Large organizations will have both a CSO and a CISO, in distinct roles.
What does a CISO do on an everyday basis? Even from the outset, the CISO role was relatively complex – as you’d expect from a C-level role. One could divide CISO tasks into four key areas:
Though many of the above points touch on risk management, it does not make for a comprehensive risk management strategy, so let’s take a closer look at what risk management is all about.
Every organization faces adverse events. By an adverse event, we mean the possibility of something going wrong and harming operations or even the existence of the organization. Back in the day, businesses worried about things like droughts, storms or physical theft.
Today’s companies face a different group of threats that are information technology related – cybercrime, infrastructure breakdown, data loss, etc. Each of these adverse events carries a risk of occurring. With risk, there is an associated probability of the event happening – and an associated cost too.
Risk management then is the process of identifying, assessing, and mitigating against these adverse events. The process of risk management looks roughly as follows:
This is just an introduction to the typical steps an organization would take on the risk management road, and CISOs of course have specific prerogatives when it comes to risk management.
Now that we have a clear view of the role of CISOs and what risk management entails we can take a closer look at why risk management is becoming a key part of the CISO role.
With almost every organization now depending on technology solutions for day-to-day operations, and with technology integrated ever more deeply into business processes, the distinction between technology and the rest of the business is becoming very thin.
To effectively manage the threats to technology provisioning, CISOs can no longer stick to tech alone – a CISO must focus on business aspects because information technology security problems are inherently business problems too. And vice versa.
In doing so, the CISO needs to look beyond traditional IT security tasks – protecting, responding, and so forth – and instead focus on risk assessment: finding the adverse events, both business-driven and IT-driven, that pose a threat to the organization.
As we suggested earlier, risk management is increasingly important to CISOs because business processes tie directly into IT, which in turn affects IT risks. In other words, the risks of IT failure are not just related to threats – internal business processes can also create risks.
Where CISOs focus purely on technical and external threats, without taking a risk management approach that accounts for the wider business context, they are limited in how much protection they can really offer the organization.
True risk management that can meaningfully compensate for risks requires intimate knowledge of business operations and their inherent dependencies. In other words, the CISO must understand the organization – how decisions are made, and what decisions are made – in order to design a security blueprint. A risk management approach is central to that process.
Taking a business-first, risk-based approach also matters because security and operational threats can hide – sometimes in plain sight. Today’s CISOs know that security risks are not only of the cyber threat kind – the CISO’s task is to look beyond the obvious targets, e.g. data centers, IoT and edge computing.
Instead, security risks can hide within business processes. By taking a risk management approach, CISOs are better equipped to find the risks that are less obvious – and the risks that are within more complicated business processes.
CISOs also need to look at risk as the risk of making an error. In other words, what happens when staff make mistakes in their day-to-day duties – and what happens if something unexpected goes wrong in technology delivery?
As a final point, it’s worth looking into compliance risk. From an information technology viewpoint, compliance nowadays carries an enormous amount of weight. Failing to meet minimum compliance standards such as ISO 27001, HIPAA, and NIST 800-53 can lead to heavy fines. Loss of compliance can also lead to loss of clients, or difficulty gaining new business.
CISOs need to factor compliance into their approach to risk management. In other words, what is the risk of breaching compliance standards? And, what are the consequences of not meeting the minimum risk management standards contained within these compliance standards?
The CISO risk management process overlaps with the traditional CISO tasks described above, but by taking a risk management perspective the CISO can build in protection for a far wider range of adverse events.
When looking at information security threats, CISOs need to look beyond protection and fixes – instead, a risk management approach demands that CISOs assess what’s most at risk and what’s most costly to fix. That comes into play particularly given the increasing pressure on information security teams – with limited resources, security teams cannot mitigate all threats.
However, the CISO’s role is also to take into account the wider organization – and the underlying business processes. Some of the most dangerous threats may lie in these processes going wrong – and some apparently less serious threats can have significant impacts on processes. It is up to the CISO to identify where these real, significant risks lie.
Organizations increasingly depend on third-party vendors for data collection, transfer, and storage. Just using a cloud vendor, as almost every organization does nowadays, exposes a business to risks.
While CISOs will do their best to protect the technology infrastructure under their management against threats, they must be equally vigilant when it comes to vendors. Here, too, CISOs should take a risk management approach – vendors require monitoring, and CISOs need to assess vendor security controls to ensure that the organization’s infrastructure and data are not put at risk.
It should be clear by now that the security and risk management remit of a CISO does not exist in a technology bubble isolated from the rest of the business. Risk management will already be integrated with many business functions – large organizations will devote significant resources to risk management across the organization.
CISOs should work closely with other business divisions to integrate risk management – pushing knowledge of technology risks into the broader risk management picture, while drawing on the organization’s overall risk assessment to determine how that impacts IT risk.
The CISO should push the organization towards risk reduction best practices, specifically for IT infrastructure. Examples include strict security patch deployment mechanisms, preferably automated; proper vendor support options for acquired systems, so that systems are always covered by new releases of firmware and drivers and by technical assistance; and reliable, regular security audits, performed either by in-house teams if they have the know-how or by reputable outside contractors, to provide a clear view of the current security panorama – among many other things. Some companies will not have the resources required to properly achieve all these goals, but there are services available that provide them – like TuxCare – to help the CISO perform the role more effectively.
Any IT risk that is known and allowed to stand, like an unpatched system or a server with a firewall misconfiguration, is directly translatable into business risk – data breach risk, non-compliance risk, reputational risk, financial risk, intellectual property theft risk or operational risk – and all, or in fact any, of these can cause great harm to the business.
A key part of the risk management process is communication and consultation – arguably, important details about risks will only emerge once wider discussions take place. In other words, truly assessing risks is a matter of gaining multiple perspectives.
For CISOs, this means communication down the chain of command – closely collaborating with staff members on the ground to fish out hidden risks. It also means clear communication with the C-suite: making sure that IT risks are made known and fully understood.
Risk management can also lead to a conflict of interest. For example, CIOs purchase and manage technology assets, which can create a conflict between the cost of replacing older assets and the benefit of putting in place new, secure, low-risk assets.
Segregation of duties is therefore key – and CISOs should stand firm in their duties as risk managers to ensure that the technology that’s deployed supports risk management within the organization. Similarly, when it comes to business processes, efficiency can clash with risk aversion. Here, too, CISOs should ensure that IT security is never compromised for the sake of business efficiency.
The CISO role is not a narrow role. Yes, CISOs should look after cybersecurity – protecting infrastructure, applications, and data against internal and external threats. But doing so in an effective way implies a risk management approach.
It is risk management that is overarching – CISOs need a broad, deep view of risks across the business. This holistic view enables CISOs to effectively manage information security risks across the business.
CISOs must manage not just IT risks – but understand and influence risks right across the business, including the risks imposed by decisions taken by C-level executives.
Finally, CISOs need to accept that not every risk can be completely erased or avoided. Mitigation is important wherever possible, but in a large organization, some level of risk needs to be accepted and communicated to peers so that the organization can accommodate it.