A growing threat landscape rapidly made the CISO role one of the most influential C-level positions. It’s no surprise that the remit of CISOs keeps expanding, going significantly past the original cybersecurity goals of protecting infrastructure and data.
CISOs are getting much more deeply involved in organizations – beyond simple technology security matters. That includes an increasing focus on risk management, not just from a threat perspective – but also from an operational and business logic perspective.
In this article, we explain what risk management is in the context of the CISO role, why risk management has become so critical – and what CISOs can do to mitigate information security, operational and business risks in their organization.
- Introduction to CISOs and risk management
- The story behind CISOs and risk management
- How CISOs can reduce risk
Introduction to CISOs and risk management
CISO is short for Chief Information Security Officer, but with roles such as the Chief Information Officer (CIO) and Chief Security Officer (CSO) also in the mix, what exactly does the CISO role involve? And what do we mean when we talk about risk management? Let’s take a look.
What is the purpose of a CISO?
CISOs are responsible for information and data security across an organization. When you think about the origins of the role, it meant in practice that CISOs needed to guard against cybersecurity threats – intrusions, ransomware, and so forth.
Typically, a CISO would lead a team of cybersecurity experts who focus on practical aspects including perimeter defense, vulnerability management, and the like. The CISO would be responsible for planning threat prevention and for keeping an eye on the overall cybersecurity environment, with the goal to protect infrastructure and information assets from internal and external threats.
CISO vs. CIO and CSO
Where does the CISO stand compared with CIOs and CSOs? Thinking about C-level technology roles, the CIO is the most senior. Chief information officers almost always report directly to the CEO and are responsible for overall IT strategy – including IT investment, digital transformation, and so on.
In turn, in large enterprises, the CISO would report to the CIO – though in smaller organizations the CISO might also report directly to the CEO.
Where does the CSO fit in? It depends on the organization. CISO and CSO positions could be somewhat interchangeable, but you could think of a CSO as a C-level staffer responsible for organizational security in a more tangible or physical sense – and less so in an information security sense. Large organizations will have both a CSO and a CISO, in distinct roles.
The CISO role in practice
What does a CISO do on an everyday basis? Even from the outset, the CISO role was relatively complex – as you’d expect from a C-level role. One could divide CISO tasks into four key areas:
- Map systems, determine critical elements. Understanding what’s at risk is a key first step for CISOs: you can’t protect what you don’t know about. As part of this process, CISOs will determine which infrastructure, systems, and data are the most critical – and where loss of access can lead to the most damage.
- Protecting against threats. At the core, CISOs are there to protect organizations against threats – both internal and external. Using a mix of hardware, software and policies, CISOs guard against these threats – limiting the ability of cybercriminals to enter and abuse systems, or internal employees to cause havoc.
- Monitoring. Guarding against threats helps, but CISOs also need early warning systems – ensuring that security teams can rapidly respond to any evolving threats. This includes continuous system monitoring with early notification.
- Recovery and continuity. Protection helps but even for the most competent of CISOs there remains a risk of a successful breach. Responsiveness after a breach is critical to ensure continuity – including strategies to recover critical systems as soon as possible.
Though many of the above points touch on risk management, they do not add up to a comprehensive risk management strategy, so let’s take a closer look at what risk management is all about.
Understanding risk management
Every organization faces adverse events. By an adverse event, we mean the possibility of something going wrong and harming operations, or even the existence of the organization. Back in the day, it was things like droughts, storms or physical theft that businesses worried about.
Today’s companies face a different group of threats that are information technology related – cybercrime, infrastructure breakdown, data loss, etc. Each of these adverse events has a risk of occurring. Each risk carries an associated probability of the event happening – and an associated cost too.
Risk management, then, is the process of identifying, assessing, and mitigating these adverse events. The process of risk management looks roughly as follows:
- Risk identification and analysis. Your organization identifies potential adverse events that can negatively affect assets, processes, or outcomes. Next, you determine the potential costs associated with the risk – whether these would be minor and easily absorbed, or indeed catastrophic for your organization.
- Risk mitigation. Based on the outcome of the previous step, you’ll know whether a risk is acceptable – or whether you must put in place specific controls to mitigate the risk and avert a potentially disastrous outcome. Mitigation is not just about prevention – it also includes contingency plans to ensure that business operations continue should the worst happen.
- Risk monitoring. As the last step, effective risk management also means ongoing monitoring to spot changes in the risk landscape. Risk monitoring also helps your organization to spot an adverse event that has not yet occurred – but that is developing.
This is just an introduction to the typical steps an organization would take on the risk management road, and CISOs of course have specific prerogatives when it comes to risk management.
The story behind CISOs and risk management
Now that we have a clear view of the role of CISOs and what risk management entails, we can take a closer look at why risk management is becoming a key part of the CISO role.
Why is risk management so important to CISOs?
With almost every organization now depending on technology solutions for day-to-day operations, and with technology integrated ever more deeply into business processes, the distinction between technology and the rest of the business is becoming very thin.
To effectively manage the threats to technology provisioning, CISOs can no longer stick to tech alone – a CISO must focus on business aspects because information technology security problems are inherently business problems too. And vice versa.
In doing so, the CISO needs to look beyond traditional IT security tasks – protecting, responding, and so forth – and instead focus on risk assessment: finding the adverse events, both business-driven and IT-driven, that pose a threat to the organization.
Business processes tie into IT
As we suggested earlier, risk management is increasingly important to CISOs because of how business processes directly tie into IT, which in turn affects IT risks. In other words, the risks of IT failure are not just related to threats – internal business processes can also create risks.
Where CISOs focus purely on technical and external threats, without a risk management approach that takes the wider business context into account, they are limited in how much protection they can really offer the organization.
Genuine risk management that can properly compensate for risks requires intimate knowledge of business operations and their inherent dependencies. In other words, the CISO must understand the organization – how decisions are made, and which decisions are made – in order to design a security blueprint. A risk management approach is central to that process.
Threats may be hiding
Taking a business-first, risk-based approach also matters because security and operational threats can hide – sometimes in plain sight. Today’s CISOs know that security risks are not only of the cyber threat kind – the CISO’s task is to look beyond the obvious targets, e.g. data centers, IoT and edge computing.
Instead, security risks can hide within business processes. By taking a risk management approach, CISOs are better equipped to find the risks that are less obvious – and the risks that are within more complicated business processes.
CISOs also need to consider the risk of human error. In other words, what happens when staff make mistakes in their day-to-day duties – and what happens if something unexpected goes wrong in technology delivery?
The regulatory regime
As a final point, it’s worth looking into compliance risk. From an information technology viewpoint, compliance nowadays carries an enormous amount of weight. Frameworks including ISO 27001, HIPAA, and NIST 800-53 can lead to heavy fines where companies fail to meet minimum compliance standards. Loss of compliance can also lead to loss of clients, or difficulty gaining new business.
CISOs need to factor compliance into their approach to risk management. In other words, what is the risk of breaching compliance standards? And, what are the consequences of not meeting the minimum risk management standards contained within these compliance standards?
How CISOs can reduce risk
The CISO risk management process overlaps with the traditional CISO tasks described above, but by taking a risk management perspective a CISO can build in protection for a far wider range of adverse events.
When looking at information security threats, CISOs need to look beyond protection and fixes – instead, a risk management approach demands that CISOs assess what’s most at risk and what’s most costly to fix. That comes into play particularly given the increasing pressure on information security teams – with limited resources, security teams cannot mitigate all threats.
However, the CISO’s role is also to take into account the wider organization – and the underlying business processes. Some of the most dangerous threats may lie in these processes going wrong – and some apparently less serious threats can have significant impacts on processes. It is up to the CISO to identify where these real, significant risks lie.
Vendor and supplier risk also matters
Organizations increasingly depend on third-party vendors for data collection, transfer, and storage. Just using a cloud vendor, as almost every organization does nowadays, exposes a business to risks.
While CISOs will do their best to protect the technology infrastructure under their management against threats, CISOs must be equally vigilant when it comes to vendors. Here, too, CISOs should take a risk management approach – vendors require monitoring, and CISOs need to assess vendor security controls to ensure that your organization’s infrastructure and data are not at risk.
Link IT risk management to business risk management
It should be clear by now that the security and risk management remit of a CISO does not exist in a technology bubble isolated from the rest of the business. Risk management will already be integrated with many business functions – large organizations will devote significant resources to risk management across the organization.
CISOs should work closely with other business divisions to integrate risk management – pushing knowledge of technology risks into the broader risk management picture, while drawing on the organization’s overall risk assessment to determine how that impacts IT risk.
The CISO should push the organization towards risk reduction best practices, specifically for IT infrastructure – among many other things, for example:
- strict security patch deployment mechanisms, preferably automated;
- proper vendor support options for acquired systems, to ensure systems are always covered with new releases of firmware, drivers and technical assistance;
- reliable and regular security audits, performed either by in-house teams if they have the know-how or by reputable outside contractors, to provide a clear view of the current security panorama.
Some companies will not have the required resources to properly achieve all these goals, but there are services available that provide them – like TuxCare – to help the CISO perform their role more effectively.
Any IT risk that is known and allowed to stand, like an unpatched system or a server with a firewall misconfiguration, is directly translatable into business risk – data breach risk, non-compliance risk, reputational risk, financial risk, intellectual property theft risk or operational risk – and all, or in fact any, of these will cause great harm to the business.
A key part of the risk management process is communication and consultation – arguably, important details about risks will only emerge once engaging in wider discussions. In other words, truly assessing risks is a matter of gaining multiple perspectives.
For CISOs, this means communication down the chain of command – closely collaborating with staff members on the ground to fish out hidden risks. It also means clear communication with the C-suite: making sure that IT risks are known and fully understood.
Manage the conflict of interest
Risk management can also lead to a conflict of interest. For example, CIOs purchase and manage technology assets, which can create a conflict between cost considerations and keeping older assets in service, versus replacing them with new, secure, lower-risk assets.
Segregation of duties is therefore key – and CISOs should stand firm in their duties as risk managers to ensure that the technology that’s deployed supports risk management within your organization. Similarly, when it comes to business processes, efficiency can clash with risk aversion. Here, too, CISOs should ensure that IT security is never compromised for the sake of business efficiency.
The CISO role is not a narrow role. Yes, CISOs should look after cybersecurity – protecting infrastructure, applications, and data against internal and external threats. But doing so in an effective way implies a risk management approach.
It is risk management that is overarching – CISOs need a broad, deep view of risks across the business. This holistic view enables CISOs to effectively manage information security risks across the business.
CISOs must manage not just IT risks – but understand and influence risks right across the business, including the risks imposed by decisions taken by C-level executives.
Finally, CISOs need to accept that not every risk can be completely erased or avoided. Mitigation is important wherever possible, but in a large organization, some level of risk needs to be accepted and communicated to peers so that the organization can accommodate it.