Information Security Risk Management – Achieving better outcomes
Information security managers and CISOs often treat all risks as bad and in need of mitigation. When communicating these strategies to business leaders, they present risks in a way that demonstrates a deep understanding of the technical challenges and adversaries the business faces. Yet they often overlook the fact that the person best placed to understand a risk, and to choose whether to accept or manage it, is the organisation’s CEO or board.
Let’s explore why CEO and board empathy is one of the most important attributes a CISO or security manager can have when explaining and presenting a strategy to manage information security risks.
Strategic Risk and its Business Context
CEOs make risk-related decisions every day. Deciding whether to enter a new market, acquire a competitor or invest in a new product all requires the CEO to understand the risks and weigh them up against the potential rewards.
For this reason, security leaders need to focus on reporting the business context of risks to the CEO and board, since strategic risk management is the lifeblood of business strategy. However, cyber and information security risks are often presented to the CEO as technical or compliance risks, where even the realisation of the risk into an issue has little strategic impact on the material future of the business.
Most business owners know that a low risk appetite often means low returns, which is why the risk-averse attitude of CISOs and security managers tends to put them offside with the board. In fact, history has shown that where one viewpoint might be that something is too risky for the business and should be shut down, an opposing strategic viewpoint is that it should be embraced and made the new norm. Losing the strategic context is easy when you are faced with an overabundance of operational risk, but it is this tactical focus that makes CEOs view their security leadership in an unfavourable light.
Take the concept of Shadow IT as an example. This article in Wired shows that, as the headline states, “A Little Rebellion is a Good Thing: The Rise of Shadow IT.” Within the last five years, agile research projects have been springing up everywhere in businesses, with teams often looking to cloud service providers to deliver capability that the internal corporate IT team would or could not provide. Then when security got involved, concerns were escalated to the board, with countless presentations showing critical security risks citing loss of control, greater attack surface and blatant disregard of corporate policy as reasons to shut things down.
Yet if the business had embraced the desire of its most forward-thinking team members to innovate and experiment, it could have adopted an approach that mitigates these risks while still providing the capability. In that way, the organisations that learned from shadow IT and managed these risks in a positive way created value from the initiative taken within the business.
Clearly, without proper risk management, shadow IT has the potential to introduce catastrophic failures, but the risks also highlight that the business lacked some fundamental flexibility in its approach to IT service provision. So the cry for help was noted, the risks were reframed as opportunities, and security was charged with ensuring cloud services could be leveraged with a security framework in place to control access, monitor usage, reduce the attack surface and ensure technical security controls were pervasive both on premises and in the cloud. This is how real strategic security risk management should work.
Cyber Security is a Business Enabler
Security that is too focused on preventing risks blocks the things a business is trying to do. This does not help the business succeed, since there is usually a good reason it is trying to introduce change. When the security function acquires this negative reputation, colleagues avoid engaging with it, which results in even riskier behaviour.
CISOs must encourage different ways of managing risks. One example is protective monitoring: improving the organisation’s monitoring of higher-risk systems, with a focus on detecting anomalous behaviour or misuse. This helps the business meet its strategic objectives while keeping it safe. Rather than saying no every time a change is proposed, say, “Absolutely yes, but we need to include the following capabilities in the solution to allow us to monitor those services from our security operations centre.”
The security team can then introduce the requirements relating to people, processes and technology into the architecture, design and productionising of that service to make it enterprise fit. This is security working as a strategic enabler to the business, where the rewards for risk taking are realised through collaboration across the technical, business and security teams.
Risk Management Collaboration
The goal of the CISO is to transform the way the business views cyber and information security risk, shifting the organisation’s collective mindset from risk prevention to risk management and supporting the business with new ways of nurturing innovation. Cyber security must be developed as a business enabler that allows the business to act rapidly, where capabilities like protective monitoring and real-time threat detection are used to scrutinise what is going on within a system rather than to block access to it.
If CISOs can change the security conversation to being supportive and enabling, then security will gain acceptance at board level and will stop being seen as nothing but an overhead that the business must tolerate.