What is the best background for your organization’s top security leader?
In today’s cybersecurity landscape, it simply doesn’t matter. What matters is how a modern CISO approaches the role and amplifies its uniqueness from other C-suite positions.
In fact, I would offer that the modern CISO is not a technical or even a compliance role; it is a risk management role that requires subject matter expertise in the nature of an organization’s risk and the means required to mitigate it. Even more important is the ability to translate risk into the language that every C-suite member understands: money.
Balancing Technology and Compliance
Both technology and compliance are critical knowledge areas of an effective cybersecurity practice. In larger organizations, cybersecurity requires the participation of legal, compliance, human resources, and technology. For the champion of this effort, the CISO, the most important capability that person can bring is strong risk management. Risk management, that is, understanding the nature of a risk, its likelihood, and the cost if it happens, weighed against the cost of mitigating it, is the core formula of a successful cybersecurity program.
Risk management strikes the balance between too much focus on technology and too much focus on compliance. When we bring too strong of a technology focus, we tend to err toward more systems, products, and services to solve perceived risks. We’ll buy the latest XDR, SIEM, CASB, or other hyped acronyms, hoping we can fill all possible security gaps by simply buying things.
Two immediate problems can result. First, too many technologies almost always means they are not being used effectively. Keeping a team current enough to ensure everything is configured correctly is expensive in itself, and after all the licensing has been paid, that is often the cost the business skips. Second, we may have created a security program that is more expensive than the actual risk it protects us from. This means we are protecting ourselves from potential future losses with actual present expenses.
When the focus tips too far toward compliance, we are no longer buying our way to security; we are auditing our way there. We pursue certifications, design controls, and prove our teams are following those controls one to four times a year. This can rapidly become “check-the-box” security, meaning we do the bare minimum at every point to meet the compliance requirements. But we are not making cybersecurity part of our culture. We are also leaving truck-sized gaps in security wherever compliance standards have not kept up with the creativity of cyber threats.
Why is a risk management approach the solution? Because at its core are two concepts – creativity and cost justification.
Creativity
Creativity isn’t a word many people would associate with risk management, but the reality is, good risk management requires creativity. In the world of risk management, we must be thinking about all the things which can go wrong. We must dream about worst-case scenarios. There’s a seemingly unlimited range of things that can happen and have a negative business outcome. Creativity is a key skill in thinking of these. If we think about cybersecurity risk, the bad actors themselves are going to be creative. They will try new ways to get in because the old ways have already been blocked. Cybersecurity defense must be met with equal amounts of creativity.
Unrestrained creativity has its downside, though. We can think of events that would be unlikely to happen, and if we tried to protect against everything we think of, we would not be able to afford to run our business. Most companies do not include a meteor strike in their risk plans (unless they build satellites), even though it is a risk to all companies. It is such a statistically unlikely risk that it does not even make the risk register. So, we turn to the risk manager’s other skill: cost justification. The formula we discussed earlier, the chance of the risk times the cost of the risk compared with the cost of mitigation, becomes the threshold that decides which of the ideas we can imagine actually get written down.
Cost Justification
Having a risk management mindset means the CISO will be able to assess the likelihood of technical risks and calculate the business impact if the risk were to become a reality. This approach can provide the cost justification to decide the most effective way to mitigate the risk.
Are there market solutions that cost less than the impact? Is the risk itself small enough so it is cheaper just to pay the cost if it happens? Can the cost of mitigation be shared with other risks?
With a good understanding of the cost of each risk, and confidence that no real risks have been missed, the CISO can have a meaningful conversation with the CEO, CFO, and other business leaders about a recommended strategy. The modern CISO is not going to ask for money just because the business “needs” some cybersecurity program. Rather, the CISO goes to the business and shows how an investment of X dollars will prevent the loss of Y dollars.
Just as a business will invest in future gains, it should also be willing to invest in preventing future losses.
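The formula above (likelihood times cost of the risk, compared with the cost of mitigation) and the three cost-justification questions can be run over a whole risk register. The following is an added example, not code from the article or its author: a small Python screen that drops risks below a register threshold (the meteor strike), splits a shared control's cost across the risks it covers, picks the control with the best net benefit for each risk, and accepts a risk when every control costs more than it prevents. Every risk name, probability, dollar figure, reduction factor and threshold is constructed for illustration; the loss-weighted cost split and the register threshold are assumptions, not the article's method.

```python
"""Expected-loss screening of a risk register (added example, not from the article).

Risk figures, control costs, reduction factors and the register threshold below
are constructed for illustration only.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    annual_probability: float  # likelihood the event occurs within a year (0..1)
    impact: float              # cost to the business if it does, in dollars

    def expected_loss(self) -> float:
        """The article's core formula: chance of the risk times cost of the risk."""
        return self.annual_probability * self.impact


@dataclass(frozen=True)
class Mitigation:
    name: str
    annual_cost: float
    covers: tuple    # names of the risks this control addresses
    reduction: float  # fraction of expected loss the control removes (assumed, 0..1)


def allocate_cost(mitigation, risks_by_name):
    """Share one control's cost across the risks it covers, weighted by expected loss.

    This answers "can the cost of mitigation be shared with other risks?" by charging
    each covered risk only its proportional slice of the control (an assumption).
    """
    covered = [risks_by_name[n] for n in mitigation.covers if n in risks_by_name]
    total = sum(r.expected_loss() for r in covered)
    if total == 0:
        return {r.name: mitigation.annual_cost / len(covered) for r in covered}
    return {r.name: mitigation.annual_cost * r.expected_loss() / total for r in covered}


def evaluate_register(risks, mitigations, register_threshold=1_000.0):
    """Decide per risk: 'not registered', 'mitigate' (with the best control) or 'accept'."""
    risks_by_name = {r.name: r for r in risks}
    shares = {m.name: allocate_cost(m, risks_by_name) for m in mitigations}
    decisions = {}
    for r in risks:
        el = r.expected_loss()
        if el < register_threshold:
            # Too unlikely or too cheap to be worth writing down (the meteor strike).
            decisions[r.name] = {"decision": "not registered", "expected_loss": el}
            continue
        best = None
        for m in mitigations:
            if r.name not in m.covers:
                continue
            cost = shares[m.name][r.name]
            prevented = el * m.reduction
            candidate = {"control": m.name, "cost": cost,
                         "prevented": prevented, "net": prevented - cost}
            if best is None or candidate["net"] > best["net"]:
                best = candidate
        if best is not None and best["net"] > 0:
            decisions[r.name] = {"decision": "mitigate", "expected_loss": el, **best}
        else:
            # Cheaper to pay the loss if it happens than to buy any control on offer.
            decisions[r.name] = {"decision": "accept", "expected_loss": el}
    return decisions


def business_case(decisions):
    """Totals for the conversation with the CFO: X dollars invested prevents Y dollars of loss."""
    invest = sum(d["cost"] for d in decisions.values() if d["decision"] == "mitigate")
    prevented = sum(d["prevented"] for d in decisions.values() if d["decision"] == "mitigate")
    return invest, prevented


def sample_register():
    """Constructed sample data; none of these figures come from the article."""
    risks = [
        Risk("ransomware", 0.10, 2_000_000),
        Risk("lost_laptop", 0.25, 200_000),
        Risk("meteor_strike", 1e-7, 100_000_000),
        Risk("vendor_invoice_fraud", 0.20, 10_000),
    ]
    mitigations = [
        Mitigation("endpoint_controls", 100_000, ("ransomware", "lost_laptop"), 0.8),
        Mitigation("immutable_backups", 30_000, ("ransomware",), 0.5),
        Mitigation("insurance_rider", 5_000, ("vendor_invoice_fraud",), 1.0),
    ]
    return risks, mitigations


if __name__ == "__main__":
    decisions = evaluate_register(*sample_register())
    for name, d in decisions.items():
        print(f"{name:22s} {d['decision']:15s} expected loss ${d['expected_loss']:,.0f}")
    invest, prevented = business_case(decisions)
    print(f"Invest ${invest:,.0f} to prevent ${prevented:,.0f} of expected annual loss")
```

With the constructed figures, the shared endpoint control is charged 80,000 to ransomware and 20,000 to the laptop risk, which beats the backup-only option on net benefit; the invoice-fraud rider costs more than the 2,000 it would prevent, so that risk is accepted; and the meteor strike never reaches the register.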
Summary
Technical and compliance backgrounds are important, as they frame the nature, likelihood, and type of risk, but on their own they do not give the CISO the best vocabulary to explain the importance of the program to the business. A CISO well-versed in the language and skills of risk management helps ensure that the business has that vital conversation. It also lets the CISO earn the trust of the other business leaders by “showing their work” in terms of cost justification. This makes every future request for funding simpler, because risk and cost justification become the standard way of communicating.
All in all, CISOs come from a variety of backgrounds, and strong technology and compliance understanding is critical to success. But when CISOs adopt risk management as their primary skill and “business language,” they will find it easier to advocate for and support their programs. This, in turn, will make their companies safer, with fewer risks becoming a reality.