At the risk of stating the obvious, I’ll state something that should be easily recognized, though I imagine it is not often fully considered: cyber risk decisions are business risk decisions. With every configuration change, technology implementation, staffing hire (or reduction), cloud adoption, API integration, security architecture decision, and so many other facets of information security, it becomes clearer that these decisions are deeply interwoven into the very fabric of the organization. Service delivery, revenue generation, brand, the ability to execute on day-to-day operations, and even culture are all intertwined with those cyber program elements. That is not to say that the CxO should be, or wants to be, knee-deep in those program elements, but executives need to trust that the CISO and his/her team fully understand how their decisions impact and support the organization and its risk tolerance.
Short of having unlimited budget and staffing, which is unrealistic for nearly all organizations, each decision to address risk represents an opportunity cost. And opportunity costs need to reflect a firm appreciation for where time and spend can best be allocated, given a list of value-added priorities and strategies to execute against. This is why creating business cases for any spend is so critical, given the plethora of opportunity costs that every investment represents.
Based on an older Forbes article, I understand that the previous CEO of Caterpillar (Doug Oberhelman) had a sign in his office that read: “A desk is a dangerous place from which to view the world.” I would venture to say that those words of wisdom should be front and center for every executive, across every organization. This is especially true for Information Security executives, as we seek to understand how our team’s priorities should be established against identified opportunity costs, and to develop comprehensive cyber risk management strategies. Admittedly, my younger self in early Infosec leadership roles thought that the view from my desk was pretty good and was all that was often needed. Collaboration consisted of speaking with those on my team and identifying applicable threats and risk exposure from gaps in the program. From an opportunity cost perspective, my view of the world (or at least my little slice of it) was narrow and therefore limited my ability to be strategic in a holistic approach that could properly influence cyber risk decisions in the context of the broader business. Simply put, it’s hard to protect the business if you don’t understand the business.
A story I’ve shared in some industry presentations is that even some initial “successes” in getting buy-in from an Executive Committee, which provided funding for >90 percent of my recommended three-year roadmap, became a significant challenge because I had failed to view the world away from my desk and engage other leaders in that roadmap creation. So, while funding was approved, my team’s ability to execute on those initiatives was tied largely to dependencies on other areas of IT to test, deploy, and sometimes even administer the solution. As you’ve probably guessed, those teams had competing priorities of their own that prevented them from committing the resources necessary for my team to deliver against our approved roadmap within the timeframe proposed. That led to increased conflict (which I’ve heard defined as “two or more people living in the same zip code”), and those were powerful lessons learned.
The intersection between building relationships and cyber risk management, in what I’ve shared, lies simply in the recognition that risks cannot be addressed in isolation, and that a collaborative approach is absolutely required for Information Security leaders to help the business understand the risks it faces, as well as the implications of opportunity costs from decisions to mitigate, transfer, or accept those risks into or out of the organizational fabric. Regardless of the framework selected (NIST CSF, ISO 27001/2, CIS-20, etc.), an effective cyber risk management approach will have a collaborative and relationship-focused mindset at its core: one that engages various stakeholders for their initial input and ongoing feedback, and that provides a mechanism for continuous assessments that capture risks across the ecosystem from cradle to grave.
If wisdom is the application of knowledge, then one might argue that our cybersecurity profession as a whole is still in high school in terms of its understanding of, and integration into, the business. As we collectively mature and widen the net by partnering with as large a part of our organizations as possible, attaining a more balanced approach to cyber risk management will better yield the results we all seek, while simultaneously moving us from the teenager who knows everything about everything to the college graduate who has recognized that there may just be someone smarter in the room. So here’s to a career of learning for us all that will lead to deeper value in the organizations we serve, and perhaps even a hard-knocks doctorate as we pursue that cyber risk management wisdom.