TL;DR: A CISO's job is to build out a risk management program that measures and treats risk, whether technical, human, or otherwise. As a member of the leadership team, the CISO then has to help the business understand those risks so it can make an informed decision about how to proceed. The part of the organization that owns a given risk area is responsible for selecting the risk treatment. A CISO has failed only if they have not properly measured the risk and informed the stakeholders of it.

Imagine this scenario:
A CEO and a CISO stand in front of a pit of spikes, and there is a giant pot of gold on the other side of the pit. The CISO surveys the landscape and informs the CEO that there is a pit full of spikes in front of him. The CEO has his eye on the horizon, sees only the pot of gold, and wants to run towards it. The CISO informs the CEO of the risk and of the options for getting to the pot of gold. If the CEO decides to run at the pot of gold despite the warnings, then the CEO has effectively accepted the risk of landing on the spikes, and the CISO has done his job by informing the CEO of that risk.
I acknowledge this is a bit of an extreme example, because who encounters pits full of spikes these days?! A great CISO would not only have informed the CEO that there was a pit of spikes, but would also have pointed out that some spikes have been worn down by the misfortune of those who came before, and that there is therefore a safer route across. Maybe a bridge can be built over the spikes to reach the other side safely. While the bridge takes more time to build, it makes reaching the pot of gold far more likely, and the cost of that time is itself part of the trade-off the business has to weigh.
In all of these scenarios, the CISO's job is to identify risk by understanding the business, the technology, and the people. The CISO then must measure the risk and communicate it to the business owner of that risk. The business owner can then decide to avoid the risk, mitigate it, or accept it (or, where possible, transfer it, for example through insurance) and proceed accordingly. One can turn away from the pit of spikes, build a bridge, or accept the fact that it's a pit of spikes and go for the gusto regardless.
All too often a security incident is immediately blamed on the CISO, but if the CISO has done their job properly, then the incident is most likely the consequence of an informed decision made by the appropriate stakeholder. If your CISO is identifying risks and then handling the risk acceptance himself, he is setting both himself and your organization up for failure: the people who own the business outcome never had the chance to make the decision that was theirs to make.