When we think of who takes the risk with cybersecurity, it can help to think of a military mission. Who is taking the risk of its failure?
Is it the general back at headquarters? The overall responsibility, he (or she) would say, lies with him as commander. He is accountable to his troops and his superiors for the success of the mission.
Is it the colonel in intelligence providing information about enemy forces? If the information he (or she) provides is lacking and leads to the loss of troops or the failure to secure the target, he will carry a lot of the blame.
Is it the captain leading his (or her) troops into enemy territory? He will bear personal risk as well as responsibility for the men and women under his command.
Is it the troops who are following orders? They, too, are taking risk, especially where they had a chance to express their concerns.
Surely, it is all of them. And the people taking the greatest risk are those who are putting their lives at risk.
Who Is Taking the Greatest Risk?
Who, then, is taking cyber risk?
Is it the board and top management, who decide how much of their scarce resources to invest in breach prevention, detection and response? Is it the CRO, who provides information to leadership on risk, including cyber risk? Is it the CISO and her team, who actually defend the enterprise? Or is it the business leaders whose initiatives are damaged, or worse, should there be a security incident?
Surely, it is all of them. And the people taking the greatest risk are the owners of the initiatives and enterprise objectives.
Sometimes Taking Risk Is a Good Thing
McKinsey recently published a post on this topic. It raises some interesting points but, in my opinion, misses some critical ones.
What I found especially challenging was the authors’ assertion that many companies have left cybersecurity to the sole purview of the CISO, with little involvement from the risk officer. That can’t be the right approach, because the CISO is not the one taking the cyber risk.
I agree with McKinsey that there has to be a partnership between operating management, the CISO, the CRO, and the CIO. It takes all of these affected and accountable individuals and teams to:
- Understand the level of risk cyber represents to the organization and its objectives.
- Determine whether that level of risk is acceptable.
- Agree on the appropriate corrective actions, if any.
- Know how to include cyber risk in decision-making, not only by the technical staff but by operating and top management.
- Allocate the right level of resources to address cyber risk given the competing needs of the business and other initiatives.
Sometimes, it is right to take the cyber risk. Better returns may be obtained from alternative uses of scarce resources.
It’s unfortunate that many, if not most, organizations don’t know how to assess cyber risk in a way that allows it to be compared with other business risks. (I’m working on a book on this topic.) That concept of being willing to take cyber risk is a missing element of the McKinsey discussion. Board members and top executives are familiar with the idea, but lack the tools.
The CRO should work with the CISO to provide leaders with the intelligence they need to make informed and intelligent decisions before they embark on their missions, plans, initiatives and so on.
Where is the enemy, how strong are they, and do they represent a threat to the success of our initiative?
What do you think of the McKinsey piece?
(By the way, I thoroughly dislike the interpretation of the Three Lines of Defense in which the risk function is described as a second-line function ‘overseeing’ the first-line CISO team. The CRO is not there to provide oversight; he or she should be there to provide assistance!)