Information security managers and CISOs often report as though all risks are bad and need mitigation strategies. When communicating these strategies to business leaders, they present risks in a way that demonstrates a deep understanding of the technical challenges and adversaries the business faces. Yet they often overlook the fact that the person best placed to understand a risk, and to choose whether to accept or manage it, is the organisation’s CEO or board.
Let’s explore why CEO and board empathy is one of the most important attributes a CISO or security manager can have when explaining and presenting a strategy to manage information security risks.
CEOs make risk-related decisions every day. Deciding whether they should enter a new market, acquire a competitor or invest in a new product, all require the CEO to understand the risks and weigh them up against potential rewards.
For this reason, security leaders need to focus on reporting the business context of risks to the CEO and board, since strategic risk management is the lifeblood of business strategy. However, cyber and information security risks are often presented to the CEO as technical or compliance risks, where even the realisation of the risk into an issue has little strategic impact on the material future of the business.
Most business owners know that a low risk appetite often means low returns, which is why a risk-averse attitude among CISOs and security managers tends to put them offside with the board. In fact, history has shown that where one viewpoint holds that something is too risky for the business and should be shut down, an opposing strategic viewpoint holds that it should be embraced and made the new norm. Losing the strategic context is easy when you are faced with an overabundance of operational risk, but it is this tactical focus that makes CEOs view their security leadership in an unfavourable light.
Take the concept of Shadow IT as an example. This article in Wired shows that, as the headline states, “A Little Rebellion is a Good Thing: The Rise of Shadow IT.” Within the last five years, agile research projects have been springing up everywhere in businesses, with teams often looking to cloud service providers to deliver capability that the internal corporate IT team would or could not provide. Then when security got involved, concerns were escalated to the board, with countless presentations showing critical security risks citing loss of control, greater attack surface and blatant disregard of corporate policy as reasons to shut things down.
Yet if the business embraced the desire of its most forward-thinking team members to innovate and experiment, an approach that allows the business to mitigate these risks while providing the capability could be adopted. In that way, the organisations that learned from shadow IT and managed these risks in a positive way created value from the initiative taken in the business.
Clearly, without proper risk management, shadow IT has the potential to introduce catastrophic failures, but the risks highlight that the business lacked some fundamental flexibility in its approach to IT service provision. So the cry for help was noted, the risks were reframed as opportunities, and security was charged with ensuring cloud services could be leveraged with a security framework in place to control access, monitor usage, reduce the attack surface and ensure technical security controls were pervasive both on-premises and in the cloud. This is how real strategic security risk management should work.
Security that is too focused on preventing risks blocks the things a business is trying to do. This doesn’t help the business succeed since there is often a good reason they are trying to introduce change. When the security function in the business acquires this negative reputation, colleagues avoid engaging them, which results in even riskier behaviour.
CISOs must encourage different ways of managing risks, such as protective monitoring solutions that improve the organisation’s approach to monitoring systems of higher potential risk, with a focus on detecting anomalous behaviour or misuse. This helps the business meet its strategic objectives while simultaneously keeping it safe. Rather than saying no every time a change is proposed, say, “Absolutely yes, but we need to include the following capabilities in the solution to allow us to monitor those services from our security operations centre.”
The security team can then introduce the requirements relating to people, processes and technology into the architecture, design and productionising of that service to make it enterprise fit. This is security working as a strategic enabler to the business, where the rewards for risk taking are realised through collaboration across the technical, business and security teams.
The goal of the CISO is to transform the way the business views cyber and information security risk, shifting the organisation’s collective mindset from risk prevention to risk management, offering support to the business through new ways of helping nurture innovation. Cyber security must be developed as a business enabler that allows the business to act rapidly, where capabilities like protective monitoring and real-time threat detection are used to scrutinise what’s going on within a system rather than blocking access.
If CISOs can change the security conversation to being supportive and enabling, then security will gain acceptance at board level and will stop being seen as nothing but an overhead that the business must tolerate.