How highly effective CISOs lean forward with proactive risk management

No executive wants to be blindsided by risks that should have been reasonably anticipated, especially the CEO, CFO, and board members. In the CISO Desk Reference Guide, Gary Hayslip, Bill Bonney, and I wrote extensively about how CISOs play a critical role in contextualizing digital and cyber risks to the organization’s broader enterprise risk management practices. Since the publication of the guide, the importance of contextualizing risk to an organization’s core strategy and initiatives has only increased.

The CISO role is fundamentally about managing risk. Historically, our role centered around relatively discrete areas of IT; namely, networks, operating systems, endpoints, and other devices. My, how things have changed. As the organizations we protect evolved to encompass new business models and adopt new technology, the range of risk factors that must be proactively managed has increased dramatically. It’s how we manage these new forms of risk and their potential impacts to our organizations that make our jobs so intriguing. Few professions demand currency like cybersecurity.

The quintessential challenge for CISOs is that existing risks don’t disappear as newer risks surface. There is effectively an ongoing “dogpile” of risk factors that we must manage. We earn our keep by prioritizing and resourcing risk treatment across a portfolio of risks that likely includes new risk factors that have no historical context for the organization but still require timely and effective treatment. The consequences of this risk-stacking dynamic cannot be overstated. Failure to keep current will result in the organization being blindsided by risks that could have been “reasonably” anticipated. Likewise, failure to do the basics of security hygiene will likely result in a security incident that can only be described as “Why did we not do ‘X,’ ‘Y,’ or ‘Z?’”

Effectively, our security programs need to be agile and forward-thinking while not forgetting the basics. There’s a lot of great advice in our community on developing security programs to address foundational security – the table stakes. But our role demands much more. I’ve always been curious as to how CISOs address new risks, those that seem to surface out of left field and catch companies flat-footed. I’m fortunate to live in a community where CISOs proactively collaborate and to have had a tenure at Gartner, where I spoke with CISOs from across the globe. I remain indebted to the community’s insights and perspectives on effective risk management.

This past quarter, I delved into this fundamental question: “How do CISOs rapidly evaluate and resource risk mitigation for new risks to their organizations while not undermining current activities and initiatives?” To help answer this question, I spoke with colleagues from disparate sectors. Each of these CISOs runs a large, multi-national security program and is, in my opinion, among the best in our profession. I wanted to distill their collective wisdom on how they proactively manage and resource effective cybersecurity risk management programs within their organizations.

Be seen and communicate effectively

The CISO role should not be buried deep in the org chart or behind a desk. The CISOs I spoke with are all exceptionally good communicators and skilled businesspeople. These CISOs are actively engaged, not only with their teams but, importantly, with their colleagues throughout the organization. In certain cases, this engagement was formalized with monthly status reviews with these stakeholders. For many, this engagement combined structured reviews with highly effective “water cooler” discussions that allowed risk topics to be addressed informally (where circumstances warranted). These CISOs have an intense curiosity about their business, their industry, and the initiatives of their colleagues. Formal risk discussions included standing agendas with corporate risk committees and direct communication with senior executives and the board. None of the CISOs went more than a month without some formal discussion on risk with key stakeholders. Every CISO emphasized the importance of maintaining a risk register to capture and track the status of identified risk factors and their treatment between these conversations.

Like so many other CISOs, this group is actively engaged in their regional CISO communities. These networks, be they informal or formal, are integral to keeping current with the threat landscape, effective responses, and the shifting dynamics of the role. I can personally vouch for how effective these communities are. I truly value my membership in the San Diego CISO Roundtable. Beyond community engagement, these CISOs were students of the industry and voracious readers.

Relate technology and cyber risks directly to the business

We work in a profession where new forms of technology constantly cross our desks. Whether it’s innovative uses of generative AI, the advent of microservices as an integral part of modern cloud architectures, or new must-have applications, our role has visibility into technological change that simultaneously provokes curiosity and paranoia as we quickly jump to our default mindset — “How will this be exploited?” Our proverbial “attack surfaces” seem to expand by the day.

The CISOs I spoke with were keenly aware of this dynamic. Maintaining currency was not left to chance.

They run highly effective, risk-focused security programs and are experts at relating technology, digital, and cyber risks to the business and its initiatives. These were not “the sky is falling,” over-the-top discussions to create fear with their colleagues. These were prudent, business-risk discussions that contextualized identified risks in terms of enterprise impacts – be they to finances, operations, reputation, or the omnipresent regulatory challenges we all confront. As an example, several CISOs described their discussions with organizational leaders regarding generative AI systems and the implications for their organization’s intellectual property (IP) if sensitive corporate data is loaded into these applications. While risks were conveyed in terms of business impacts, they were also quantified, and their impacts were not obscure. These CISOs excel at managing corporate resources and knowing the financial implications of their proposed risk mitigation recommendations.

Be effective stewards over corporate resources

Our security programs need to produce business value — be it reducing risks to agreed-to tolerances, ensuring compliance with regulations or contractual obligations, or highlighting how their effectiveness facilitates business development and client onboarding. This business value must be quantified. These CISOs highlighted the value of proactive business engagement to help finance risk treatment when new risks are discovered between budget cycles. Their acumen at managing professional security budgets cannot be overstated. All CISOs emphasized the ability to analyze inherent risk (prior to risk treatment) and the residual risk that remains post-control implementation. They understand and communicate the financial costs of “buying down risks.” This financial acumen engenders trust and confidence with senior executives, notably the CFO. These CISOs effectively had a reserve of goodwill with senior colleagues that could be called upon when new risks require material resources (be it financial, personnel, or time commitments). 

Unsurprisingly, these CISOs were well-versed in the status of the firm’s security portfolio of applications, tools, and services. Rationalizing these applications was integral to proactive cyber risk management. Renewal and expiry dates are used religiously to cull older security tools, services, and applications that should be put out to pasture, freeing up resources for new security services that better reflect the organization’s actual risk and threat landscape.

As the applications and services we rely upon to run our organizations continue to move to new technology, keeping our security tooling current requires continuous diligence. Our adversaries use automated techniques that operate at machine speed. This places enormous time pressure on our security stack and on our ability to respond promptly when risks materialize. The strategies these CISOs conveyed are clear examples of lean-forward risk management. Our profession requires nothing less.