CISOs DO Own the Risk
Defense in Depth
CISOs often feel excluded from company leadership. But do they need to step up and own risk to earn that seat?
Check out this post by Allan Alford, host of The Cyber Ranch Podcast, for the discussion that is the basis of our conversation on this week’s episode, co-hosted by me, David Spark, the producer of CISO Series, and Ross Young, CISO-in-residence, Team8. Our guest is Jeroen Schipper, CISO, Gemeente Den Haag.
Creating authority
Before CISOs can effectively manage risks, they must establish their authority. Gabe Silva of Manasec pointed out that there is often a chicken-and-egg dynamic where "CISOs never claimed risk because they had no authority, compared to CISOs were not given authority because they claimed no risk." The key is for CISOs to proactively assert their expertise and align with the organization's priorities. Jordon Kelly of Re-Thinking the Human Factor also highlighted the importance of clearly defining roles, responsibilities, and accountability in risk management, noting that "if a risk owner holds overall accountability, then whatever that risk is, if it exceeds a threshold for any reason, that would mean that nobody other than the risk owner can be reprimanded, disciplined or removed from the role in that instance." CISOs must navigate this web of authority, alignment, and accountability to drive risk reduction initiatives within their organizations.
Don’t reinvent the wheel
CISOs fail to leverage the existing expertise and tools of traditional operational risk management, according to Scott Ernst of Brown & Brown. "Quantifying operational risk and its financial impact has been the language of risk management and the language of the C-Suite and the Board of Directors for decades," noted Ernst. By tapping into this established discipline, CISOs could communicate risk more effectively in terms the business already understands. Cyber risk should be managed as a business risk, not siloed under the CISO.
Accountable for quality
CISOs struggle with the perception that their role is to manage cyber risk within an organization. Duane Gran of Converge Technology Solutions Corp. challenges the notion that CISOs "own the risk," arguing that legal counsel or the CFO don't own the risk of getting sued or missing revenue targets. Instead, Gran believes, “We should be accountable for the quality of our advice and leadership.” CISOs must view their role through the lens of "near-peers," like the CFO or CTO. "They all put their neck on the line for how they manage different types of risk," said Rich Mason of Critical Infrastructure. The key question is whether the CISO is "risk-consulting or risk-managing"; the former may limit their ability to sit at the table.
Make the distinction clear
The distinction between "owning" and being "accountable" for risk is an important one to establish as a "golden rule." Peter Berlich of Fernfachhochschule Schweiz cautioned against “co-owning risk,” which could become "a recipe for diffusing accountability." Berlich clearly distinguishes "owning the risk process ≠ owning the risk, the latter to be owned by the business." The CISO should provide expert guidance, recommendations, and accountability for the security-related aspects of risk, while the business owns and manages the overall risk landscape.
Please listen to the full episode on your favorite podcast app, or over on our blog where you can read the full transcript. If you’re not already subscribed to the Defense in Depth podcast, please go ahead and subscribe now.
Thanks to our other unwitting contributors: John Mumford of Fellsway Group and Paul Watts of the Information Security Forum.
Thanks to our podcast sponsor, Fenix24 and Conversant Group
Subscribe to Defense in Depth podcast
Please subscribe via Apple Podcasts, Spotify, YouTube Music, Amazon Music, Pocket Casts, RSS, or just type "Defense in Depth" into your favorite podcast app.
Super Cyber Fridays!
Join us Friday [01-24-25], for "Hacking Platformization"
Join us Friday, January 24, 2025, for “Hacking Platformization: An hour of critical thinking of how stitching together data, tools, and processes is necessary for the success of your security program.”
It all begins at 1 PM ET/10 AM PT on Friday, January 24, 2025, with guests Elad Koren, vice president, product management, Palo Alto Networks, and a special guest (that means we’re still in booking mode). We'll have a fun conversation and games, plus at the end of the hour (2 PM ET/11 AM PT) we'll do our meetup.
Thanks to our Super Cyber Friday sponsor, Palo Alto Networks
LIVE!
Cyber Security Headlines - Week in Review
Make sure you register on YouTube to join the LIVE "Week In Review" this Friday for Cyber Security Headlines with CISO Series reporter Richard Stroffolino. We do it this and every Friday at 3:30 PM ET/12:30 PM PT for a short 20-minute discussion of the week's cyber news. Our guest will be Quincy Castro, CISO, Redis.
Thanks to our Cyber Security Headlines sponsor, ThreatLocker
Cyber chatter from around the web...
Jump in on these conversations
"Get far away from SOC?" (More here)
"Could a malware possibly inject itself into a BIOS?" (More here)
"Why are you still in this field?" (More here)
Coming Up On Super Cyber Friday...
Coming up in the weeks ahead on Super Cyber Friday we have:
[01-24-25] Hacking Platformization
Save your spot and register for them all now!
Thank you!
Thank you for supporting CISO Series and all our programming
We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!
Everything is available at cisoseries.com.
Interested in sponsorship? Contact me, David Spark.