Defining an organization's cybersecurity risk is a team effort.

October 11, 2016

Defining an organization’s cybersecurity risk is a team effort, as each department must strike a balance between risk mitigation and budgetary restraints. While an organization’s CISO focuses on cybersecurity, they depend on the C-suite to combine business operations and necessary security measures to find success.

CISOs should understand the enterprise’s potential risk from a broad, holistic view. To help consolidate this information, internal teams can estimate their individual threats in a collaborative process similar to large-scale risk management programs. Because cybersecurity risk level is a shared responsibility, it should not be determined by one team or individual.

Each focus area within a company is responsible for reducing their own types of risk. For instance, a CFO focuses on financial risk, while the CIO targets technology risks that can cause outages. But each initiative comes at a cost. Limited budgets make it difficult to decide which departments should receive funding for their respective programs. As sectors request funding for their own area of interest, CISOs should work with these departments to understand their respective degrees of security risk. This way, they can obtain funds for both the initiatives themselves as well as the security needed for implementation.

Without an understanding of the potential impact of cybersecurity risk, it’s nearly impossible to define risk tolerance and, as a result, obtain the funding needed to maintain it. To help define your organization’s cybersecurity risk level, ask yourself these two questions:

1.What specific threats are affecting our company now or in the future?

2.How much risk tolerance are we willing to accept?

Still, the success of a security program can be difficult to measure. Executives may not be willing to invest in an updated intrusion prevention system if they do not know exactly how much money it will save or whether it will improve customer experience. With this in mind, CISOs need to take a different approach when communicating with the C-suite. They must effectively communicate potential threats and estimated opportunity costs, emphasizing that this sector cannot be assessed according to conventional ROI measures.

There are multiple ways for organizations to track cybersecurity risk, but it’s important to note that industry-leading frameworks like NIST Cybersecurity Framework require input from divisions outside the security sector. CISOs can work with executives from other departments to evaluate their technology usage trends and individual problem areas, eventually compiling this feedback to create a comprehensive strategy.

Understanding cybersecurity as a shared responsibility means internal teams must work together to measure both their current and desired cyber risk. Though the CISO plays a vital role in analyzing risk, all C-suite partners must collaborate to voice the unique needs of each department and determine a solution that benefits everyone.

Sean Curran is a director in West Monroe Partners’ Security and Infrastructure practice, based in Chicago. He has more than 20 years of business consulting large-scale infrastructure experience across a range of industries and IT domains, including extensive work in the areas of data and information security.

David Chaddock is a manager in West Monroe Partners' Security and Infrastructure practice. He focuses on large-scale, enterprise applications with a concentration on Information Security and Business Intelligence.

You must login or register in order to post a comment.

ON DEMAND: DevSecOps creates an environment of shared responsibility for security, where AppSec and development teams become more collaborative. With the right training and tools, developers can become more hands-on with security and, with that upskilling, stand out among their peers... however, they need the security specialists on-side, factoring them into securing code from the start and championing this mindset across the company.

ON DEMAND: The insider threat—consisting of scores of different types of crimes and incidents—is a scourge even during the best of times. But the chaos, instability and desperation that characterize crises also catalyze both intentional and unwitting insider attacks. Learn how your workers, contractors, volunteers and partners are exploiting the dislocation caused by today's climate of Coronavirus, unemployment, disinformation and social unrest.

Security Magazine

2020 November

This month, Security magazine brings you the Security 500 Report, Rankings and Thought Leader Profiles. How does your enterprise compare to others? Which security programs are leading the way? Also this month, we highlight how to plan, prepare for and build resilience to protests and other unplanned events, video surveillance tools for SMBs and more.

View More Create Account

Assessing Cybersecurity Risk Through CISO and C-Suite Collaboration

Defining an organization's cybersecurity risk is a team effort.

Related Articles

Report Abusive Comment