Assessing Cybersecurity Risk Through CISO and C-Suite Collaboration

Defining an organization's cybersecurity risk is a team effort.

Defining an organization’s cybersecurity risk is a team effort, as each department must strike a balance between risk mitigation and budgetary restraints. While an organization’s CISO focuses on cybersecurity, they depend on the C-suite to combine business operations and necessary security measures to find success.

CISOs should understand the enterprise’s potential risk from a broad, holistic view. To help consolidate this information, internal teams can estimate their individual threats in a collaborative process similar to large-scale risk management programs. Because cybersecurity risk level is a shared responsibility, it should not be determined by one team or individual.

Each focus area within a company is responsible for reducing their own types of risk. For instance, a CFO focuses on financial risk, while the CIO targets technology risks that can cause outages. But each initiative comes at a cost. Limited budgets make it difficult to decide which departments should receive funding for their respective programs. As sectors request funding for their own area of interest, CISOs should work with these departments to understand their respective degrees of security risk. This way, they can obtain funds for both the initiatives themselves as well as the security needed for implementation.

Without an understanding of the potential impact of cybersecurity risk, it’s nearly impossible to define risk tolerance and, as a result, obtain the funding needed to maintain it. To help define your organization’s cybersecurity risk level, ask yourself these two questions:

1.What specific threats are affecting our company now or in the future?

2.How much risk tolerance are we willing to accept?

Still, the success of a security program can be difficult to measure. Executives may not be willing to invest in an updated intrusion prevention system if they do not know exactly how much money it will save or whether it will improve customer experience. With this in mind, CISOs need to take a different approach when communicating with the C-suite. They must effectively communicate potential threats and estimated opportunity costs, emphasizing that this sector cannot be assessed according to conventional ROI measures.

There are multiple ways for organizations to track cybersecurity risk, but it’s important to note that industry-leading frameworks like NIST Cybersecurity Framework require input from divisions outside the security sector. CISOs can work with executives from other departments to evaluate their technology usage trends and individual problem areas, eventually compiling this feedback to create a comprehensive strategy.

Understanding cybersecurity as a shared responsibility means internal teams must work together to measure both their current and desired cyber risk. Though the CISO plays a vital role in analyzing risk, all C-suite partners must collaborate to voice the unique needs of each department and determine a solution that benefits everyone.

Sean Curran is a director in West Monroe Partners’ Security and Infrastructure practice, based in Chicago. He has more than 20 years of business consulting large-scale infrastructure experience across a range of industries and IT domains, including extensive work in the areas of data and information security.

David Chaddock is a manager in West Monroe Partners' Security and Infrastructure practice. He focuses on large-scale, enterprise applications with a concentration on Information Security and Business Intelligence.

ON DEMAND: Business-impacting events such as severe weather, man-made disasters, and supply chain disruption are increasing in frequency and making impacts around the globe.

In today's rapidly evolving security landscape, organizations face an ever-growing array of disruptive events, security threats and risks. Traditional reactive approaches to security intelligence often leave businesses vulnerable and ill-prepared to anticipate and mitigate emerging threats that could impact the safety of their people, facilities or operations.