Defining an organization's cybersecurity risk is a team effort.

October 11, 2016

Defining an organization’s cybersecurity risk is a team effort, as each department must strike a balance between risk mitigation and budgetary restraints. While an organization’s CISO focuses on cybersecurity, they depend on the C-suite to combine business operations and necessary security measures to find success.

CISOs should understand the enterprise’s potential risk from a broad, holistic view. To help consolidate this information, internal teams can estimate their individual threats in a collaborative process similar to large-scale risk management programs. Because cybersecurity risk level is a shared responsibility, it should not be determined by one team or individual.

Each focus area within a company is responsible for reducing their own types of risk. For instance, a CFO focuses on financial risk, while the CIO targets technology risks that can cause outages. But each initiative comes at a cost. Limited budgets make it difficult to decide which departments should receive funding for their respective programs. As sectors request funding for their own area of interest, CISOs should work with these departments to understand their respective degrees of security risk. This way, they can obtain funds for both the initiatives themselves as well as the security needed for implementation.

Without an understanding of the potential impact of cybersecurity risk, it’s nearly impossible to define risk tolerance and, as a result, obtain the funding needed to maintain it. To help define your organization’s cybersecurity risk level, ask yourself these two questions:

1.What specific threats are affecting our company now or in the future?

2.How much risk tolerance are we willing to accept?

Still, the success of a security program can be difficult to measure. Executives may not be willing to invest in an updated intrusion prevention system if they do not know exactly how much money it will save or whether it will improve customer experience. With this in mind, CISOs need to take a different approach when communicating with the C-suite. They must effectively communicate potential threats and estimated opportunity costs, emphasizing that this sector cannot be assessed according to conventional ROI measures.

There are multiple ways for organizations to track cybersecurity risk, but it’s important to note that industry-leading frameworks like NIST Cybersecurity Framework require input from divisions outside the security sector. CISOs can work with executives from other departments to evaluate their technology usage trends and individual problem areas, eventually compiling this feedback to create a comprehensive strategy.

Understanding cybersecurity as a shared responsibility means internal teams must work together to measure both their current and desired cyber risk. Though the CISO plays a vital role in analyzing risk, all C-suite partners must collaborate to voice the unique needs of each department and determine a solution that benefits everyone.

Sean Curran is a director in West Monroe Partners’ Security and Infrastructure practice, based in Chicago. He has more than 20 years of business consulting large-scale infrastructure experience across a range of industries and IT domains, including extensive work in the areas of data and information security.

David Chaddock is a manager in West Monroe Partners' Security and Infrastructure practice. He focuses on large-scale, enterprise applications with a concentration on Information Security and Business Intelligence.

Pandemics, Recessions and Disasters: Insider Threats During Troubling Times

ON DEMAND: The insider threat—consisting of scores of different types of crimes and incidents—is a scourge even during the best of times. But the chaos, instability and desperation that characterize crises also catalyze both intentional and unwitting insider attacks. Learn how your workers, contractors, volunteers and partners are exploiting the dislocation caused by today's climate of Coronavirus, unemployment, disinformation and social unrest.

Industrial Cybersecurity: What Every Food & Bev Executive Needs to Know

ON DEMAND: There's a lot at stake when it comes to cybersecurity. Reputation, productivity, quality. Join us to discuss the future of your global security strategy and a path forward with trusted partners Cisco and Rockwell Automation, and turn your Food & Bev security challenges into strategic advantages that drive business value.

Poll

Who has ownership or primary responsibility of video surveillance at your enterprise?

View Results

Poll Archive

Products

Effective Security Management, 7th Edition

Effective Security Management, 5e, teaches practicing security professionals how to build their careers by mastering the fundamentals of good management. Charles Sennewald brings a time-tested blend of common sense, wisdom, and humor to this bestselling introduction to workplace dynamics.

See More Products

Assessing Cybersecurity Risk Through CISO and C-Suite Collaboration

Defining an organization's cybersecurity risk is a team effort.

Get our new eMagazine delivered to your inbox every month.

Stay in the know on the latest enterprise risk and security industry trends.

Assessing Cybersecurity Risk Through CISO and C-Suite Collaboration

Defining an organization's cybersecurity risk is a team effort.

Related Articles

Get our new eMagazine delivered to your inbox every month.

Stay in the know on the latest enterprise risk and security industry trends.