In today's world, the most successful CISOs would agree that cybersecurity is an enterprise risk/business risk issue much more than an IT issue. This approach causes us to focus on the 'what' and 'why' before we start looking at the 'how'. We are first focused on solutions to business issues and then we deal with technological solutions.
Today, many companies are in the early stages of broadening their cybersecurity practice into a cyber risk practice, recognizing how integral that practice is to meeting the trust commitments they make to their customers. According to a 2017 PwC study, just 9% of executives believe their organizations have what they'd characterize as a "high" or "very high" cyber risk maturity. Part of this could be due to the organizational dilemma that the CISO needs to manage.
Cybersecurity/cyber risk management is tightly connected to a company's enterprise risk program. And it can create a level of tension between the CISO and CIO. Both have the same goal - the success of the company. But how it should be accomplished (e.g. risk mitigation vs. operational performance) can conflict. The CISO needs to focus on addressing/minimizing business risk, which at times can conflict with operational priorities. This can often occur when assessing and remediating vulnerabilities and the impact that can have on service delivery and performance metrics.
With risk being the focus, it makes sense for CISOs to report to the organization's Chief Risk Officer, explains Steve Katz, who became the world's first CISO at Citigroup and had also been the security executive at JP Morgan and Merrill Lynch.
"If we view the world of the CISO as the Chief Information Risk Officer, then we are focusing efforts on reducing business risk where security is embedded in the process," said Katz, who is currently the Owner of Security Risk Solutions, LLC and mentors a number of CISOs. "In highly regulated industries, such as finance, healthcare and energy, the CRO is responsible for overseeing market risk, operating risk, financial risk, product risk, etc. Security is a key component of operating risk and really has to be viewed through a business risk lens," added Katz, who will be speaking at HMG Strategy's 2018 New York CISO Executive Leadership Summit on April 5, 2018 at the Grand Hyatt New York.
CISOs need to be "trusted business advisors" that help companies to define their risk appetite and to identify alternative ways to mitigate risk in ways that are understandable to the C-suite, explains Katz.
"Also, by having the CISO report to the risk area, you move away from the notion that security is a technology issue, and move it into the realm of business risk," Katz added. "It's really a difference in perspective. You need to take the emphasis off of it as a technology problem. Technology is how it's going to get accomplished, while the risk issue requires more of a business focus on what and why. By reporting to the CRO, you stand a better chance of getting the C-suite to understand the risks associated with cybersecurity."
A Split Role for CISOs
Despite the risk management bent for cybersecurity, CISOs will still need to retain technological skills. The challenge is that the more CISOs move into a 'risk role', the more likely it is that the level of technological skills required will move from 'expert' to 'proficient' to 'knowledgeable'.
"Going forward, I think we will see a split role," said Katz. "Having the CISO act as both the Chief Information Risk Officer and as the Chief Information Technology Officer is a daunting challenge. Some CISOs have done an amazingly good job of balancing the two. Others have hired a solid technology person to back them up."
To help ensure that cybersecurity and enterprise risk strategies are brought into alignment with one another, Katz recommends an extensive cyber risk awareness program directed to business executives and the C-suite. He also recommends implementing a series of tabletop exercises to test potential incidents and to make sure that executives and other participants are brought into the exercise to develop adequate muscle memory to respond to and resolve issues as they arise.
"When (former NYC Mayor) Rudy Giuliani was interviewed after 9/11 as to why things went as smoothly as they did, he pointed to how city agencies had developed an incident response playbook and tested it and tested it over and over again until they had it down to muscle memory."
To help guide a company's risk appetite, Katz says that the most successful CISOs he's seen clearly explain cybersecurity/cyber risk issues and solutions to the board of directors and make sure that they know that risks are being mitigated, not removed.
"The key to guiding the company's risk appetite is by measuring what the impact is to the company itself, to the customer, what the financial impact is as well as any impact on shareholder value or the brand," said Katz.
CISOs can then assess risks using "high-medium-low" parameters. "You create a risk predictor process which includes determining the impact of one risk over another," said Katz. "There are many issues where you're going to have to accept the risk since the cost to correct or mitigate the risk might be greater than the potential impact itself. It's really a compass and not a clock for gauging the risk appetite."
Addressing the Needs of the C-suite and the Board
Katz offers several recommendations for CISOs and CROs to ensure that they're collectively meeting the needs and interests of the C-suite and the board of directors. "This is where soft skills become incredibly important." For CISOs, this includes the need to be the chief evangelist of the company's security and cyber risk strategy.
Katz advises that CISOs and CROs should carve out one-third of their time to meet with business leaders, the C-suite and the board to build a level of credibility. This includes taking the time to develop a thorough understanding of how the company operates.
"One of the first questions I ask a CISO when I mentor them is why should your company have a security program. In too many cases, I don't get a very good answer. My next set of questions focuses on how your company generates revenue/earnings. Again, there is often too little understanding by the CISO. To communicate well with the C-suite and the board, the CISO must understand what the company does and what they're focused on now and going forward, and must use the same terminology that the executives and Board are accustomed to," said Katz.
In addition, communications with the C-suite and board must not be restricted to getting in front of them only when there's a problem. "It's also about helping them to understand what you, as the person in charge of cyber risk, are doing, why you're doing it, how you're bringing benefit to the company, and recognizing that you are being paid to provide an effective level of advice."
In the end, it comes down to basic relationship building so that CISOs are recognized as valued contributors to the C-suite. "What I see with many CISOs is that too many CEOs have no idea who the CISO is and there's no means of communications," said Katz. "You have to be out there evangelizing and be part of the company. You are either a part of the C-level of management or you are not."