Who decides how much security risk to take for a specific system?

Chief Information Security Officer: 35%

Chief Information Officer: 34%

Chief Risk Officer: 12%

Chief Executive Officer: 6%

Board: 3%

System Owner: 4%

Others (Please specify): 2%


1409 PARTICIPANTS

11.5k views, 3 Upvotes, 23 Comments

Director Of Information Technology in Construction, 51 - 200 employees
I believe this to be a combined effort between the system owner, CIO and Board/CEO. The system owner should always try to secure a system with the best available tools; however, resources and budget might change the availability of these tools.
4
CIO, Self-employed
It is like asking how much insurance you need. It really is a call by the CEO and/or the board. System owner/CIO/CIRO can only recommend.
4
CIO/Project Management Office in Software, 1,001 - 5,000 employees
Depends on the risk.
As with expenses, anyone beyond the CEO / Board has a level of risk they are willing to take on in their role. Once that level is defined, their job is to deliver the best approach. I personally try to insulate the company from any risk where I can, either by solving it through negotiation in the contract or by providing an alternative up front.
If I can't see the way out clearly, I escalate and recommend.
4
CEO & Founder in Software, 11 - 50 employees
It depends on the criticality of the system and the risk associated with it getting compromised. Generally, mature organizations have some assessment matrix that helps quantify the risk, and based on the severity it could be a simple decision by the CIO or a compound decision by the CIO/CISO/CEO. The end game is about risk mitigation and protecting company assets.
2
Consultant - Data Governance and IT Security Program Manager in Finance (non-banking), 1,001 - 5,000 employees
Corporate risk appetite is set by the board. The CIO sets the guidelines for risk mitigations and the CISO will oversee the solution implemented to mitigate risk for individual systems.
3
Chief Cloud Officer in Software, Self-employed
This is a decision made by the business leadership (CEO, Board) based on feedback and guidance from the CISO. The cost of security is weighed against the potential cost of an incident and a business decision is made. From what I have seen in recent large-scale incidents, the cost of potential incidents may be perceived as a cost of doing business and built into the pricing of the product or service. Take the Equifax breach. Huge in number and impact to consumers but little or no impact to Equifax. I can cite many more examples, like Target. I know this opinion is not popular.
2
CISO in Software, 1,001 - 5,000 employees
I like what the others are saying; ultimate risk decisions belong to the Board, informed by the CISO and application owners. What's critical to examine are implicit risk decisions made by system owners, network resources, et al. who (innocently enough) choose to open a port, add a service, skip a patch, etc. - effectively making liberal risk decisions for the company without adequate oversight.
4 1 Reply
Chief Information Officer in Manufacturing, 10,001+ employees
I agree, the Board has to examine the risk and make a decision whether it's an acceptable risk and what level it should be considered, with input from the CISO. Been in that situation a few times.
2
CIO/Project Management Office in Software, 1,001 - 5,000 employees
It's strange how the posts mostly say this is a board / CEO decision but the survey clicks point to CISO or CIO.
3 2 Replies
IT Operations Manager Oetiker Group in Manufacturing, 1,001 - 5,000 employees
I also found that odd, but to be fair there are more votes than posts. And it's much easier to click a button than to type out your own thoughts.

It's clear that the risk level must be approved by the CEO / Board. They in the end have to answer to shareholders/owners if the risk becomes actualized.
1
Former CISO, VP in IT Services, Self-employed
I find it odd as well, George and Justin - the votes do not match the comments.

The management of and acceptance of risk is ultimately a business decision, where, depending on the level of risk and scope of exposure, the review and action decisions are owned by a business risk committee informed by the CIO and CISO.

Further, with the new SEC rules looming on the horizon, risk management and decisions will be owned by the Board of Directors and Risk Management Committee.

A recent example is the "Password Manager" breach, where the CEO responded to communication criticisms (representing the business) and has committed to improvements in the business.
1
CISO in Software, 1,001 - 5,000 employees
I like what the others are saying; ultimate risk decisions belong to the Board, informed by the CISO and application owners. What’s critical to examine are implicit risk decisions made by system owners, network resources, et al. who (innocently enough) choose to open a port, add a service, skip a patch, etc. - effectively making liberal risk decisions for the company without adequate oversight.
4 2 Replies
Senior Security and Compliance Auditor in Software, 1,001 - 5,000 employees
Great point. It's important to develop policy that requires these types of changes to go through formal processes, including opening up a ticket and formal approval. If patching needs to be skipped for a month then it needs CISO approval. The process needs to be lightweight so it will be followed. Getting everyone trained up on how the policy applies to them is key. Risks can still be introduced, but the more unobtrusive layers (SIEM alerts, patching dashboard...) the better.
2
vCIO, Infrastructure Architect, Manager in Services (non-Government), 1,001 - 5,000 employees
Your governance council should *always* be outside of the IT/IS organization, should include senior IT/IS, and should be aware of:
Risks
Risk level assigned
Ownership
Remediation plan if not an acceptable risk.

IS's job is to bring awareness to and correct the problem. We can tell the company how we would do things, but ultimately we are at the peril of the budget and corporate willingness.

I.e. - Info sec thinks that the company's lack of a 3rd-party phishing simulation and remediation program is a high risk that needs remediation in the next 6 months. Your Governance Council might feel that some basic awareness training delivered bi-annually is sufficient. Those are now on record, and when you have to explain why a user was compromised and gave away 5K in Google Play cards in $100 increments to ceo-email@ymail.com, IS has their butt covered.
3
Chief Security Officer in Software, 10,001+ employees
We set ownership of risk as a combo of the CISO and the business owner. The CISO is the one who gets the call if there is an incident. The business owner gets asked the questions of why they prioritized the risk in a certain way and is responsible financially.
2