As the CISO, how do you get others in the business to take ownership of some of the risk, rather than assuming all the risk yourself?

2.8k views, 1 Upvote, 5 Comments

CISO, Whole Foods Market in Software, 10,001+ employees
Being very surgical about the impact, probability, likelihood and all that wonderful stuff, and over-communicating that. That has worked for me. I report to the CTO, who reports to the CEO, so I’m pressed to answer, “What is going to move the needle, what is the value, what is the impact of not doing investment in digital?” Also, you should work with the legal folks, compliance, enterprise risk. Get those people to understand what we're trying to articulate. You should also add some data points with a comparable scenario… for example, a retailer our size in the Midwest went to do something very similar, and this was the fallout. I'm not going to go to zero in terms of the risks I am personally taking on, but I'm significantly reducing it, and if something does happen, it's because there's a black swan. Nobody likes to hear that about the black swan event, but let's be honest. There's no way you can give me enough funding to say that I'm going to accept 100% of the risk.
VP, Chief Security & Compliance Officer in Software, 1,001 - 5,000 employees
I think the BOD understands our core services; we protect against the bad actors. With the financial compression of the market, now they want to understand how we add value and enable the ecosystem. Once we begin positioning security as an enabler, we enable different ways to engage and view risk.
Senior VP & CISO, 10,001+ employees
My first thought process when I started on my career in cybersecurity was, “Why exactly does the CISO own the risk?” We don't own the infrastructure that we're responsible for securing. We don't own the data that needs encryption and access control. So, why exactly is the CISO the one taking the fall? For me, I feel that it’s my job to appropriately expose the risk. That's my job. I'm a risk evangelist. We co-own the risk in the sense that it's my job to make sure I'm evangelizing it. It's your job to make sure you're fixing it.
Board Member, Advisor, Executive Coach in Software, Self-employed
I don't think you can transfer risk to the business. I think it's always co-owned, because if the business accepts it, we own cleaning it up if it manifests. So either way you can't get away from the ownership of it. You still own it at the end of the day if it hits. No different from the general counsel. They don't own every aspect of stupid things people could do that generate legal risk… but at the end of the day, they're the butt in the seat managing it, right? That's why I look at the role that way. That's why you can't separate it, right? If we want that executive seat, we've got to act like the general counsel, act like the CFO who goes, "You know what? If we whiffed on revenue, it doesn't matter that the sales guy forecasted it wrong. I own the financial reporting. I own the forecast to the street." You can't walk away from it.
1 Reply
CISO, Whole Foods Market in Software, 10,001+ employees

I think some of it could be jointly owned between the CIO and the business, the head of infrastructure and the business. I think you can be a messenger where somebody's got to take ownership of cleaning up and someone's got to own it. It doesn't always have to be the CISO, depending on the organization, of course.
