As the CISO, how do you get others in the business to take ownership of some of the risk, rather than assuming all the risk yourself?

Board Member, Advisor, Executive Coach in Software, 5 years ago

I don't think you can transfer risk to the business. I think it's always co-owned, because if the business accepts it, we own cleaning it up if it manifests. So either way you can't get away from the ownership of it. You still own it at the end of the day if it hits. No different than the general counsel. They don't own every aspect of stupid things people could do that generate legal risk…but at the end of the day, they're the butt in the seat managing it, right? That's why I look at the role that way. That's why you can't separate it, right? If we want that executive seat, we've got to act like the general counsel, act like the CFO who goes, "You know what? If we whiffed on revenue, it doesn't matter that the sales guy forecasted it wrong. I own the financial reporting. I own the forecast to the street." You can't walk away from it.

Reply (no title), 5 years ago

I think some of it could be jointly owned between the CIO and the business, the head of infrastructure and the business. I think you can be a messenger where somebody's got to take ownership of cleaning up and someone's got to own it. It doesn't always have to be the CISO, depending on the organization, of course.

Senior VP & CISO, 5 years ago

My first thought process when I started on my career in cybersecurity was, "Why exactly does the CISO own the risk?" We don't own the infrastructure that we're responsible for securing. We don't own the data that needs encryption and access control. So, why exactly is the CISO the one taking the fall? For me, I feel that it's my job to appropriately expose the risk. That's my job. I'm a risk evangelist. We co-own the risk in the sense that it's my job to make sure I'm evangelizing it. It's your job to make sure you're fixing it.

VP, Chief Security & Compliance Officer in Software, 5 years ago

I think the BOD understands our core services; we protect against the bad actors. With the financial compression of the market, now they want to understand how we add value and enable the ecosystem. Once we begin positioning security as an enabler, we enable different ways to engage and view risk.

CISO, Whole Foods Market in Software, 5 years ago

Being very surgical about the impact, probability, likelihood and all that wonderful stuff, and over-communicating that. That has worked for me. I report to the CTO who reports to the CEO, so I'm pressed to answer, "What is going to move the needle, what is the value, what is the impact of not doing investment in digital?" Also, you should work with the legal folks, compliance, enterprise risk. Get those people to understand what we're trying to articulate. You should also add some data points with a comparable scenario… for example, a retailer our size in the Midwest went to do something very similar, and this was the fallout. I'm not going to go to zero in terms of the risks I am personally taking on, but I'm significantly reducing it, and if something does happen, it's because there's a black swan. Nobody likes to hear that about the black swan event, but let's be honest. There's no way you can give me enough funding to say that I'm going to accept 100% of the risk.
