What should CISOs improve in their approach to risk management?


Director of Security Operations in Finance (non-banking), 5,001 - 10,000 employees
The challenge is that I'm presenting risk to the business and the business is telling me it's not real or they don't care. I’m managing around those statements, so I'm going to lock it down as best I can and make sure I secure around the environment. My job is to inform them so that they can make an informed decision. But if it's mine to manage, Malcolm, most of us are doing a good job. What we're not doing is communicating and making them care.
1 Reply
Board Member, Advisor, Executive Coach in Software, Self-employed

I agree. Risk acceptance is a business process; it's not a control.

Board Member, Advisor, Executive Coach in Software, Self-employed
The people who can take the most risk with the fewest consequences make the most money. So in IT, we have to be the best risk takers. But when large-scale breaches like Colonial Pipeline happen, I think, "What's wrong with us as a security profession that we're not better able to take risks and manage them?" Because we're the ones who are at fault. The business is taking risks and we're doing a bad job of managing them.
1 Reply
Director of Security Operations in Finance (non-banking), 5,001 - 10,000 employees

I disagree that our job is to manage risks because that’s only half the statement. Our job is to manage risk to a level that is acceptable to the business. If you tell me I get to manage risk myself, no risk will come through in security, because I will lock this place down.

CEO and Co-Founder in Software, 51 - 200 employees
CISOs with a true tech bent—who came from the dev world or try to look at analytics—have a very different view of risk frameworks. Their attitude is, “I can let my compliance guy deal with it.” But how do you bridge that to your risk officer? They struggle. At some point you still have to go to your board and CFO and quantify the risk in dollars and cents. 

The CISO is the tech bridge to the board. Don't expect them to be PhDs or cyber ninjas. We grew up dealing with the tech of 9/11 and all that, so we are bred in a very different way to look at a problem statement. A lot of CISOs that come from a policy, governance and tech background look at it holistically, but we look at controls, a stack, analytics, and everything else for us is irrelevant. If I can see the data and quantify it, a framework doesn't mean anything. Data tells you the story. It's no longer a perception. And we don't always look at it in monetary terms. The business impact in most of our cases is missing, so what I'm seeing is a true divide.
