Who decides how much security risk to take for a specific system?

Poll results (1786 views, 1089 responses, 3 upvotes):

- Chief Information Security Officer: 37%
- Chief Information Officer: 22%
- Chief Risk Officer: 6%
- Chief Executive Officer: 7%
- Board: 11%
- System Owner: 10%
- Others (please specify): 7%
Anonymous Author
I believe this to be a combined effort between the system owner, CIO and Board/CEO. The system owner should always try to secure a system with the best available tools; however, resources and budget might change the availability of these tools.
4 upvotes
Anonymous Author
It is like asking how much insurance you need. It really is a call by the CEO and/or the board. The system owner/CIO/ciro can only recommend.
4 upvotes
Anonymous Author
Depends on the risk. As with expenses, anyone below the CEO / Board has a level of risk they are willing to take on in their role. Once that level is defined, their job is to deliver the best approach. I personally try to insulate the company from any risk where I can either solve it through negotiation in the contract, or by providing an alternative up front. If I can't see the way out clearly, I escalate and recommend.
4 upvotes
Anonymous Author
I like what the others are saying; ultimate risk decisions belong to the Board, informed by the CISO and application owners. What's critical to examine are implicit risk decisions made by system owners, network resources, et al. who (innocently enough) choose to open a port, add a service, skip a patch, etc., effectively making liberal risk decisions for the company without adequate oversight.
4 upvotes
Anonymous Author
The answer is multiple groups across the enterprise (CIO, CRO, CISO, etc.) with heavy weigh-in from the CRO/CISO offices or their representatives. Ultimately, the system owner owns the risk response, but the overall risk needs to be signed off and approved by a collective.
4 upvotes
Anonymous Author
Corporate risk aptitude is set by the board. The CIO sets the guidelines for risk mitigations, and the CISO will oversee the solution implemented to mitigate risk for individual systems.
3 upvotes
Anonymous Author
It's strange how the posts mostly say this is a board / CEO decision, but the survey clicks point to the CISO or CIO.
3 upvotes
Anonymous Author
The CISO is responsible for the risk assessment and posture of the system. Then there are factors like business priorities that need to be looked into before deciding on a system. So ultimately, it is for the CIO to weigh the risk vs. the business need and make the final call.
3 upvotes
Anonymous Author
It depends on the criticality of the system and the risk associated with it getting compromised. Generally, mature organizations have some assessment matrix that helps quantify the risk, and based on the severity it could be a simple decision by the CIO or a compound decision by the CIO/CISO/CEO. The end game is about risk mitigation and protecting company assets.
2 upvotes
Anonymous Author
This is a decision made by the business leadership (CEO, Board) based on feedback and guidance from the CISO. The cost of security is weighed against the potential cost of an incident, and a business decision is made. From what I have seen in recent large-scale incidents, the cost of potential incidents may be perceived as a cost of doing business and built into the pricing of the product or service. Take the Equifax breach: huge in number and impact to consumers, but little or no impact to Equifax. I can cite many more examples, like Target. I know this opinion is not popular.
2 upvotes
Anonymous Author
We set ownership of risk as a combination of the CISO and the business owner. The CISO is the one who gets the call if there is an incident. The business owner gets asked why they prioritized the risk in a certain way and is responsible financially.
2 upvotes
Anonymous Author
Not all organizations have a Chief Security Officer. In the absence of a CISO, it is normally a joint decision between the CEO, the CIO and probably an external security consulting organization.
2 upvotes
Anonymous Author
A combination of the accountable data owner, the system owner, and the CIO.
2 upvotes
Anonymous Author
Organizations are beginning to add a Chief Risk Officer to look at how best to manage risks.
1 upvote
Anonymous Author
I think it depends on what the system is used for and what data it houses. If this is critical data to the organization or SPI data, then I believe the CISO will make a recommendation to the CEO, who can then either decide or seek advice from the Board. Securing your systems and data is so critical, and one mistake can cost your company business or reputation, or put you out of business.
1 upvote
Anonymous Author
I would add that the business owner has to be involved in this decision, because the cost of protection (controls) could be very expensive and may outweigh the benefits derived from that protection. In non-governmental organizations, you can't run a system (business) at a loss as a result of the cost of security controls. The risk acceptance or risk tolerance must be considered, and this involves the CISO (or security folks), CIO, CEO, and the Board, depending on how critical the system is and the impact to the organization. When taking risk, it must be thought out properly and involve the folks with the proper knowledge.
1 upvote
Anonymous Author
We have a cyber council consisting of business line executives that determines the risk tolerance for cyber and weighs in on cyber investments and results.
1 upvote