How CISOs and Cyber Pros Can Bridge Risk Assessment with Budget Approval and Risk Ownership
I see that in IT & Cyber that sometimes the Risk Assessment > Budget > Risk Ownership process is not played correctly and usually leaves the cyber professional or CISO with no ability to mitigate the risk they’ve highlighted, but somehow still responsible and used as a scapegoat when things happen.
So, what should this process look like?
Steps 1-2 in our diagram here involve the normal next steps after risk assessment which is asking:
- Do you have the resources you need to deal with the risks?
- Do you need more budget or solutions than what you already have?
Then we move onto steps 3 and 4 which are currently missing for a lot of CISOs and cyber professionals and links exactly with risk ownership and budget approvals.
Step 3 – this is the quantification stage.
If you need more resources, you need to let decision-makers exactly what is needed. Plus, you need to tell them of the financial exposure (risk) they are mitigating or allowing to happen.
If you can’t quantify the financial risk, they aren’t going to be able to quickly and accurately make a decision. This is why using probability methodologies are too complex and inaccurate, for decision-makers to actually base a decision on. It leads to over/under spending a lot of the time.
I talk more about probability being problematic here: https://www.boardish.io/cyber-probability-is-a-huge-landmine-in-cyber-security-risk-quantification-how-to-overcome-it/
Let’s move onto step 4 which is the key focus of this process and one that isn’t very clear for CISOs and cyber professionals when it comes to budget communication.
When you present your budget to Management ( decision-makers/Board ), you initially have 2 outcomes:
Option 1 – Budget Approved
Option 2 – Budget Not Approved
* Note option 2 is not really the worst-case option, the worst is yet to come 🙂
So, how do we handle the remaining risk/exposure? Most budgets and cyber plans will not provide 100% mitigation for 100% of your threats, not in real life. So it’s probably around 70-80% of each, leaving 20-30% left.
So either way, you will still have some exposure as a company, whether the budget was approved or not, but the amount left depends on the decision-makers. And this is actually the most tricky part in my experience – getting risk ownership for the remaining risk and exposure.
So let’s put this into our diagram scenarios:
Option 1:
- A – Budget Approved AND Management takes ownership of the remaining risk – This is no doubt the best scenario
- B – Budget Approved BUT Management DOES NOT take ownership of the remaining risk. IT looks like a good option but actually is very RISKY – Cyber Threats don’t need 100% to “hurt the company”, they need 1%.
Most importantly here, cyber professionals should not own cyber risk. It should be owned by the business, as with everything else. In this case, I would always recommend asking for another management or board meeting to make sure they understand that THEY own the risk. This requires high level of communication skills, and clear quantification.
Option 2:
- A – Budget not Approved BUT Management takes ownership of the remaining Risk – This is the “2nd best option”! No, you didn’t get the budget, but management is aware of the risk, and they own it. From here you’ll need to do another risk assessment exercise, work with what you’ve got and start over at the next budget meeting where hopefully more resources will be approved.
- B – Budget not Approved AND Management DOES NOT take ownership of the remaining risk – This is the Worst Case Scenario.
If you as a Cyber professional or CISO are put in this position, you must flag this situation as “non-workable” and do another management/board meeting to explain that “this scenario” is not acceptable. If you accept this scenario – you are setting yourself to be the scapegoat the second that something happens or the risk is realised.
(This is what is happening a lot right now in the industry and I believe a contributing factor to why CISO turnover is so high)
To try out the Boardish methodology for yourself, quantify risk into financial figures, and speak more clearly with management to make budget approval much more likely – try us out for free at https://www.boardish.io
Useful links:
- Our Framework for Budget approvals: https://www.boardish.io/the-boardish-methodology-budget-approval-framework/
- The full Risk to Budget approval infographic for download: (feel free to use this graphic in full on social media or your website with credit to Boardish. Please don’t cut or paste without the Boardish logo present.)
Eli Migdal – Co-Founder of Boardish