Why Risk Ownership Is a Problem For Cyber Executives
Risk is part of any business. Corporate leaders make decisions on acquisitions, investments, strategies, and cybersecurity, among others. However, when it comes to cybersecurity, CISOs and other cyber executives often end up taking ownership of cybersecurity risks and threats that the company chooses not to act on.
How CISOs & Cyber Executives Were Getting Caught Out in the Past
In any corporation, CISOs and cyber executives are responsible for preparing and protecting the company and its corporate data from cyber threats. They are also responsible for requesting the resources needed to do this effectively.
If you don’t have the proper tools in place to combat, protect against, or swiftly recover from threats, that’s the CISO’s risk to own, right?
Except, what happens when a CISO or cyber executive has asked for Board approval of a budget to address a weakness in the company, and the Board declines?
Who should take responsibility, or risk ownership, here? The Board, or the cyber professional?
This is where we realised here at Boardish that there was a gap in this process.
CISOs risk their jobs when they take on risk ownership
In the past, CISOs and cyber executives have ended up taking on the risk ownership of the entire company because of a lack of communication and understanding at Board level when needs and budgets were presented.
Cyber professionals would present solutions and the ‘probability’ of something happening and then the board would make their decision.
If an expert told you it probably won’t happen, that’s THEIR assessment. So THEY should be responsible.
But it shouldn’t be a case of probable or not. You can’t predict a zero-day ransomware attack. You can’t predict a new method of cyber attack. You can’t predict which employee is going to click on a phishing email on a Friday night.
Which is why basing your risk ownership on probability is a slippery slope.
So, what should happen instead?
So how can CISOs avoid this trap of accepting the risk for the whole company’s cybersecurity? Prepare and present clear facts, figures, and decisions for the Board to take ownership of, based on what you know definitively.
Presenting your assessment of the company’s cybersecurity threats and mitigation plans without the related costs will not convey the severity of the situation, especially if addressing it will cost the business a lot of money. Leaving the costs out forces you to take responsibility for these risks.
The only way to avoid the risk ownership trap is to communicate risk in a way that will be understood by decision-makers. This is where quantifying data becomes essential in communicating risk.
So, what are the Cyber Professional’s Risk Management Responsibilities?
It’s the CISO’s and cyber executive’s responsibility to find cybersecurity risks and to propose a plan to mitigate or eliminate them to protect the business. It’s on the CISO to be able to communicate these cybersecurity concerns in a tangible way that can be understood by the decision-makers.
And that’s where Boardish comes in.
At Boardish, our unique methodology does not use probability as a metric.
Instead, we work on the impact of a threat and the effectiveness of a solution.
That way cyber professionals can present financial figures to the Board so that they know exactly what kind of FINANCIAL OWNERSHIP they are taking. And it doesn’t end up on the cyber professional’s shoulders.
Boardish allows cyber professionals to put a number on the security threats their business is facing. It helps you with your risk assessment presentation and getting the required budget to address these threats.
With Boardish, you can determine and present how much the business stands to lose from each threat, and the Board can see how much financial risk it is adopting for each threat it chooses not to protect against.
For example, if cyber threats could be responsible for $100 million or 65% of annual turnover for the company, paying $5 million for solutions becomes an easy calculation to get approval from the Board.
If they choose not to approve the $5 million cost, THEY take ownership of the $100 million risk. If they are okay with that, that’s their decision, but it doesn’t fall back on the cyber professional in the event something does happen.
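As an added illustration (not Boardish’s code or methodology), the following Python script models the framing above: each threat carries a financial impact, each proposed solution carries a cost and an effectiveness, and the Board’s approve/decline decision determines the residual exposure and who owns it. The $100 million impact, the 65% of turnover, and the $5 million solution cost are the figures from the text; the solution’s 90% effectiveness, the derived turnover figure, and all names are assumptions constructed for the example.

```python
"""Impact-based risk ownership ledger (added example, not Boardish's own code).

Records, for each threat/solution pair, what the Board decided, what it
will spend, what financial exposure remains, and who owns that exposure.
Effectiveness values, the turnover figure and all names are assumptions.
"""
import math
from dataclasses import dataclass

# Assumed annual turnover, derived so that the $100M impact from the text
# equals 65% of turnover (constructed for the example).
ANNUAL_TURNOVER = 100_000_000.0 / 0.65


@dataclass(frozen=True)
class Threat:
    name: str
    impact: float  # worst-case financial loss if the threat materialises


@dataclass(frozen=True)
class Solution:
    name: str
    cost: float           # budget requested from the Board
    effectiveness: float  # fraction of the impact the control removes, 0..1

    def __post_init__(self):
        if not 0.0 <= self.effectiveness <= 1.0:
            raise ValueError("effectiveness must be between 0 and 1")
        if self.cost < 0:
            raise ValueError("cost cannot be negative")


@dataclass(frozen=True)
class OwnershipRecord:
    threat: str
    solution: str
    approved: bool
    spend: float
    residual_exposure: float
    financial_owner: str     # who carries the residual financial exposure
    cyber_responsibility: str  # what the cyber professional is accountable for


def residual_exposure(threat, solution, approved):
    """Exposure left after the Board's decision.

    A declined solution leaves the full impact in place; an approved one
    removes the fraction the control is assumed to be effective against.
    """
    if not approved:
        return threat.impact
    return threat.impact * (1.0 - solution.effectiveness)


def exposure_as_turnover_pct(exposure, turnover=ANNUAL_TURNOVER):
    """Express a financial exposure as a percentage of annual turnover."""
    if turnover <= 0:
        raise ValueError("turnover must be positive")
    return exposure / turnover * 100.0


def record_decision(threat, solution, approved):
    """Build the ledger entry that documents who owns what after the decision."""
    residual = residual_exposure(threat, solution, approved)
    if approved:
        responsibility = f"deliver '{solution.name}' as proposed"
    else:
        responsibility = "none for this exposure; mitigation was declined"
    return OwnershipRecord(
        threat=threat.name,
        solution=solution.name,
        approved=approved,
        spend=solution.cost if approved else 0.0,
        residual_exposure=residual,
        # In both cases the business, via the Board, owns the residual exposure;
        # the cyber professional owns only the delivery of approved controls.
        financial_owner="Board",
        cyber_responsibility=responsibility,
    )


def ledger_totals(records):
    """Aggregate approved spend and residual exposure across the ledger."""
    spend = sum(r.spend for r in records)
    residual = sum(r.residual_exposure for r in records)
    return {"total_spend": spend, "total_residual_exposure": residual}


def build_sample_ledger():
    """Constructed sample using the figures from the text plus assumed effectiveness."""
    threat = Threat("ransomware outage (constructed)", 100_000_000.0)
    solution = Solution("backup and recovery programme (constructed)",
                        5_000_000.0, 0.9)
    return [
        record_decision(threat, solution, approved=False),
        record_decision(threat, solution, approved=True),
    ]


if __name__ == "__main__":
    for rec in build_sample_ledger():
        pct = exposure_as_turnover_pct(rec.residual_exposure)
        print(f"{rec.threat}: approved={rec.approved} spend=${rec.spend:,.0f} "
              f"residual=${rec.residual_exposure:,.0f} ({pct:.1f}% of turnover) "
              f"owner={rec.financial_owner}; cyber: {rec.cyber_responsibility}")
```

The point of the ledger is the `financial_owner` column: whether the spend is approved or declined, the residual financial exposure is recorded against the Board, and the cyber professional’s accountability is limited to delivering what was approved. The declined row is the $100 million case from the text; the approved row shows the assumed residual after a 90%-effective control.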
Boardish provides you with this kind of tangible data for your cyber threats. By communicating cybersecurity risks this way, CISOs and cyber executives avoid risk ownership, because the decision on how to manage cybersecurity risk mitigation now rests with the corporate decision-makers, just as it does for every other department.