Think of a military mission.
Who is taking the risk of its failure?
Is it the General back at HQ? The overall responsibility, he (or she) would say, lies with him as commander. He is accountable to his men and his superiors for the success of the mission.
Is it the colonel in Intelligence providing information about enemy forces? If the information he (or she) provides is lacking and leads to the loss of troops or the failure to secure the target, he will carry a lot of the blame.
Is it the captain leading his (or her) troops into enemy territory? He will bear personal risk as well as responsibility for the men and women under his command.
Is it the troops who are following orders? They are also taking risk, especially if they have a chance to express concerns.
Surely, it is all of them.
The people taking the greatest risk are those who are putting their lives at risk.
Who, then, is taking cyber risk?
Is it the board and top management, who are deciding how much scarce resource to invest in breach prevention, detection, and response?
Is it the CRO who provides information to leadership on risk, including cyber risk?
Is it the CISO and his team, who actually defend the enterprise?
Or is it the business leaders whose initiatives are damaged or worse should there be a security incident?
Surely, it is all of them.
The people taking the greatest risk are the owners of the initiatives and enterprise objectives.
Let’s have a look at a new piece from McKinsey on this topic. It raises some interesting points but, in my opinion, misses some critical ones.
What I found especially challenging is the authors’ assertion that many companies have left cybersecurity to the sole purview of the CISO, with little involvement from the risk officer.
That can’t be the right approach!
The CISO is not the one taking cyber risk!
I agree with McKinsey that there has to be a partnership between operating management, the CISO, the CRO, and the CIO.
It takes all of these affected and accountable individuals and teams to:
- Understand the level of risk cyber represents to the organization and its objectives
- Determine whether that level of risk is acceptable
- Agree on the appropriate corrective actions, if any
- Know how to include cyber risk in decision-making, not only by the technical staff but by operating and top management
- Allocate the right level of resources to address cyber risk given the competing needs of the business and other initiatives
Sometimes, it is right to take the cyber risk! Better returns may be obtained from alternative uses of scarce resources.
It’s unfortunate that many if not most organizations don’t know how to assess cyber risk in a way that enables it to be compared to other business risks. (I’m working on a book on this topic.)
I think the concept of being willing to take cyber risk is a missing element of the McKinsey discussion. Board members and top executives are familiar with the idea, but lack the tools.
The CRO should work with the CISO to provide the intelligence leaders need to make informed and intelligent decisions before they embark on their missions, plans, initiatives, and so on.
Where is the enemy, how strong are they, do they represent a threat to the success of our initiative?
What do you think of the McKinsey piece?
BTW, I thoroughly dislike the interpretation of the Three Lines of Defense where the risk function is described as a second line function ‘overseeing’ the first line CISO team. The CRO is not there to provide oversight; he or she should be there to provide assistance!