First Reference Talks

Discussions on Human Resources, Employment Law, Payroll and Internal Controls

By Norman D. Marks, CPA, CRMA | 3 Minutes Read December 17, 2018

Who takes cyber risk?

Think of a military mission.
Who is taking the risk of its failure?
Is it the General back at HQ? The overall responsibility, he (or she) would say, lies with him as commander. He is accountable to his men and his superiors for the success of the mission.
Is it the colonel in Intelligence providing information about enemy forces? If the information he (or she) provides is lacking and leads to the loss of troops or the failure to secure the target, he will carry a lot of the blame.
Is it the captain leading his (or her) troops into enemy territory? He will bear personal risk as well as responsibility for the men and women under his command.
Is it the troops who are following orders? They also are taking risk, especially if they have a chance to express concerns.
Surely, it is all of them.
The people taking the greatest risk are those who are putting their lives at risk.
Who, then, is taking cyber risk?
Is it the board and top management, who are deciding how much scarce resource to invest in breach prevention, detection, and response?
Is it the CRO who provides information to leadership on risk, including cyber risk?
Is it the CISO and his team, who actually defend the enterprise?
Or is it the business leaders whose initiatives are damaged or worse should there be a security incident?
Surely, it is all of them.
The people taking the greatest risk are the owners of the initiatives and enterprise objectives.
Let’s have a look at a new piece from McKinsey on this topic. It raises some interesting points but, in my opinion, misses some critical ones.
What I found especially challenging is the authors’ assertion that many companies have left cybersecurity to the sole purview of the CISO, with little involvement from the risk officer.
That can’t be the right approach!
The CISO is not the one taking cyber risk!
I agree with McKinsey that there has to be a partnership between operating management, the CISO, the CRO, and the CIO.
It takes all of these affected and accountable individuals and teams to:

  • Understand the level of risk cyber represents to the organization and its objectives
  • Determine whether that level of risk is acceptable
  • Agree on the appropriate corrective actions, if any
  • Know how to include cyber risk in decision-making, not only by the technical staff but by operating and top management
  • Allocate the right level of resources to address cyber risk given the competing needs of the business and other initiatives

Sometimes, it is right to take the cyber risk! Better returns may be obtained from alternative uses of scarce resources.
It’s unfortunate that many if not most organizations don’t know how to assess cyber risk in a way that enables it to be compared to other business risks. (I’m working on a book on this topic.)
I think that concept of being willing to take cyber risk is a missing element of the McKinsey discussion. Board members and top executives are familiar with the idea, but lack the tools.
The CRO should work with the CISO to provide the intelligence leaders need to make informed and intelligent decisions before they embark on their missions, plans, initiatives, and so on.
Where is the enemy, how strong are they, do they represent a threat to the success of our initiative?
What do you think of the McKinsey piece?
BTW, I thoroughly dislike the interpretation of the Three Lines of Defense where the risk function is described as a second line function ‘overseeing’ the first line CISO team. The CRO is not there to provide oversight; he or she should be there to provide assistance!

Norman D. Marks, CPA, CRMA
Norman has led large and small internal audit departments, been the Chief Risk Officer and Chief Compliance Officer, and managed IT security and governance functions.

He retired in early 2013. However, he still blogs, writes, trains, and speaks – and mentors individuals and organizations when he can.

Copyright © 2009 - 2023 · First Reference Inc. · All Rights Reserved