P&C the September 2019 issue

Don’t Make Dangerous Decisions

Knowing what to look for when developing your internal cyber-security reporting structure may save you big bucks.
By Jody Westby Posted on August 16, 2019

Achieving this requires leaders within an organization to engage in good cyber decision making. And that starts with successfully navigating three dangerous decision points that can significantly improve the effectiveness of an organization’s cyber-security leadership.

Dangerous Decision No. 1: CISO Reports to CIO

The reporting structure for cyber security determines how cyber risks will be managed in an organization. The trend of having chief information security officers (CISOs) report to chief information officers (CIOs) may finally be changing. The Global State of Information Security Survey 2018 (GSISS), which was produced by CIO and CSO magazines and PwC, found that 40% of information security executives report to the CEO, 27% report to the board of directors, and 24% report to a CIO. The respondents were primarily large companies, however, with an average of about 20,000 employees and $4 billion in revenues.

Other surveys came to different conclusions. The 2019 State of the CIO survey, conducted by CIO.com, found that 23% of CISOs report to the CEO, while about 45% report to the CIO. On top of that, 44% of the respondents said they do not have anyone in a leadership role for cyber security. Smaller companies are less likely to have a CISO or security executive; the survey found that only 40% of companies with revenues under $100 million had a security executive, whereas 74% of companies with revenues of $5 billion or more had one.

The belief that CISOs are not important enough to be listed among other executives may be one reason why CISOs get stuck underneath the CIO. When CISOs report to CIOs, there is a lack of segregation of duties. For example:

  • The CIO may interfere in procurements, requiring the selection of one vendor over another without fully realizing the security implications.
  • The CIO controls the security budget, and the CISO might not get the funding needed to establish and maintain an enterprise security program that aligns with best practices and standards.
  • The CIO may demand the network be designed or configured in a way that makes the environment less secure.
  • The CIO may veto certain security controls, putting the organization’s systems and data at risk.
  • The CIO may make all security presentations to the board without fully understanding all of the security issues, or may eliminate critical ones.

Additionally, contrary to popular belief in C-suites, CIOs generally are not cyber-security whizzes. The same goes for chief security officers (CSOs), who are usually in charge of facility and personnel security. Of course, the same can be said for CFOs, COOs, CEOs, chief legal officers, chief technology officers (CTOs) or others that the CISO may be reporting to. The major difference is that these other positions do not have most of the segregation of duties issues noted above with the CIO.

Dangerous Decision No. 2: CISO Reports to Someone Who Makes Bad Cyber-Security Decisions

OK, so if the CISO does not report to the CIO, then whom should that person report to? The usual alternatives are the CFO, legal counsel, CTO, COO, CEO or board. Regardless, to avoid having the CISO report to someone who will make bad cyber-security decisions, some basic factors should be considered.

  • Does the person have any understanding of technology and cyber-security risks?
  • Is the person generally negative toward cyber-security spending, arguing to keep legacy applications operational?
  • Does the person have a good enterprise view of the organization’s business unit functions and their operational and security requirements?
  • Does the person react calmly and decisively during urgent events or crises?

Dangerous Decision No. 3: The CISO, Risk Manager and Legal Counsel Do Not Collaboratively Manage Cyber Risks

At the operational level, there are three key players who need to coordinate and collaborate in managing cyber risk: CISOs, risk managers and legal counsel. In many organizations, these three functions are independent and have different lines of reporting. As cyber incidents have become more serious and privacy and cyber-security compliance requirements have multiplied, legal teams and CISOs have begun interacting and coordinating.

As cyber incidents became insurance events, risk managers struggled to understand what cyber risks their organization faced, what types of coverage were needed, and what coverage limits were appropriate. Prior to this time, most risk managers had little need to consult with their organization’s CISO.

CISOs generally welcome risk managers and legal counsel as partners in managing cyber risks; they do not want to carry the entire risk load on their shoulders. CISOs and risk managers have been known to pool budgets for cyber risk assessments and work together on presentations to senior management and remediation plans. This is a healthy trend that will hopefully continue.

There is some concern that risk managers will get through an initial cyber assessment or evaluation of some sort, determine what cyber coverage to purchase for their organization, and then default to just updating the policy year to year rather than continuing to engage with the CISO on cyber risk management. For example, when risk managers leave all details regarding cyber risk assessments up to the CISO and then just ask for the report, they have abdicated an important role in cyber risk management. It is imperative that these three positions collaborate on reviewing the maturity of their cyber-security program, assessing the effectiveness of controls, and developing the company’s cyber risk strategy.

Insurance agents and brokers can help facilitate communications on cyber risk management between the risk manager, CISO and legal team. By encouraging the risk manager to bring these people in on calls and discussions, they are helping the risk manager build important relationships internally. This internal collaboration will help ensure sound risk strategies are developed, controls are implemented to counter cyber threats, privacy and security compliance issues are integrated in the cyber-security program, and insurance coverage adequately meets the risks.
