The Information Security Leader, Part 3: Four Fundamental Questions for Risk Analysis

This is Part 3 in our four-part series on the evolution of information security leaders. Be sure to read Part 1 and Part 2 for more information.

To get to the heart of any matter, you need to ask the right questions. Over the last few years, information security professionals are finally coming around to appreciate that “Are we secure?” is not the right question to ask in a risk analysis.

To that, the correct answer is always no. Most everyone generally understands that being 100 percent secure is an unattainable objective. Security always has to be balanced against cost and convenience, and real-world users really do need access to applications, data, systems and networks to carry out their assigned tasks.

“How secure are we?” is not the right question either. Not that this isn’t the question that C-level decision-makers and boards of directors actually ask of their information security leaders — it absolutely is what they commonly tend to ask, verbatim. But what kind of answer could be helpful for making more informed business decisions about security-related risks?

Confusing Activities With Results

Unfortunately, the biggest problem with the question “How secure are we?” is that it tends to lead immediately to discussions about activities, work progress and budgets. This is information about what we do and what it costs, not information about delivering business value.

Make no mistake, organizations that have certain foundational capabilities in place are undoubtedly in a much stronger position to respond effectively to specific security threats, vulnerabilities and exploits as they come and go over time. For example, these capabilities may include:

  • Understanding what systems and applications are in their environment;
  • Keeping their systems, applications and networks securely configured, patched and up to date; and
  • Maintaining visibility into what’s happening in their environment and being in a position to respond quickly when something goes wrong.

But when information security leaders start responding to the question “How secure are we?” with metrics about absolute values, percentages and time, they’re reporting on activities — not on whether they are actually achieving the required results.

Managing Risks to an Acceptable Level

The singular purpose of the CISO and the information security function is to help the organization manage security-related risks to an acceptable level. Logically, it follows that the right questions in a risk analysis are along the lines of “What are our security-related risks?” and “Are we managing our security-related risks to an acceptable level?”

If we have to talk about metrics, the one metric that actually addresses the CISO’s fundamental mission is this: What’s the annualized business impact of security-related incidents, and is that being successfully managed to be within the organization’s appetite for risk? That is to say, does the total annual investment in security-related initiatives plus the total annual business impact of security-related incidents add up to less than the threshold for risk that the organization’s business decision-makers are willing to accept?

Quantifying this threshold for risk will vary from one organization to another, but in any case, this would be the cybersecurity metric that really matters.

Four Fundamental Questions Every CISO Should Be Confident in Addressing (But Most Aren’t)

In practical terms, security leaders need to help their executive-level decision-makers make better informed decisions about risk at a slightly more granular level.

As suggested in the first part of this series, information security leaders and their teams need to interpret and translate the question “How secure are we?” into one of the following four fundamental questions about risk if they want to make a bigger and more valued contribution to their organization:

  1. What is the risk?
  2. What is the annualized risk in the specific context of our organization?
  3. How does an investment quantifiably reduce risk?
  4. How does one investment compare to another, with respect to quantifiably reducing risk?

Conducting a Risk Analysis

Any risk analysis that addresses these four questions needs to be based on the proper definition of risk, where risk is expressed in terms of both the likelihood of occurrence and the business impact if the incident actually does occur. Many security professionals are not confident in their current abilities in these areas, but this kind of analysis isn’t really as hard as it may seem.

Finally, be sure to note that being adept at addressing these four fundamental questions is consistent with the dual roles of the next-generation security leader:

  • The subject-matter expert, who can identify and understand the technical aspects of threats, vulnerabilities, exploits and technologies (question No. 1) and who can recommend context-appropriate options for reducing risk (Nos. 3 and 4); and
  • The trusted advisor, who can quantify and communicate risks properly in terms of likelihood and business impact (Nos. 1 and 2) and who can quantify and compare options for reducing risk to an acceptable level (Nos. 3 and 4).

In the fourth and final blog in this series, we’ll look at three persistent challenges that information security leaders need to learn how to overcome.


Derek Brink

VP & Research Fellow, IT Security and IT GRC, Aberdeen Group

Derek Brink helps individuals to improve their critical thinking, commuication skills and leadership skills by teaching...