This is the final installment in our four-part series on the evolution of information security leaders. Be sure to read Part 1, Part 2 and Part 3 for the full story.

In the movie “Indiana Jones and the Last Crusade,” Indiana Jones and his father, Professor Henry Jones, must overcome three cryptic challenges to finally come face-to-face with the Holy Grail. The keys to meeting these challenges involve a disparate set of skills: humility, intelligence, commitment and, ultimately, the ability to make a well-informed, risk-based decision.

Three Challenges for CISOs

The challenges for CISOs in today’s business climate likewise require a disparate set of skills. For those aspiring to attain — or remain in — the holy grail of an information security leadership position, they and their teams must make some important changes in three specific dimensions:

  1. CISOs and their teams must embody two distinct roles: subject matter experts in the technical aspects of cybersecurity and trusted advisers in making recommendations about security-related risks.
  2. CISOs and their teams need to become confident in addressing four fundamental questions about security-related risks to help guide executive-level discussions toward making better-informed business decisions about managing risks to an acceptable level, as opposed to providing the executives with updates of tactical metrics having to do with security’s activities, work progress and operational costs.
  3. CISOs and their teams need to learn how to overcome three persistent challenges in identifying, assessing and communicating effectively about security-related risks.

Once they achieve these objectives, CISOs and their teams, like Indiana Jones and his father, can hope to hear from the guardian of the grail: “you have chosen … wisely.”

A Language Challenge

A surprising percentage of information security professionals lack an accurate understanding of risk, in spite of the fact that risk is the very reason for the existence of the business function called information security.

Here are five specific aspects of risk that warrant taking an honest reality check:

  1. Definition of risk;
  2. Language of risk;
  3. Responses to risk;
  4. Types of risk; and
  5. Ownership of risk.

One of the critical capabilities for successful, new-school CISOs is a clear distinction between the governance of the business function called information security and the management of security-related people, processes and technologies. In general, new-school leaders are increasing their focus on security governance while simultaneously getting out of the hands-on, operational aspects of security management.

Even so, it’s vital to establish a common understanding that CISOs and their teams do not hold the “Old Maid” card for security-related risks. There is, in fact, an owner for these risks — but it’s not the CISO. As subject matter expert and trusted adviser, the security leader informs and recommends. But the executive decision-maker, who owns the risk, has to decide.

A Measurement Challenge

One of the biggest challenges for CISOs is that security professionals traditionally think of cybersecurity as intangible, which is yet another reason why engaging in executive-level discussions about the question “How secure are we?” makes very little sense. If something is intangible, our instincts tell us it can’t be measured. Not surprisingly, many people with predominantly technical and engineering-oriented backgrounds experience an inherent discomfort in not being able to quantify security-related risks with precision.

Fortunately, quantifying security-related risks with precision is not the goal. Our goal is to help the risk owners make better-informed business decisions in spite of the inherent uncertainties. If something really matters to the business, we should be able to observe something tangible about it. And if we can observe something tangible about it, we’ve found at least one way to measure it. For example:

  • If investing in security awareness training for the organization’s users really matters, we should be able to observe something tangible as a result, such as a reduction in the click rates on phishing attacks.
  • If clicks on phishing attacks really matter, we should be able to observe something tangible as a result, such as the number of systems that get infected and the time it takes to remediate them, or the amount of data that gets exposed to an unauthorized party.

Security-related risks can and should be quantified, even in light of the inherent uncertainties of measuring likelihood and business impact. For those interested in improving their ability to quantify security-related risks, there are a number of excellent books, standards-based taxonomies and continuing education courses available as potential resources. In addition, there are a growing number of freely available examples of quantifying security-related risks to use as a reference.

The good news is that these more quantitative approaches are not as difficult as you might think — and they get easier with exposure and practice.

A Communications Challenge

Ironically, CISOs and their teams often use emotional and qualitative approaches to communicate risks with business decision-makers. Here are some extremely common examples.

The Latest Headlines

News stories help to convey that a given risk is not merely hypothetical — it really happened to someone, and therefore it could also happen to us. Unfortunately, the wisdom captured in the expression “never let a good incident go to waste” is counterbalanced by the tendency to become desensitized from a never-ending stream of security breach disclosures. Moreover, headlines generally don’t say very much about risk.

Averages Based on Surveys

Averages are easy to communicate, but they provide very little insight and say almost nothing about risk. For example, if survey respondents from several hundred organizations estimate the total cost of a data breach, the average cost per record says nothing about the likelihood of a data breach. We can’t even say that 50 percent of the time the cost would be higher, and 50 percent of the time it would be lower — that would be the median, not the mean or average. In terms of business impact, averages can actually be highly misleading.

Consider the fact that per-record costs of $50, $50, $350 and $350 average to $200 per record, as do per-record costs of $150, $175, $225 and $250. Not only does $200 per record convey a false sense of precision, but the two distributions of the estimated business impact provide very different insights about the risk of a data breach.
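The two cost sets above, and the earlier point that risk can be quantified despite uncertainty in likelihood and impact, can be made concrete with a small worked example. This is an added illustration, not code from the article or its author: it takes the four per-record figures from each set, shows that the mean hides the spread, and then runs a simple Monte Carlo over a hypothetical scenario (a 30 percent annual chance of a breach exposing 100,000 records, with a $30M loss tolerance) to show how the same average produces different tail exposure. The breach probability, record count and budget are assumptions chosen for illustration, and sampling the per-record cost uniformly from the four listed values is a simplification rather than a recommended impact model.

```python
import random
import statistics

# Constructed from the article's two per-record cost sets: same average,
# very different spread.
WIDE_SPREAD = [50, 50, 350, 350]      # dollars per record
NARROW_SPREAD = [150, 175, 225, 250]  # dollars per record


def summarize(costs):
    """Return mean, median, population standard deviation and range of per-record costs."""
    return {
        "mean": statistics.mean(costs),
        "median": statistics.median(costs),
        "stdev": statistics.pstdev(costs),
        "min": min(costs),
        "max": max(costs),
    }


def simulate_annual_loss(per_record_costs, p_breach, records, budget, trials=20000, seed=7):
    """Monte Carlo estimate of one year's loss exposure.

    Assumptions (hypothetical, not from the article): a breach occurs in a
    given year with probability p_breach; when it does, `records` records are
    exposed and the per-record cost is drawn uniformly from per_record_costs.
    Returns the simulated expected loss, the 95th-percentile loss, and the
    fraction of simulated years in which the loss exceeds `budget`.
    """
    rng = random.Random(seed)  # fixed seed so the run is reproducible
    losses = []
    for _ in range(trials):
        if rng.random() < p_breach:
            losses.append(rng.choice(per_record_costs) * records)
        else:
            losses.append(0)
    losses.sort()
    p95 = losses[int(0.95 * (trials - 1))]
    exceed = sum(1 for loss in losses if loss > budget) / trials
    return {
        "expected_loss": statistics.mean(losses),
        "p95_loss": p95,
        "p_exceeds_budget": exceed,
    }


if __name__ == "__main__":
    for name, costs in (("wide", WIDE_SPREAD), ("narrow", NARROW_SPREAD)):
        print(name, summarize(costs))
        print(name, simulate_annual_loss(costs, p_breach=0.3,
                                         records=100_000, budget=30_000_000))
```

Both cost sets produce the same expected annual loss, which is all a single average would tell a decision-maker. Only the wide-spread set ever exceeds the $30M tolerance, and its 95th-percentile loss is higher; that difference in the tail, not the $200 average, is what the risk owner needs in order to decide whether the exposure is acceptable.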

Expert Opinions

The opinions of experts — where experts could include sitting CISOs, industry luminaries, analysts, authors and academics — are just that: opinions. The truth is, the vast majority of business decisions about security risk are based almost exclusively on the intuition and gut instinct of the decision-maker, who tends to be the highest paid person in the organization (HiPPO).

This is the dial we’re trying to move! Any analysis and communication about security-related risks that results in a decision based on gut instinct is at best not very useful, compared to the status quo. It can actually make matters worse by inspiring the HiPPO to make a bad decision even faster, and with greater confidence.

Qualitative and Semi-Quantitative Risk Assessments

Qualitative and semi-quantitative risk assessments have become extremely popular. They’re manifested in five-by-five heat maps that are typically visualized in vibrant green, yellow and red. Security leaders say they like them because the business decision-makers seem to get it and they often lead to better conversations about risk.

While it’s true that effective communication is not a one-size-fits-all situation, one of the biggest challenges for CISOs is how to communicate in a way that really moves the dial with respect to influencing better-informed decisions about risk. Close behind is the challenge of how to communicate the business value that security provides as opposed to merely communicating some indicators of what services are being provided and what they cost.
