By Rick McElroy, Security Strategist, Carbon Black.
I don’t believe there is a CEO on the planet who doesn’t have security high on their agenda at the start of 2018. The combination of escalating cyberattacks and new privacy legislation means that CEOs are being held accountable for the resilience of their organisation and the safety of their customers’ data like never before. This is undoubtedly a good thing: as CEO you set the culture of an organisation through your leadership and the priorities that you communicate to management teams. While we don’t expect CEOs to be on the front line of network monitoring and response, we do need them to set the culture and expectations under which those who are on the front line operate. These are the questions that CEOs should be asking their teams to create an environment of proactive and positive risk management. Regularly asking and answering them will lead to a more resilient company that can manage risk for competitive advantage.
The number one question is: How are we managing risk? What’s the structure of the team?
Asking this question should allow you to understand the overall structure and maturity of risk management in your organisation. Your team should be able to briefly and succinctly identify the following when asked:
Who is actually responsible for managing and accepting risk in the organisation?
Do you have someone responsible for Risk Management? Is there someone responsible for Information Security? Is someone responsible for compliance? Is this decentralised or centralised? How many staff members are dedicated to managing risk?
Your team should be able to confidently describe how the overall programme is managed and organised. They should know the chain of command and escalation thresholds and have strong communication channels.
Ensuring the security and compliance of business partners and suppliers is an increasingly critical aspect of due diligence for customers, so bonus points for organisations that have their risk management structure documented and ready to hand to external auditors or customers who may ask. This should exist and be ready to go at any moment – it should not require a long data-gathering exercise.
Question two: What is our risk tolerance?
CEOs and boards should drive the acceptable level of risk tolerance for an organisation. Of course, in an ideal world, we would have zero tolerance for risk, but last time I checked this world was far from ideal, so in reality:
“Risk tolerance is defined as the level of risk or degree of uncertainty that is acceptable to organisations and is a key element of the organisational risk frame. An organisation’s risk tolerance level is the amount of corporate data and systems that can be risked to an acceptable level. Having a defined risk tolerance level means the security programme knows the degree that management requires the organisation to be protected against the threats they face.”
Giving tolerance guidance to your team will ensure they align with your strategic plan and allow them to intelligently drive risk to an appropriate level.
Question three: When is risk being considered?
Is it baked into the upstream decision-making process, or is it considered throughout the life cycle of the business? Your team should help you understand where risk decisions are being made in the business cycle and whether or not the defences are commensurate with the risk. This will also speak to the maturity of your risk management programme: as your programme matures, managing risk will become an inherent element of strategic and operational business planning, rather than a bolt-on.
Question four: Where is the current list of risks and what is on it?
Risks come in all shapes and forms. Some risks are really business opportunities waiting to be realised. The organisation that can manage risk well will not only do a better job protecting itself from cyber threats (and indeed threats of all kinds) but will also give itself a long term competitive advantage. As the saying goes: “no one ever succeeded in business without taking risks.” Just because it’s a risk does not make it inherently a bad thing.
For most organisations, risks will fall into one or more of the following categories: Compliance/Regulatory Risks; Security Risks; Financial Risks; Privacy Risks; Industry and Competitive Risks; and Management Risks.
Knowing where to get information about the level, severity and exposure to all these types of risk when needed is crucial to making risk-based decisions. Organisations with a mature risk management posture are now utilising online dashboards updated in real time based on downstream risk data to inform their decision-making and keep them ahead of the curve.
Question five: How are risks being managed and communicated? What’s the cadence of meetings?
This final piece is about culture and will allow you, as the CEO, to understand whether your organisation embraces open and transparent risk discussions or whether there are still unknown risks which are not being identified, communicated or managed appropriately. This will also ensure risk discussions are positive and ongoing and that they occur at the appropriate time frames for your organisation.
As CEO, regularly asking these questions of your management teams will ensure that you set a culture of proactive, transparent and competitive risk management within your organisation. In today’s threat-intensive, privacy-oriented landscape it’s a core responsibility for all CEOs that, done well, will foster business resilience and a competitive edge.