Why and How Should You Look at Risks

A CISO/DPO Perspective
By Krisz Kenderesi

Recently I’ve had many discussions with other security and data protection professionals about how organisations look at information/cyber security and data protection. I’ve heard mixed opinions – some of my peers are very optimistic and they see improvement in culture, more budget and full senior-level support. However, mostly what I hear is that security is still underfunded, not well-supported and that most organisations look at the CISO or DPO roles as just a tick in a box providing someone a scapegoat who can be blamed if something goes wrong.

This reminds me of the early days of IT when CIOs and CTOs were in the same situation because organisations refused to admit that we’re “digital” despite everyone using computers and that most of the business processes were supported by information technology. Today, CIOs and CTOs are often Board members – this change was inevitable. I think the same will happen with the CISO role at some point too but organisations don’t have 10-15 years to change because security threats are real and it can’t be said of security anymore “that is not a risk for us!”

In my opinion, one of the reasons for this lack of maturity could come from the way organisations and their leaders look at risk in general – if they are looking at risk at all! So here is some advice that may help you as a CISO, a security professional or even as a DPO:

Don’t try to own all risks
Information/cyber security and data protection is risk-based and flows throughout the whole organisation. The Board of Directors and senior management must understand that risk is defined as the effect of uncertainty on (business) objectives (ISO31000:2018) and that information/cyber security and data protection risks are enterprise risks too, which they own.

As a CISO and DPO, this is what I see as the most important to start with because senior management makes decisions on business objectives, priorities, budget, culture – basically on everything that has an impact on your security/compliance program.

The ownership of the risks can be delegated in the organisation, but this is only effective if the owner is someone who has the authority to make decisions about those risks. Instead of taking all the “security pain” of the organisation on yourself, share it with the other managers and help them to understand their responsibilities and be able to make an informed decision about risk.

Understand the business objectives
Your security program should focus first on the business objectives and the risks threatening these objectives. I am sure in the beginning you will find many security weaknesses and non-compliance everywhere, but you have to accept that the world is not perfect and it takes time to improve things.

Recently, I heard a brilliant quote from a friend of mine: “If a business makes coffee then they probably they won’t care about anything else until they can make great coffee”. That is why you have to focus first on the high-risk issues, those that potentially “stops them making coffee” and advise the senior management to start working on those first. This way, everyone wins. Management will see this as a necessary change to protect the business, the organisation won’t be overwhelmed and you will see improvement, and hopefully, get the support you need. Be careful not to use the risks as blockers because people will ignore you and get around you. Always focus on win-win.

I am sure you will still be worried about the other risks but you have to remember, these risks are not your risks! Your job is only to ensure there is a robust framework to help identify risk, advise on the priorities as best you can, and let the management get on with the decision-making.

Speak their language
You can avoid unnecessary delays and frustration if you understand what keeps the Board of Directors interested or awake at night. I have worked with Directors who were not interested in details just in resolutions. Others, those with a technology background are more interested in the details and want to understand everything. You have to present and talk to these viewpoints differently if you want your message to be effective and get their support. Avoid using technical language and speak their language. If it is a “coffee” business speak about the risks that might stop them from making coffee in plain English.

This is more difficult than it sounds, and sometimes we have to accept that the listening party may not ready for what you say regardless of how you say it. This is an important point because you may need to challenge, rephrase, pre-present, even argue your case or simply try again from a different angle.

In summary, my advice to CISOs, security leaders and even to DPOs is:

1. Be the trusted advisor for the business on cybersecurity risks and matters.
2. Assist the Executive leadership team in achieving its strategic objectives by helping them factor in cyber and privacy risk.
3. Advise on the criticality and prioritisation of cybersecurity-related issues.
4. Help the organisation to protect its information assets.

This is by no means a full list and isn’t a one size fits all solution for every CISO or organisation as it is based on my experience. But this approach helps me to fix issues that first seemed “mission impossible” and helps me to manage the constant pressure because I share it with the organisation rather than try to own it all myself. As mentioned, information/cyber security is in its early days yet but there are many positive signs that indicate that it is going in the right direction and I am enjoying being part of the journey and as we all do, influence its direction.