5 risk management mistakes CISOs still make

Cybersecurity is now a board-level issue, but many organizations still struggle to get security risk management right.

Corporate leaders now rank cybersecurity as a top-level priority, seeing it as a strategic risk that must be managed.

Yet surveys of executives and board members suggest that they’re still falling short on that task.

The 2019 Global Cyber Risk Perception Survey from Marsh and Microsoft found that 79% of respondents put cyber risk as a top five concern for their organization, with 22% saying it is their top concern. Yet only 11% report a high degree of confidence in their organization’s cyber resiliency.

Meanwhile, 66% of respondents in the 2019-2020 Public Company Governance Survey from the National Association of Corporate Directors said their companies addressed cyber risk at least once on their board agendas in the prior year. Despite that board-level attention, however, 61% of respondents said their organizations would prioritize business operations and initiatives over cybersecurity.

Security leaders say they’re not surprised by such findings, as security risk management is still maturing and many executives struggle with effectively managing security risk. Given that, they say they see many organizations make mistakes in this area. Here are five common mistakes they see enterprise officials make:

A lack of security and business alignment

A lack of alignment between security operations and business strategy remains one of the most common mistakes in risk management, according to multiple CISOs and executive consultants.

“Most [CISOs] don’t measure what the business actually cares about. They’re measuring technical exposures and not the impacts to the business. They still get too caught up in the tools and counting vulnerabilities, but those aren’t measures of the business cyber risk. CISOs need to attach risk to the things that the business cares about,” says Ryan LaSalle, managing director and North American lead for Accenture Security.

LaSalle says security and business also fail to align their definitions of risk and establish what they consider as acceptable risk levels — further exacerbating the disconnect between security and business and making effective risk management harder (if not impossible).

“In many cases the business and security look at risk and its impact differently,” he explains, noting that security sometimes fails to distinguish for the business the difference between inherent risk and the residual risk left after controls and mitigation have been put in place.

Ryan says he advises CISOs to articulate risks associated with specific business objectives, how they’re going to lower the risk, to what degree they can lower it and at what cost, so that both business and security have the same understanding of the risk that the organization is taking on. “In other words, CISOs have to explain why that risk matters to the business,” he adds.

Limited visibility

Many executives are managing risk for parts — but not all — of their organization because they don’t have full visibility into their enterprise.

“There’s a common misconception that an organization has the complete picture of what the landscape is,” says Tony Buffomante, the global co-leader for cybersecurity services at KPMG. However, he has found that many CISOs don’t have a full IT asset inventory or a complete list of all the third-party suppliers and cloud applications used by employees and business units. “As a result, a lot of companies execute risk assessment programs on an inventory that’s not robust or that is not accurate,” he says

Others agree that CISOs often don’t have a full view of their enterprise environment. Reasons for that vary. Sometimes acquired companies aren’t fully integrated into the parent company. Sometimes divisions run their own technology operations and put up walls around those siloes. Regardless of the reason, such scenarios leave CISOs without the ability to fully assess the risk facing the organization as a whole.

At the same time, many security operations have limited visibility into their own efforts because they’re not using metrics that can help them quantify risk and how it’s changing over time, says Mike Sprunger, senior manager of the security consulting practice at Insight. He says small to midsize organizations often don’t track risk metrics because they lack the money and expertise to implement such practices, while large companies sometimes don’t do it because they’re overwhelmed by the complexity of such an undertaking.

Advisers acknowledge that gaining full visibility into both the technology environment and the security operations takes legwork. CISOs must break down longstanding siloes of IT activity by leaning on their executive skills, and they have to prioritize oversight requirements to create a metrics program that can provide quantitative insights.

“A security practitioner should want to quantify risks in hard terms, in ways that are measurable and repeatable and meaningful, because risk is all about what could happen and what will likely happen. Too many [CISOs] look at all the things that are possible, but that won’t get you anywhere. You have to look at what’s likely to happen in your organization in order to best manage risk,” Sprunger adds.

Putting frameworks first

The challenges and complexity of the enterprise cybersecurity function have given rise to a number of frameworks, yet Christopher Kennedy, CISO and vice president of customer success at AttackIQ, sees a risk in focusing too much on using regulatory and compliance frameworks to manage risk.

He says some security leaders mistakenly overemphasize meeting the framework requirements — checking the boxes, so to speak — and see compliance with frameworks as the end goal, rather than focusing resources on understanding the unique needs of their own organization, aligning security initiatives to business strategy and closing gaps in their security program.

“The amount of work required to manage checking the boxes detracts resources from the problems that the CISO started with,” Kennedy says. “So if I as CISO have a large portion of my staff working on these frameworks, I’m not building a deep and integral relationship with my business. That means I could then be seen as an inhibitor to the business because I’m focused on these framework requirements instead of the business needs.”

Kennedy doesn’t dismiss the value of frameworks altogether; however; he says organizations need to connect a framework’s requirements to a strategy that’s informed by the specific and most likely threats that they and their industries are facing as well as the risk tolerance they’ve established.

Giving equal weight to every threat

Given the growing list of threats, attack vectors and vulnerabilities facing any and all organizations, CISOs may be tempted to address them all. However, CISOs and advisers alike say that such a broad approach is a mistake. Instead, they need to be more focused.

“A lot of people don’t start with a strong view of where they’re vulnerable and who they’re vulnerable against; they’re trying to boil the ocean,” says Philip Martin, CISO of Coinbase.

Martin says a too-broad approach dilutes efforts and jacks up expenses, without a commensurate rise in their security posture and risk management capabilities.

To best manage risk, he and other security leaders say organizations should be more targeted.

“We need to think about likelihood and impact. Too often we look at the newest, shiniest attack. But when you take a look at your risk, who is coming after you and what they are using then you can build a targeted mitigation program and focus on the attacks that are most likely to get you into trouble. We all have limited teams, limited budget and limited staff. We have to focus on what is most likely to get us and our companies into trouble,” Martin says.

For example, he says a Midwest-based manufacturing plant making auto parts needs to prioritize protecting its intellectual property and its infrastructure against foreign-based advisories targeting American companies but can push attacks formulated to steal cash (like those commonly launched against financial institutions) further down the priority list.

Failing to consider time elements

Although security or compliance audits can give the C-suite an indication of how well a security program is doing, experts warn that they indicate performance at the time of audit; they don’t guarantee success moving forward — particularly given how rapidly new threats can evolve and how quickly security policies and risk assessments must change to address them.

“We see a lot of organizations execute an audit process, but they’re not leveraging real-time threat intelligence information to help them clarify what risks are relevant to their organization at that moment,” Buffomante says. “They need to have a more continuous evaluation on where their high-priority areas are.”

Buffomante says organizations are increasingly addressing that need by implementing automation, machine learning and artificial intelligence to generate more real-time security assessments. Organizations then need to create processes that enable them to more quickly use those real-time assessments to adjust and manage risk.

However, security leaders say that organizations must also recognize that sometimes initiatives to address newly identified risks take time.

“The speed of analysis currently outstrips the speed to make decisions and take action,” LaSalle says. Security teams must build that into their planning and progress reports. If they ask their IT counterparts and the business units to address a new threat as a way to bring risk to an acceptable level, then security should be realistic about how long it will take to get the work done.

“You don’t want the security team to discourage the business from doing the right thing because you browbeat them on getting things done. There has to be a better cadence for the time it takes to solve the problem incorporated into reports,” LaSalle says. “You need to either provide more immediate incremental action rather than doing the big change or make sure your guidance can fit what the business can do.”