BreachExchange mailing list archives

What is your risk number?

From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 22 Jan 2016 14:23:50 -0700

http://www.csoonline.com/article/3025152/leadership-management/what-is-your-risk-number.html

A few weeks ago, a new acquaintance made a cynical joke about the CISO
being the person to blame and fire when a cybersecurity breach occurs in a
company. While I privately grinned in dismay about the comment, there is
some truth to the statement. It reminds me of a very critical question
every CISO job candidate must ask during a job interview: “If the company
has a cybersecurity breach, will I be fired?”

As we all know, cybersecurity is everybody’s responsibility, not just the
CISO who is in charge of cybersecurity. For many years, cybersecurity has
been ignored, as evidenced by the high number of security breaches, which
leads to the comment that we hear very often from the C-Suite: “Are we
safe?” This loaded question is ridiculous from where we sit, as it will
evoke a loaded answer from any CISO. Trying to determine if a company is
“safe” from cyber-attacks has so many variables and components that nobody
could really quantify that level of protection a company really has without
lots of metrics and Power Point slides.

I saw a recent commercial for a Sleep Number bed on television talking
about “what is your Sleep Number*?” I thought about the sleep number and it
made me think of, “What is your Risk Number?” As a CISO, you should have an
enterprise risk statement that defines what the company’s risk appetite is,
and how granular cybersecurity needs to be. Without it, you are flying
blind and will most likely end up leaving your post out of frustration.

Without this number, how do you know what the right amount of staff,
budget, and resources is to sustain a cybersecurity program, outside of the
typical metrics we use to measure and quantify cybersecurity, such as
resource loading?

As the CISO for your company, you might want a rigid cybersecurity program
with a high amount of formality and standards, yet the C-Suite and Board of
Directors may only care if the cybersecurity program is “good enough” in
order to accommodate the business and rely on a cybersecurity insurance
policy as a backup plan. The Board of Directors may want a risk number of
3.5, but you think the company should be 8.5 as a risk number. This is the
defining line that will dictate how long a CISO will last in a company,
because the risk level has not been defined.

At the end of the day, we are risk managers functioning as CISOs within
companies, and many CISOs have mismatched risk levels. When a CIO is hiring
a CISO, the CIO most likely does not know what they are getting and has to
go through a vetting process to hopefully qualify the CISO candidate and
determine if this CISO is a “hard-ass” or a happy-go-lucky CISO candidate.
Knowing the risk number of an individual to the enterprise will help
clarify and properly communicate mutual expectations for a more harmonious
relationship within the C-Suite and reduce the risk of being perceived as
the “anti-business” CISO.

The CISO can guide this process to determine what the enterprise risk
number should be, but you should never determine the number on your own,
because you may be misaligned with the C-Suite. When a collaborative
process is followed in the C-Suite, the risk number will determine how you
will successfully run your department and manage resources.

Sample industries of what a customary “risk number” may look like:

Paper Manufacturing - 2.5
Pet Care - 3.5
Hospitality/Hotel Services - 7.0
Utilities - 6.25
Aerospace - 8.0
Higher Education - 6.0
Payment Processor - 8.5
Cloud Service Provider - 7.5
Car Manufacturer - 6.75
Retail Industry - 7.5
US Military - 10.0
Financial Institutions (Big Banks) - 10.0

We have been discussing the overall enterprise risk number, but risk varies
within an enterprise. For instance, a “sub-risk number” would be a rating
of 3.0 for the shipping department, but 9.0 for the CFO's finance
department. Every company will have different overall enterprise risk
numbers as well as sub-risk numbers to properly apply the right amount of
cybersecurity controls without suffocating the entire business.

Imagine a heat risk map for your entire company. Some parts of the company
need very strong cybersecurity controls and other parts may only need the
bare minimum of cybersecurity. You typically would never take a
“one-size-fits-all” approach to cybersecurity and apply the same amount of
cybersecurity for the entire enterprise.

Sample “sub-risk number” within a company based on function:

C-Suite Officers - 8.5
Contact Center - 6.0
IT/Engineering - 7.5
Warehouse - 2.75
Operations - 3.0
Front Desk/Reception Area - 2.5

What is your Risk Number? It should be determined by the type of industry
your company is in, size of company, what is at risk, what type of data to
protect, intellectual property, financial systems, what your senior
executive leadership team desires, and what is the overall risk appetite
defined by the senior executive leadership team.

*Sleep Number is a registered trademark.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss