The often imperfect relationship between risk managers and the Information Security department is a concern – but it also presents an opportunity.
Strong internal relationships are critical to optimising a company’s cyber security. A risk manager’s role is to articulate business risks; so if they don’t have a good relationship with their company’s Information Security department, they have a huge blind spot.
Yet their relationship with the Chief Information Security Officer (CISO) is often not nearly as strong as it might be.
According to a live poll of risk managers that we conducted at the Airmic Annual Conference, only 21% of risk managers consider their relationship with their company’s CISO to be “effective”. Most risk managers (in fact, 72%) consider their relationship with their CISO to only be “somewhat effective”.
In many ways, the key characteristics of a risk manager and a CISO’s role are very similar. Both are focused on:
Understanding the underlying business,
Identifying key risks,
Treating and managing those risks.
So why the disconnect?
What's a CISO?
One reason can often be a lack of understanding of what each party values, how they think and their key business objectives. At the Airmic Annual Conference, we also asked risk managers: “What is the key attribute of a CISO?” Their responses were as follows:
Security knowledge – 61%
Executive presence and leadership – 22%
A communicator – 11%
An IT specialist – 6%
These responses perhaps indicate a misconception about what a CISO really is, and what they do. In many cases, the CISO’s role has evolved over the past few years from being a tactical Information Security manager to a strategic business executive. For instance, during my time working as the CISO at EE and Visa, I spent more of my time building relationships with key parts of the business, rather than on the technical side.
In fact, more than half (54%) of CISOs believe that their success depends upon leadership skills, according to data from the 2017 research report from ESG and the Information Systems Security Association (ISSA). In sharp contrast to risk managers, 49% of CISOs believe their success depends upon communications skills, according to the same data.
A key challenge for many CISOs is striking the balance between business enablement and security.
Although technical expertise is important, it’s more critical that a CISO can distil technical information and communicate this to other business units, and bring those other business units along in their decision-making. They also need to be able to weigh up various business considerations in order to decide upon the mitigation that is appropriate not just from a purely technical perspective but, more critically, in light of the business’s broader operations.
Having strong relationships across the business is even more critical for a CISO during a crisis (for example, a large-scale cyber breach). During such moments – when informing and supporting the Board, and communicating to customers and the media quickly and accurately will often be a priority – technical expertise alone will absolutely not be enough.
At the Airmic Annual Conference, we also asked risk managers: “What is the key challenge of a CISO?” Their responses were as follows:
Keeping the business secure – 67%
Aligning the business – 23%
Showing value for money – 10%
Keeping the business secure is an obvious challenge, but it’s also a given. Most CISOs therefore wouldn’t cite this as their main challenge.
A challenge that many CISOs will be more mindful of is trying to strike the balance between business enablement and security. Specifically, a CISO is always trying to strike the right balance between: the likelihood of the company being compromised, vs investment in mitigation, vs risk appetite. The more that companies depend upon technology and that technology changes, the more their risks change, and the harder it becomes to strike this right balance between business enablement and security.
Risk managers can help CISOs to strike this balance.
Although the exact relationship between a risk manager and CISO will vary between companies – depending upon risk maturity, corporate structure and philosophies among other factors – there are some common areas where risk managers may be well positioned to provide value to a CISO, and thereby gain their trust and improve collaboration.
A risk manager can work alongside the CISO to articulate cyber risks in business terms that different parts of the company will understand.
For example, a risk manager can add a CISO’s top risks to their broader risk register, thereby potentially giving the CISO’s risks greater profile across the business (for example, to Audit, Finance and sometimes the Board). More generally, a risk manager can be a useful interloper, working alongside the CISO to engage different parts of the business and articulate data/cyber risks, and explain the possible losses, in business terms that different parts of the company will understand – e.g. reputational risk, business interruption and so on.
Risk managers might also be able to add value by explaining the possible benefits of insurance. The insurance protections available for cyber risks are relatively new and evolving. Risk managers may therefore be well-positioned to educate the CISO on what insurance and auxiliary services are available from the market.
As a matter of course, a risk manager needs to consider the potential risk to their organisation arising out of a substantive cyber breach, and the immediate and often serious business interruption that would accompany it. It therefore makes sense for them to work closely with the CISO to ensure that ‘incident response plans’ and ‘disaster recovery plans’ are linked together and inform one another.
While large cyber incidents are widely reported in the media, it is often hard to find explicit and accurate details of the incident itself and the associated cost. The more that risk managers and the CISO can pool the intelligence garnered from their respective networks, however anecdotal, the stronger the company’s security will be. This learning should be formalised internally. Cyber criminals communicate and share ideas on a daily basis; unless a risk manager and CISO communicate regularly, their company could be fighting the bad guys with one hand tied behind its back.
For more information, please contact Peter Erceg on:
Tel: +44 (0)20 7933 2608 | Email: Peter.Erceg@uk.lockton.com