
Flexing the Human Component of Cybersecurity

In the CISO role, building key relationships across an organization is crucial for effective cybersecurity
Stroz Friedberg is a specialized risk management firm built to help clients solve the complex challenges prevalent in today’s digital, connected, and regulated business world

Cybersecurity isn’t just a technology risk, it’s an enterprise risk—as such, it’s everyone’s business. But perhaps no one has more pressure to mitigate this risk than the Chief Information Security Officer (CISO).

For National Cyber Security Awareness Month last year, we outlined everyone with whom CISOs should develop relationships to improve an organization’s cybersecurity. We are building on that post to focus on the Chief Risk Officer (CRO), who is quickly becoming one of the CISO’s most important partners in an organization.

CISOs that Partner with CROs Reduce Organizational Risk

It’s imperative for a CISO to develop a tight partnership with the CRO, as both are managing aspects of the organization’s risk. The first step is for CISOs and CROs to describe risk from their perspectives in a way that is meaningful to the other party. Only then can they effectively talk to each other about their needs and concerns and work in sync.

If a CRO and CISO aren’t communicating effectively, the organization’s risk profile can be unduly raised. Here’s why: Cyber risk contains governance, operational, and technical components, which ultimately translate to financial risk. The impact to the organization, after all, can include business interruption costs, damage to brand, lawsuits, regulatory fines, and other expenses. CISOs are cybersecurity experts defending the company’s business against evolving threats as the organization’s digital footprint expands to grow the business; CROs are experts at managing financial risk, with a deeper understanding of how to transfer that risk off the balance sheet to protect the organization from potential losses while enabling it to grow.

By closely aligning, the CISO and CRO can better help the organization manage its risk, because their partnership allows risk management resources to be used more efficiently. For example, the CRO may be attracted to investing in a specific GRC tool [1] as a means of managing risk, but the CISO may have a more detailed understanding of the costs involved in set-up and maintenance and of how it aligns with the overall security risk management program, and may have a different perspective on the utility of such a tool to the organization. Both of their perspectives are important for making the right risk and reward calculation.

CROs and CISOs also need to work together to draw up a strong cybersecurity insurance policy. It takes both of their perspectives to determine, among other things, what events could trigger a data breach, what triggers and losses can be covered, and what coverage limits would be appropriate for these triggers.

CISOs and CROs Best Reach the Board and Executive Leadership Together

Perhaps the biggest benefit of CISO and CRO partnership, though, is the education of senior leaders on the total risk of the organization.

When CISOs and CROs work together, they can construct a holistic, realistic picture of company risk so that the board and executive leadership can better understand the focus of the teams managing the various components of risk. If the board must work to reconcile two different risk pictures—one technically-oriented and potentially difficult for them to understand and the other financially-oriented—the leadership is less likely to be able to help and respond to the true nature of the company’s risk.

CISOs Should Support Innovators to Avoid the Reactivity Trap

Marketers, R&D leadership, and product managers are the company’s drivers of innovation. They are likely to be the most active in terms of bringing new business-building technologies to the firm, and they’re likely developing new offerings as well. For a CISO, understanding these innovations and why they’re pursuing these advancements can help prevent the CISO from falling into reactive mode. When a CISO learns about a new offering after it’s implemented, he or she must rush to plug the new exposure areas, often at higher cost. A proactive, pre-implementation approach is best to reduce risk.

CISOs Can Reduce Litigation Risk by Partnering with the Legal Team

A relationship with the legal team gives CISOs the opportunity to help reduce litigation risks by ensuring their security operations are set up to support any existing or expected legal obligations. For example, are the company’s cloud-based services configured to produce responsive information in the case of a breach? Are contracts with third-party vendors updated on a regular basis to require updates to their information security? In addition, similar to the CISO’s relationship with executive-level leadership, this relationship can help the CISO identify changes to what data should be treated as valuable.

A CISO’s Strong Relationship with Compliance Executives Can Mitigate Regulatory Risk

Through a relationship with compliance executives, CISOs can discuss concerns about possible gaps in compliance, and can also learn about upcoming changes to regulations relevant to information security that might not otherwise rise to their awareness, such as shifts in financial or other regulations that could impact their work. This relationship also presents the opportunity to discuss the company’s cyber security policy and training.

Three Benefits to CISOs Collaborating with Human Resources

A relationship with human resources pays off three ways. One, it gives CISOs more awareness of possible insider threats lurking in the company and an edge in managing these politically sensitive issues. Two, CISOs can learn about new HR technologies and partnerships in the pipeline. Three, it can give them more feedback about the efficacy of new hire and staff training on information security issues.

Coordination between CISOs and Security Software/Hardware Experts Improves Tool Efficacy

People are also integral to making the latest and greatest tools do their jobs. If a SIEM or vulnerability-scanning tool isn’t tuned, it may produce several thousand alerts a day and be operationally worthless. If a tool’s implementation accidentally opens a side door for intrusions, it’s dangerous. What’s more, people internally must be trained to understand the complex technology solutions and manage their output, because someone needs to quickly judge which issues to escalate and how to escalate them. Humans are essential to ensuring that even the most advanced technical solutions aren’t backfiring.

It’s ambitious for a CISO to develop meaningful and useful relationships with all of these individuals. But after putting in the effort to develop these partnerships, CISOs can better build an organization’s cyber resilience and can identify opportunities where security can help the business grow.

[1] Governance, Risk, & Compliance
