Risk is part of doing business. So is exploiting opportunity. Balancing the two can be difficult, especially as business leaders tend to be judged by how they grow their business, not by how much loss they avoid.
But risk is real: it is an unrealized financial loss sitting on your balance sheet that could materialize at any time.
Nowhere is this conversation more difficult, I feel, than when it comes to cybersecurity risk.
Meet Mr. Risk.
Cyber risk, that is. As CISO, that’s the role I play: Mr. Risk.
Some risks are obvious and require little explanation. Earthquakes happen in California. Hurricanes in Florida. Snowstorms in Canada. Don’t wear your seatbelt? We all know what happens in a car accident if you don’t.
Cyber risk, though, is so technical and so abstract that it is not self-explanatory to most folks. “Invisible things are going to hurt our business? Paranoid much, aren't we?”
I remind myself that the doctor who discovered that handwashing saves lives during surgery died in an insane asylum. The medical profession in the mid-19th century thought this insight into risk was clinically crazy.
It took multiple generations for society to understand that germs exist, they cause disease, and washing your hands is good for your health and saves lives.
Imagine how long it will take for regular people to understand cybersecurity risk! I’m not holding my breath.
Yet here I am, Mr. Risk, trying to do my job.
This is why great communication skills turn out to be a CISO’s superpower, because you are constantly explaining security risk to people who don’t understand (and sometimes don’t want to understand). I feel like a purely technical CISO without the ability to bridge the gap to business leaders would flounder in the role.
On top of the difficult-to-explain “invisible things” conversation, there’s the difficulty of quantifying security risk. We can quantify the financial impact of bad things happening, mostly, but what is the likelihood? We're talking about human adversaries here, not natural phenomena. We can only guess at others’ motives and the likelihood of their engaging in a malicious campaign against any given org. (This is why I am so critical of so-called Cyber Risk Quantification, or CRQ.)
Mr. Risk will also find himself head-butting Mr. Opportunity from time to time. This is normal and needs to be managed. Every for-profit business wants to seek out and exploit opportunity for financial gain. That’s in the DNA of a for-profit company. Nobody ever got a bonus because nothing happened, you know?
Mr. Opportunity is incentivized more than most to be aggressive in seeking profit, and will often choose to overlook risks (sometimes willfully). This puts Mr. Risk in a difficult position, and finding the right way for Mr. Risk and Mr. Opportunity to dance together can be a challenge—but you're both on the same team, so there’s really no alternative.
The saving grace here is that balancing risk and opportunity is not and should not be the final decision of either Mr. Risk or Mr. Opportunity. Those are decisions for executive leadership and sometimes the Board of Directors.
“How much risk should we carry? What business opportunities should we exploit?”
Those are questions for whole-of-company leadership. Mr. Risk is there to identify risk and manage risk to meet executive risk appetite.
Establishing these clear rules of the game makes for a smooth-running company and a stress-free (or at least lower-stress) job as CISO.