I’ve been meeting a lot more CROs in industry lately, and for some companies centralizing all risk management in one executive’s portfolio makes sense.
For others, that may not be the case. But I find that, as a CISO, I have a lot in common with CROs. That’s because another way of answering the question, “What is a CISO?” is to think of the role instead as a “Chief Cyber Risk Officer.”
The job of a CISO is to manage cybersecurity risk, both the adversarial risk posed by active extralegal attackers and the regulatory/legal risk that comes with operating a business.
Many companies have greater regulatory/legal risk than adversarial risk.
Others, especially in the crypto/web3 space, carry adversarial security risk that dwarfs their regulatory risk. Apex predators like North Korea impose catastrophic, even existential, security risk on private sector companies in crypto/web3.
So how do we manage that risk?
The same way we manage any business risk.
The answer applies regardless of the kinds of risk your business faces. And it’s important to think of cybersecurity risk as just another kind of business risk.
Managing risk means establishing a level of company risk tolerance, approved by the Board of Directors and mandated by the CEO.
In other words, the first question you have to answer is, how much risk are the owners of the company comfortable with?
It’s important to be explicit about this, so that everyone is clear on what risks are acceptable and which risks are not.
For the risks that are not deemed acceptable, you must then spend money and time to reduce those risks.
As you can see, at a high enough level, none of this is technical. It’s a question of either accepting risk or spending money to do something about that risk.
But how do you reduce risk? By imposing risk controls on the company, and enforcing those risk controls.
For example, if you want to reduce the risk of fire in your building, you don’t let department heads decide whether or not to hang a fire extinguisher on the wall next to their coffee machine. It’s inconvenient after all, and ugly, and takes up space. And honestly, we’ll probably never have a fire anyway, so why bother?
Well, if half the building doesn’t have fire extinguishers, you have not managed your fire risk appropriately.
The same holds true in managing cybersecurity risk. Risk controls must be applied in a top-down fashion and enforced uniformly across the entire company in order to be effective.
This is why bottom-up security is doomed to fail.