Aligning Cybersecurity Strategies with Risk Tolerance: A Guide for CISOs

Considering the fallout of something going wrong is a crucial aspect of risk tolerance. CISOs face the challenge of deciphering the organization’s tolerance for the impact of a potential security incident. An IT Head we asked emphasized the importance of understanding the organization’s risk appetite and tolerance. Aligning an organization’s appetite for risk with cybersecurity strategies requires balancing technical controls and business needs. Achieving that balance demands a capacity to adapt to changing risk environments.

The CrowdStrike outage highlighted that even well-prepared systems can encounter unforeseen issues, emphasizing the need for cybersecurity strategies to consider the broader implications of the organization’s risk tolerance. The same IT head explained that risk appetite can be highly variable, while risk tolerance needs to be a guided discussion around a particular objective or risk scenario. CISOs should consider the potential organizational ramifications and wider public outrage of an incident and avoid seeking technical guidance from board members.

The essence of the question is ‘How much risk are we willing to take on?’ and the answer lies in quantifying risk tolerance and distinguishing it from risk appetite. Risk appetite can be highly variable, and understanding it tends to be very much about intuition on the part of the CISO. On the other hand, risk tolerance needs to be a guided discussion around a particular objective or risk scenario.

Leading the risk conversation requires quantifying cyber risk and developing mature risk reporting practices. Using data from industry sources like the IBM cost of data breach report helps in understanding the probability and potential impact of cyber risks. Organizations need to improve their understanding of risk, particularly as the board is ultimately accountable for risk oversight. Proper risk assessments and strategic planning are essential for aligning risk tolerance with business objectives. This includes scenario analysis to assess the financial impact of cyber incidents and war-gaming cyber incidents to understand and mitigate emerging risks.
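The scenario analysis this paragraph calls for can be made concrete with a small Monte Carlo model that turns per-scenario frequency and loss estimates into an annual loss distribution and checks it against a board-stated tolerance. This is an added example, not from the original article or any report it cites: the scenario frequencies and loss figures are constructed placeholders, and the tolerance statement (at most a 5% chance of losing more than 5 million in a year) is assumed.

```python
import math
import random
from dataclasses import dataclass

@dataclass
class Scenario:
    """One cyber loss scenario; parameters are constructed, not from any report."""
    name: str
    annual_frequency: float   # expected incidents per year (Poisson rate)
    median_loss: float        # median cost of one incident, in currency units
    spread: float             # lognormal sigma: how heavy the loss tail is

def poisson(rng: random.Random, lam: float) -> int:
    """Knuth's algorithm: number of incidents in one year for rate lam."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1

def simulate_annual_losses(scenarios, years=20000, seed=7):
    """Monte Carlo: total loss per simulated year summed over all scenarios."""
    rng = random.Random(seed)
    losses = []
    for _ in range(years):
        total = 0.0
        for s in scenarios:
            for _ in range(poisson(rng, s.annual_frequency)):
                total += rng.lognormvariate(math.log(s.median_loss), s.spread)
        losses.append(total)
    return losses

def assess_against_tolerance(losses, max_loss, max_probability):
    """Compare the simulated distribution with a tolerance statement of the form
    'annual loss above max_loss may occur with probability at most max_probability'."""
    n = len(losses)
    ale = sum(losses) / n                                   # annualised loss expectancy
    p_exceed = sum(1 for l in losses if l > max_loss) / n   # loss-exceedance probability
    p95 = sorted(losses)[int(0.95 * n) - 1]                 # 95th percentile annual loss
    return {"ale": ale, "p_exceed": p_exceed, "p95": p95,
            "within_tolerance": p_exceed <= max_probability}

# Constructed scenarios (assumed values, not figures from any cited report).
SCENARIOS = [
    Scenario("ransomware", 0.3, 1_500_000, 0.9),
    Scenario("third-party data breach", 0.5, 400_000, 1.0),
]
```

Calling `assess_against_tolerance(simulate_annual_losses(SCENARIOS), 5_000_000, 0.05)` gives the exceedance probability the board's tolerance statement can be compared against; the `within_tolerance` flag is the question the paragraph says the CISO has to be able to answer.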

While managing organizational risk is a key responsibility of the board, a significant gap exists between CISOs’ needs and board guidance. According to the IANS State of the CISO 2024 Benchmark Report, 85% of CISOs believe the board should provide clear direction on the organization’s risk tolerance to inform their decisions. However, only 36% of CISOs are receiving this essential guidance, highlighting a critical need for improved communication and collaboration between CISOs and boards to ensure effective risk management. In countries like Pakistan these figures would skew further toward the unhealthier end in terms of the risk-strategy input and support the CISO receives, considering that, apart from financial institutions and a few large enterprises, most CIOs or IT heads are only now doubling into the newly introduced understanding of information security post Covid.

Breaking Down Risk

Forming risk committees and engaging in business discussions helps CISOs better understand and address risks associated with new technologies and initiatives. An information security committee can be a vital tool in this mission, operating as a cross-functional team that brings together different members of the business. The committee becomes a useful forum for CISOs to understand what’s happening across the organization and build trust with other business leaders. Regular assessment of not just the cybersecurity environment but also the risk tolerance and risk appetite is crucial. This drives the controls that need to be put in place.

Understanding the business deeply is crucial for translating its risk tolerance into the security posture. This requires a mature framework and not accepting more risk than the organization is willing to take. CISOs need stronger business acumen to support risk as a business opportunity. By understanding the business operating environment and drawing on appropriate metrics, CISOs can illustrate how risk is being managed and show that the risk is coming down. This includes mapping controls against industry frameworks and defining the level of maturity the organization desires.

CISOs must come to grips with the meaning of cyber risks and their ramifications on the business side of the enterprise. To do this effectively, CISOs need to develop stronger partnerships with other technical leaders and offer constructive ways to support risk as a business opportunity. CISOs and cybersecurity leaders need to constructively support the organization’s growth plans while ensuring the business is protected. This includes embracing and managing risk in areas like new technologies, applications, markets, or businesses. By doing so, CISOs can shake off the reputation of being risk-averse and become enablers of business growth.

Business Risk Management

Moreover, CISOs need to be conscious of the business operating environment and draw on appropriate metrics to illustrate how risk is being managed. The goal is to show the risk is coming down and the CISO has implemented a treatment plan that works. To do this effectively, CISOs will need stronger business acumen, and, according to the IANS report, increasingly this includes offering constructive ways to support risk as a business opportunity. “That business acumen is understanding the business ramifications of the risk, not the technical underpinnings,” said an IS lead we spoke to. The CISO’s own background plays a part in coming to grips with this: CISOs with a GRC background tend to be better at tying the security risk to business risk because they understand the compliance obligations, while those from a SecOps path may struggle more.

However, a CSO at an IT vendor partner we engaged believes ‘positive risk’ is something that security leaders have found very difficult to identify and capitalize on. “In part, it’s because the downsides of cyber are so great and the upside is nothing bad happened,” they said. They encourage CISOs to develop stronger partnerships with other technical leaders to understand business objectives and identify the associated risks. This includes partnering with the CIO or the CTO to find ways to accomplish something, because it can be a tricky path to go on your own.

Boards are ultimately accountable for risk oversight, and it’s crucial for CISOs to educate them on cybersecurity risks and their implications. However, CISOs often struggle to communicate effectively with boards, which can lead to a lack of understanding. Hence the grave and growing importance of speaking the language of the board: focusing on business outcomes and financial impacts rather than technical details.