The new North Star for CISOs: Accounting for emerging risk: We’ve established that it’s no longer good enough to overfit to a compliance standard, but you can still use compliance to your advantage. Most compliance programs mandate an information security risk assessment and, at a larger company, you may already have a dedicated enterprise risk management function. As a CISO, you influence the scope of that information security risk assessment, its methodology and, perhaps most importantly, its time horizon. Three key strategies you should consider:
Extend the time horizon
Ideally, you want to be considering scenarios as far as three to five years down the road so you can get ahead of them. We’re already seeing evolving threats from AI, more breaches stemming from vulnerable third-party vendors and the risk of harvest-now-decrypt-later attacks, where encrypted data captured today is stored until quantum computing can break it, within the decade. None of the controls for these risk scenarios can be turned on overnight, so preparing for them and other emerging risks is paramount.
Use risk- or scenario-based methodologies wherever possible
What is the situation you are attempting to prevent? Compliance based on assets or controls is where the checkbox label comes from. This may be important at the outset of a security program to ensure you have proper coverage, but you will confront the previously mentioned 80% mentality. With scenarios, you start with a broader view of the risk and map the associated controls to it. You can also define custom risk scenarios, which allow you to formally introduce requirements beyond existing compliance routines, and these can be more specific than anything you will find in control statements or standard scenario catalogs.
Quantify the loss
One of the most common shortfalls of compliance-driven risk assessments is simplistic math around likelihood and impact. Many of the emerging risks mentioned above have a lower likelihood but an extremely high impact, and a fair amount of uncertainty around timeframes. Under that simplistic math, these tail risks rarely bubble up organically; instead, they have to be pulled out by hand from the mass of low likelihood-times-impact scores. Defining the impact in dollars and cents cuts through the noise. $250k and $18M might both rate a “5” for impact on a traditional scale, but one is clearly more impactful than the other. In practice, these conversations can be difficult if your program is newer, and they depend heavily on both your security organization’s stature and the company’s risk culture. Just remember that even if all you succeed in doing is starting the discussion on these items, you are building awareness and setting the stage for future investments.
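The following is an added example, not code from the article or its author, that shows why the ordinal likelihood-times-impact math described above hides tail risk and what dollar quantification (an annualised loss expectancy plus a seeded Monte Carlo for the 1-in-100-year loss) surfaces instead. It also attaches a dollar value to a control by comparing its cost with the loss it removes, which is the cost-optimal-controls comparison the buy-in section below refers to. Every scenario, probability, loss range, scoring band and control cost is a hypothetical figure constructed for illustration.

```python
"""Added example (not from the article): ordinal heat-map scoring versus
dollar-quantified loss for a frequent-but-bounded and a rare-but-severe risk.

All scenarios, probabilities, loss ranges, bands and control costs below are
hypothetical figures constructed for illustration.
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    annual_probability: float  # chance the event occurs in a given year
    loss_low: float            # plausible per-event loss range, in dollars
    loss_high: float


# Hypothetical 1-5 bands of the kind found in a compliance-driven heat map.
# Anything at or above $250k is a "5", so $250k and $18M land in the same box.
IMPACT_BANDS = (10_000, 50_000, 100_000, 250_000)
LIKELIHOOD_BANDS = (0.02, 0.05, 0.10, 0.50)


def ordinal_score(value, bands):
    """Map a value to 1..5: start at 1 and add one for every band crossed."""
    return 1 + sum(1 for threshold in bands if value >= threshold)


def ordinal_risk(s: Scenario) -> int:
    """Traditional heat-map math: likelihood score times impact score (max 25)."""
    return (ordinal_score(s.annual_probability, LIKELIHOOD_BANDS)
            * ordinal_score(s.loss_high, IMPACT_BANDS))


def expected_annual_loss(s: Scenario) -> float:
    """Annualised loss expectancy: probability times the loss-range midpoint."""
    return s.annual_probability * (s.loss_low + s.loss_high) / 2


def simulate_annual_loss(s: Scenario, years: int = 10_000, seed: int = 1):
    """Monte Carlo over `years` simulated years; returns (mean, 99th percentile).

    The 99th percentile is the "1-in-100-year" loss, which is exactly what an
    ordinal score throws away for a low-probability scenario.
    """
    rng = random.Random(seed)  # fixed seed so the run is reproducible
    losses = []
    for _ in range(years):
        loss = 0.0
        if rng.random() < s.annual_probability:
            loss = rng.uniform(s.loss_low, s.loss_high)
        losses.append(loss)
    losses.sort()
    return sum(losses) / years, losses[int(0.99 * years) - 1]


def control_net_benefit(s: Scenario, annual_cost: float,
                        residual_probability: float) -> float:
    """Dollar value of a control: loss it removes minus what it costs per year.

    Positive means the control pays for itself; negative means it does not.
    """
    residual = Scenario(s.name, residual_probability, s.loss_low, s.loss_high)
    return expected_annual_loss(s) - expected_annual_loss(residual) - annual_cost


# Constructed scenarios: one frequent but bounded, one rare but severe.
BEC = Scenario("Phishing-led payment fraud", 0.25, 50_000, 250_000)
HNDL = Scenario("Harvest-now-decrypt-later exposure of archived data",
                0.03, 5_000_000, 18_000_000)

if __name__ == "__main__":
    for s in (BEC, HNDL):
        mean, p99 = simulate_annual_loss(s)
        print(f"{s.name}: ordinal {ordinal_risk(s)}, "
              f"ALE ${expected_annual_loss(s):,.0f}, "
              f"simulated mean ${mean:,.0f}, 1-in-100-year ${p99:,.0f}")
    # Hypothetical controls: an awareness campaign that cuts fraud probability
    # to 10%, and a cryptographic inventory that halves the HNDL probability.
    print("awareness campaign net benefit:",
          control_net_benefit(BEC, 40_000, 0.10))
    print("crypto-agility inventory net benefit:",
          control_net_benefit(HNDL, 150_000, 0.015))
```

With these constructed figures the heat map ranks the payment-fraud scenario (4 × 5 = 20) above the quantum scenario (2 × 5 = 10), while the dollar view shows the opposite: an annualised loss of roughly $37.5k against $345k, and a 1-in-100-year loss of about $250k against well over $5M. The control check tells the same kind of story the buy-in section makes about cheap controls: the $40k awareness campaign removes only $22.5k of expected loss and so does not pay for itself on these numbers, whereas the $150k inventory does.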
How to get buy-in from the board: The financial leaders who approve a CISO’s cybersecurity plan live in the world of risk. Every day, they make calculated bets on what will pay off for the business. The board will want to know which risks the compliance standards you follow aren’t accounting for, and the likelihood and impact of each in financial terms. CISOs can assure them that a clean audit that checks all of the compliance boxes may be safe enough to show prospective clients, but resting there sets a standard of “good enough” that doesn’t account for risks that may not become part of any compliance standard for two to three more years. While these might sound like extras to the board, quantifying risk, comparing against competitors and calculating cost-optimal controls are key. For example, an awareness campaign, an approval process or a training module might be cheaper than adding software or point solutions around generative AI security, and still bring the risk down to an acceptable level.
If your budget has already been approved without these focus areas in mind, now is the time to start weaving a risk-first approach into discussions with your board. You should be talking about this year-round, not only during budget season when it’s time to present your plan. It positions security as a way to protect revenue, improve capital efficiency, preserve treasury integrity and optimize costs, rather than as a cost center.
The beginning of the year is a great time for CISOs to start shifting their organization’s mindset on cybersecurity risk. Take a risk-first approach that goes beyond compliance standards and focuses on becoming resilient to emerging threats.
This article is published as part of the Foundry Expert Contributor Network.
First seen on csoonline.com
Jump to article: www.csoonline.com/article/4128920/never-settle-how-cisos-can-go-beyond-compliance-standards-to-better-protect-their-organizations.html

