Conquering Cyber Risk Management as a Transformational CISO

Now is the time for CISOs to step out from their technical ivory tower. By approaching cyber risk with a business risk mindset, they can bridge the gap between security needs and enterprise objectives.

Frank Kim, SANS Institute Fellow and CISO-in-Residence at YL Ventures

November 1, 2023

4 Min Read
Silhouette of a businesswoman standing on the top of a mountain with success flag. successful business woman concept
medrooky via Alamy Stock

Mitigating risk is top of mind for chief information security officers today amid escalating attacks and new Securities and Exchange Commission (SEC) cyber regulations. However, it’s still a lot easier said than done. Billions of dollars in resources are allocated to cybersecurity annually. The best and brightest cyber professionals on Earth are dedicating their lives to combatting threats. Entire nations are joining forces to share intelligence across country lines. Yet, cybercrime is still on the rise.

For CISOs, the solution isn’t merely a matter of alleviating talent shortages, reducing alert fatigue, or adopting new best-in-class security products. We hear about that from analysts, IT teams, and vendors every day -- it’s nothing we don’t already know. The real obstacle is figuring out how to balance stringent security needs with enterprise business objectives across a continually evolving attack surface influenced by new operational structures, user behaviors, vulnerabilities, and threats. The past three years offer a direct example of that volatility:

  • New operational structures: Digital transformation coupled with widespread shifts to post-pandemic hybrid work structures rapidly accelerated cloud migration, creating a vast range of new security and compliance risks that existing security architectures weren’t positioned to handle.

  • New user behaviors: In a 2023 industry survey, more than half (55%) of respondents admitted to only working on personal mobile devices while on vacation during the summer months -- a new behavior of the “work from anywhere” culture. Just 12% of those polled reported VPN usage, a best practice for protecting corporate data.   

  • New vulnerabilities: Enterprise collaboration tools driving cloud-based hybrid work (Slack, Microsoft Teams, Zoom, etc.) have expanded the social engineering attack surface, requiring organizations to extend phishing defenses beyond traditional email gateways.

  • New threats: Generative AI-powered social engineering campaigns, increased third-party developer targeting, and SEO-based malvertising attacks are all examples of new threats that emerged over the last 12-18 months alone.

Related:Keeping Up With Data Privacy Compliance: A Guide

Amid constant change, fusing security and enterprise strategy -- two traditionally siloed functions -- into a universal front is table stakes to mitigating risk. Because, like the world’s first CISO Steve Katz once said, “there are no security risks. There are only business risks.”

It’s a tall task that requires CISOs to step out from their technical ivory tower, instead serving as transformational leaders who align security risk management with strategic, financial, operational, legal, and reputational functions. A transformational CISO goes beyond uncovering vulnerabilities and threats, optimizing robust security frameworks that safeguard business-critical assets with scenario-based planning and layered defenses linked to high-value areas of the enterprise.

Related:2023 Cyber Risk and Resiliency Report: How CIOs Are Dueling Disaster in 2023

The Role of Security Frameworks

There are three types of foundational cybersecurity programs: control frameworks, program frameworks, and risk frameworks. Control frameworks pertain to tactical strategies that help mitigate attacks. The most effective risk mitigation frameworks use a combination of different controls, such as technical controls, administrative controls, and physical controls. Program frameworks, like NIST’s newly-released Cybersecurity Framework 2.0, put those controls together into a cohesive structure. They consist of the policies, procedures, processes, and activities beyond the technical controls that you should implement to have an efficient end-to-end security architecture.  

Thirdly, risk frameworks determine which threats your controls and programs should prioritize. There are a number of frameworks that define approaches to risk assessment and management including NIST 800-30, NIST RMF, ISO 27005, COSO ERM, among many others. Many of these approaches follow a qualitative approach to calculating risk with measurement tools like ordinal scales. This is where also leveraging quantitative concepts like those described in Factor Analysis of Information Risk (FAIR) is helpful. By marrying foundational risk management program elements with a more rigorous approach such as FAIR, CISOs are able to position their security needs in terms that resonate across the entire enterprise.

The Role of Risk Quantification

Cyber risk quantification simplifies the correlation between cyber and business risk, allowing organizations to better define their security priorities. CISOs can leverage quantification strategies to effectively engage their C-suite and Board, which is more important than ever amid the new SEC cyber regulations requiring public companies to disclose their level of leadership oversight on risk management.

The basic quantification of cyber risk is probability (attack likelihood) x impact (asset damage). For example, a zero-day exploit may have a high technical likelihood of success. But if that exploit doesn’t grant access to a privileged environment where high-value data is exposed, impact may be minimal and, in turn, overall risk would be low. However, if the exploit instead results in full loss of network control and prolonged operational downtime that causes millions in financial damages, the threat is both likely to succeed and cause severe impact -- therefore exacerbating risk. Probability is the how behind risk management, while impact is the why. Knowing how to effectively articulate the latter enables CISOs to be transformational leaders who permeate a security-first culture across the organization.

In reality, mitigating cyber risk is a continuous process with no one-size-fits-all solution. However, by approaching cyber risk with a business risk mindset, CISOs can take proactive steps to bridge the gap between security and enterprise objectives, safeguard their most valuable assets, and shift the balance of power away from adversaries.   

About the Author(s)

Frank Kim

SANS Institute Fellow and CISO-in-Residence at YL Ventures

Frank Kim is a SANS Fellow where he leads the Cloud Security and Cybersecurity Leadership curricula to help shape and develop the next generation of security leaders. Previously, he served as the organization’s CISO where he led the information risk function for the most trusted source of cybersecurity training and certification in the world. Frank serves as an advisor to numerous security startups and authors and teaches courses on CISO leadership, strategic planning, DevSecOps, and cloud security.

Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.

You May Also Like

More Insights