CISOs DO Own the Risk

CISOs often feel excluded from company leadership. But do they need to step up and own risk to do so?

Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Ross Young, CISO-in-residence, Team8, and Jeroen Schipper, CISO, Gemeente Den Haag.

Got feedback? Join the conversation on LinkedIn.

Huge thanks to our sponsor, Fenix24

You’ve invested in cybersecurity, but can your business recover when it counts? The Securitas Summa program from the Conversant Group combines resistance, managed protection, and rapid recovery to minimize downtime and restore operations faster than anyone else. Resilience isn’t optional. Click to see how it works.

Full Transcript

Intro

0:00.000

[David Spark] CISOs often feel excluded from company leadership, but do they need to step up and actually own risk to be seen as a C-suite executive?

[Voiceover] You’re listening to Defense in Depth.

[David Spark] Welcome to Defense in Depth. My name is David Spark, I’m the producer of the CISO Series. And joining me as a guest co-host, very excited to have him on. We’ve had him as a guest before, I believe it’s the first time as a guest co-host. It’s none other than Ross Young, CISO in residence over at Team8 and the co-founder of CISO Tradecraft.

Ross, thank you so much for joining us.

[Ross Young] Hey, thanks for having me on the show.

[David Spark] Ross is great. If you are not currently a subscriber to CISO Tradecraft, they have a podcast as well, but they also have this phenomenal channel on LinkedIn where they publish a lot of really interesting stuff, and so we highly recommend you check it out. As well, you should check out CISOseries.com.

We have a great website there. Our sponsor for today’s episode is the Conversant Group, the world’s first civilian cybersecurity force. You need them when things go very, very bad. More on just that later in the show.

Let’s get to today’s topic, Ross. You can’t shake a stick without hearing a CISO complain about not having a “seat at the table.” But if they want that, Allan Alford of Alford and Adams Consulting argued that they need to firmly step up and own risk. This is what he said in a recent LinkedIn post. Now, I know this is heresy among many cybersecurity leaders but hold on.

Now, this isn’t something that can be pushed off to “the business.” All our conversations before have been that the CISO doesn’t own the risk, and Allan is arguing that becoming part of the C-suite requires becoming part of the business and taking on that risk. So, I’ll start with you, Ross. What are the implications and opportunities both, for CISOs when they take risk ownership?

[Ross Young] Yeah, so I think if we look around the rest of the board, the C-suite, we see a chief financial officer who owns financial risk. We see a chief legal counsel who owns legal risk. And if we’re going to have a seat at the table, do we have to own cyber risk? And this is where it really gets tricky.

The plus is, hey, everybody wants cyber to own it, but the downside is, can cyber really own it when we’re only a level two layer of defense where we oversee and govern but don’t have direct keyboard access to all the IT applications that are committing who knows what vulnerabilities, imposing sensitive data in places that shouldn’t be?

It is a tough question.

I personally disagree with Allan’s approach. I like being able to go back to the business as an informed leader and say, “Here’s your application. It does this critical business process. Here’s some things that I see around it,” just like chief auditors do. And I’m going to tell you, “Here’s the findings,” but it’s up to the business to make the recommendation.

So, I would say we’re closer to chief audit and staying a little bit firmly back, compared to the chief legal or chief finance officer where we truly own the risk.

[David Spark] Total agreement in all this, but the argument also I’m going to throw out is, if you want to be seen at that higher level, but you make a good point that we’re layer two security professionals and that we don’t physically have our hands on. Anyway, it’s a good, muddy discussion to have.

And the person to join us on this very muddy, but very interesting discussion is none other than the CISO for the municipality of The Hague, Jeroen Schipper. Jeroen, thank you so much for joining us.

[Jeroen Schipper] Thank you. Great to be here.

How did we get here?

3:39.878

[David Spark] Gabe Silva of Manasec said, “I think the chicken came before the egg, meaning CISOs never claimed risk because they had no authority, compared to CISOs were not given authority because they claimed no risk. I like the approach you mentioned. If I understand it correctly, I am taking on risk here, so I am claiming authority, and here are my recommendations, of course, with the caveats of the business mindset.

An important factor is whether the recommendations are taken or not.”

And Jordan Kelly of Re-thinking the Human Factor said, “Here’s an interesting conundrum for you then. If a risk owner holds overall accountability – let’s say they do, getting paid the big money and all that – then whatever the risk is, if it exceeds threshold for any reason based on pre-established criteria, that would mean that nobody other than the risk owner can be reprimanded, disciplined, or removed from role in that instance.

How many individuals would put themselves in roles that make them risk owners if that is the case? What is a risk appetite and perception in this instance, do we think?” So, Ross, this is a really good point that Jordan puts is there’s the business risk and then there’s the individual risk, and if the risk exceeds the business risk, then does the individual take on that risk?

What do you say?

[Ross Young] Yeah, so I think we have to look at history on this one. For the longest time, CISOs were given all the cyber risk. That’s why they were fired when you had a breach. No one else was responsible but cyber. And as we look at that and we say, is that the right thing? It could be. It could be the long-term way if we really want to increase our role and make it an executive role.

But the other thing we’ve always been missing is the control and the authority around that, which is if I assume this risk, then you know what? I should also be able to drive the resources, and that’s something cyber has never had. If we have to choose between adding new features versus fixing old bugs, cyber would always say, “Fix the old bugs.” But do I actually have that direction over the IT developers to say this is our stance?

We always fix old bugs before we produce new features. Some organizations like Microsoft post-breach have said that is their new norm and that’s fantastic, but other places haven’t gotten to that level of maturity. So, we’re going to see how this plays out in a lot of different organizations.

[David Spark] All right, good point. And it’s interesting. This is probably going to keep coming back to this, Jeroen, of how much control does the CISO have for getting things done to manage the risk? Isn’t it going to come down to that? Yes?

[Jeroen Schipper] Yeah, exactly. I think you have to look at a couple of things. When you as a CISO can get that mandate, for instance, then there has to be other things in place, like a shared responsibility within the board. You really have to own your place at the table. But also things like budgeting.

You have to have your own budget. In a lot of organizations, it’s not in place yet. It’s a really multifaceted discussion, I think, and Ross pointed it out pretty well. So, when you as a CISO have to fully own the business risk, then you have to have a couple of things in place, right? You have to have the trust and the authority within the organization, but also you have to have influence all over the organization.

So, you really have to be a full member of the board, including mandate, including budgeting.

Can there ever be agreement on this?

7:18.459

[David Spark] Scott Ernst of Brown & Brown said, “I could agree, and yet it seems CISOs are loath to tap into the information, expertise, and toolset of traditional operational risk. Why go it alone and reinvent a new wheel? Quantifying operational risk and its financial impact has been the language of risk management and the language of the C-suite and the board of directors for decades.” Probably even longer than that.

And John Mumford of Fellsway Group said, “It depends on the individual CISO and the organization structure, but I wouldn’t say CISOs own risk overall generally. CISOs may own some risk. For example, the risk of their security tools not operating. They certainly can inform other risk owners, HR for instance, of risk within their sphere of influence.

For example, X percentage of people aren’t taking their security training. Cyber is a business risk in a digital world to be managed at the same level of operational, reputational, financial, etc.” So, John and Scott just say, “Hey, risk has been around for a long while and people manage it. So, it’s not new.

We don’t need to create a new kind of management of risk since we have a history of it.” Is the CISO, even though they say they don’t own the risk, I like what John says, is they do actually own some risk, don’t they?

[Jeroen Schipper] Yeah, I think every CISO owns some sort of risk because it’s a really specific expertise that CISOs have.

[David Spark] Correct.

[Jeroen Schipper] So, I don’t think you can expect from board members because a normal director is responsible for everything, right? From HR to the organization to budgeting and now also from cybersecurity. So, I think there’s some sort of middle ground where a CISO can take the responsibility, but they shouldn’t work in isolation.

So, if they’re a board member and they are within the executive board, they can integrate cybersecurity into the traditional operational risk language and risk framework.

[David Spark] Okay. I throw this to you, Ross. I know, Ross, that you said you were not in agreement with what Allan proposes about owning risk, but I’m going to ask you to create the thought exercise, and you can sort of expand this risk window as big or as small as you want. What level of risk do you think security should be owning?

And if you were going to expand it, what more ownership would you want?

[Ross Young] So, I do think cyber owns a lot of risk, right? So, organizations are going to look to us to stop material cyber threats to the organization, ransomware from happening, business email compromise, those sorts of things. And as a mature program, we’re going to implement controls and safeguards to stop those things.

Email security gateways are an example of something that would stop phishing. And we would implement that, and we would have phishing exercises and other things where we could measure metrics that say, “Here’s how good we are today, and here’s how well we believe we can stop these material threats, and we are controlling that risk.” So, absolutely, I think we are doing those things today and we have that.

Now, I do want to challenge on one of the things that was said a little bit earlier, cyber risk quantification. I actually am a strong opponent of those types of things. I don’t see my peers saying, “Here’s the likelihood and the impact of a financial risk from exercising in our organization.” I think the people promoting that haven’t been in the boardrooms because I’m just not seeing that from the chief legal saying, “Here’s the likelihood of this law causing a 50% impact.” Like I’ve never seen that, right?

The only one I’ve ever seen that is my peers in the cyber group. So, I think we need to step back away from the cyber risk quantification and just show the facts, “Here’s the facts. This person or this exercise had this many things, clicking these things that they shouldn’t click. We think this is a risk.

We don’t know how bad it’s going to be because a lot of these things are vague math times vague math equals very vague math, but we know that this data exists here, this is a risk that can happen, and we want to take these actions to solve this problem.”

[David Spark] Let’s say to you that this scenario that Ross brings up, Jeroen, that this is sort of legitimate and could you expand it anymore?

[Jeroen Schipper] I partly agree. I think that the normal KPI way of running a business is not the way forward. So, when you as a CISO are responsible for what you mentioned, phishing, other things on your threat exposure, then you can report on those things. Like for instance, when you have a time to patch of two weeks, then you can quantify that to a concrete risk.

Like if you want to have the patching that we’re now doing in two weeks shortened to one week, and it’s going to cost you $1 million a year, then you’re quantifying it, but you’re also talking about risk and not about cybersecurity. Because that’s the problem. I don’t think you have to talk about detailed cybersecurity expertise within the board.

That’s one of the big problems that a lot of CISOs have, that they’ll start to talk about vulnerabilities and how to fix it and endpoint protection and managed detection and response, and that’s not the language of the board.

Sponsor – Conversant Group

12:41.119

[David Spark] Before I go any further, I do want to talk about our absolutely spectacular sponsor, and that is Conversant Group. Now, let’s face the facts. Cyberattacks happen, right? The question is, how quickly can your business recover? With Securitas Summa from Conversant Group, recovery isn’t just possible, it’s assured.

Yep. Securitas Summa is a comprehensive cybersecurity program designed to keep your business secure and operational. It combines proactive defense, continuous protection, and assured recovery through Fenix24, the world’s leading recovery firm. Work begins in less than 60 days, and recovery starts the moment you need it.

No delays, no excuses.

With Securitas Summa, your organization has access to a fully managed recovery process that gets you back online faster than anyone else, 50% faster than the industry average, to be exact. So, downtime is minimized, risk is reduced, and your operations stay on track. Cyber resilience starts with the right partner.

Visit conversantgroup.com to learn how Securitas Summa delivers security and recovery you can count on, and that’s conversantgroup.com.

What’s the optimal approach?

14:01.810

[David Spark] All right, stay seated. I got two big quotes for you. First from Duane Gran from Converge Technology Solutions Corp., “Does the legal counsel own the risk of getting sued? Does the CFO own the risk of whether the company hits the target revenue per share?” These are issues you brought up at the beginning, Ross, I should mention.

Duane goes on to say, “I stand firm saying we don’t own the risk.” Duane and you are on the same page here, but Duane goes on and said, “But maybe what you mean is that we aim to be more accountable for giving the right kind of advice. We should be accountable for the quality of our advice and leadership.” Nodding your head a little bit there.

Rich Mason of Critical Infrastructure said, “I think looking at this through the lens of mere peers like CFO, CTO, CIO, general counsel, CMO, and MDs is helpful. They all put their neck on the line for how they manage different types of risk. Are we risk consulting or risk managing?” Good point here.

“If it is the former, you’re likely to not get a front row seat. On the hierarchy of risk, individual contributor up to chief X, I think it is helpful to think of financial schedule of authorizations. It is interesting to contrast how a financial approval required a certain sign-off level up to CEO and board based upon dollars, yet we often see requests for risk acceptance at individual levels that are well above their pay grade.

Converting risk using the same financial lens and process or creating the adjacent risk schedule of authorizations start to achieve what Allan Alford is advocating. All risk is financial, even reputational risk.”

I’m throwing this one at you, Ross, there’s agreement with you, but we’re now kind of using different terms. Rather than saying risk ownership, we’re talking, “Are you consulting? Are you managing? Are you accountable for your advice or are you actually owning the risk?” How should we slice and dice these terms, Ross?

[Ross Young] So, I like to use the term governance. We’re responsible for establishing good governance in terms of cyber risk. What does that look like? So, what I like to do when I come into an organization is talk to the chief financial officer. I like to ask him or her, “Hey, tell me what the approval authorities are for different management levels.

Does a director have the approval for $50,000 on a procurement card?” Okay, that makes sense, maybe a VP has 200,000. And so the list goes on. And then I take those same approval amounts and authority levels and apply them to cyber. So, then when I take a risk, I say, “Huh, does this look like a $50,000 problem or a $200,000 problem?” And if it looks like a $200,000 problem, then it needs a VP to sign off on that situation, and then that’s a very consistent way.

CFO’s already bought off on it on the procurement decisions, so it can be laterally moved. And so when we use this, we have a risk governance process that enables risk management decisions made by the business.

[David Spark] Jeroen, how do you feel about this? And would you be more comfortable taking one of these other titles of accountable, manager, advisor when it comes rather than owner?

[Jeroen Schipper] I completely understand what Ross mentioned. The thing is, when I look at the threats that we face as a municipal organization, we are an international city. Geopolitical things that happen everywhere in the world have to do with The Hague because we have the International Criminal Court, we have Europol, we have NATO.

So, things that happen within the city can have a really big impact, and when you look at the financials that are connected to that, then I’m already pretty quickly on the level of the general manager, and that’s a problem for me. So, even the smallest things that I have to quantify are already at the highest level within my organization.

So, then I have to get over there for every question, for every threat we see, that it’s possible that we get a problem when I quantify it for a million dollars or a million euros.

[David Spark] So, you think you would just drown in bureaucracy with this?

[Jeroen Schipper] Yeah. And the other way is, and that’s not what Ross mentioned, but is that you completely own the risk, but then I’m responsible almost for business continuity management. And that’s the other way, and that’s really not my part of the world that I’m responsible for.

[David Spark] I don’t know how you could sleep with that level of… [Laughter]

[Jeroen Schipper] No, exactly. But that’s what we’re talking about.

[David Spark] I think maybe this all comes down to what level of risk can a CISO handle and still sleep at the same time? Do you think it just boils down to that, Ross?

[Ross Young] I firmly believe in the three lines of defense, which is who’s the primary manager responsible for this function, this control, this requirement? If cyber owns that, which we do own things, we own incident response, we own security awareness and education, we own email security, things like that.

Absolutely, we take responsibility on the risk; however, if things are other parts of the organization, hey, somebody does a merger and acquisition. Well, cyber didn’t really get to sign off on that. That was made by the CEO. Or if somebody’s doing software development, that’s the IT org, not the cyber side.

Those parts of things, that’s when we switch from being the primary owner to being this level two, this organizer of compliance, these ones of speaking truth to say, “This is working appropriately,” or “The trends show that this is not going the way we think it is. We need to do better.”

Who owns this issue?

19:41.380

[David Spark] Paul W. of Information Security Forum said, “Oh, I don’t know about that. If I said, ‘I own the risk,’ out loud in my business, I’d disappear under an avalanche of everyone else’s problems and the responsibility for sorting it,” it’s kind of what we were referencing in the past segment, “Co-own, however.

Hmm. Is there a distinction between own and accountable here?” Like what we talked about, “That needs to be a golden rule of the playground first. Let’s pad this out a little bit.” And Peter Berlich of Fernfachhochschule Schweiz said, “Owning the risk process doesn’t include owning the risk.” Ah, that’s interesting.

“The latter to be owned by the business. Co-owning sounds like a recipe for diffusing accountability though.” All right, I’m going to start with you, Jeroen. Again, more semantics we’re playing in this segment about owning, being accountable, co-owning, and I like this thing that Peter said is owning the risk process is not equal to owning the risk.

Do you agree with that?

[Jeroen Schipper] Yeah, well, I think that highlights a key distinction, right? So, the CISOs don’t necessarily need to own every risk outright, but they should be responsible for managing the risk process. I think that’s the big distinction. So, the business owns the business, and the CISO is accountable for the cybersecurity part.

So, the thing is that CISOs are responsible for ensuring that risks are addressed at the right levels without diffusing that accountability that we mentioned. So, I think it’s something like co-ownership of the risk. I think that’s the way to go forward.

[David Spark] Ross, what do you think?

[Ross Young] Yeah, I think this has a lot of good merit to it. The first thing I would say, is it illegal or immoral? If it is, we’re not going to do those things at our company. That’s just a hard stance. But then if it’s not illegal or immoral, then it’s like going to Vegas. Do the benefits outweigh the risks?

[David Spark] You’re comparing to Vegas. Vegas, the risk is always higher because the house always wins.

[Ross Young] Yes. But in this example, I would say there are things that businesses take for risks all the time. If you can make $10 million on something, but it only costs you a million dollars to do it, that’s probably a good risk to take. However, if it’s flipped the other side where you’re playing against Vegas and losing every time, then that’s a bad risk to take.

And we have to be able to say there’s some risks that we want to take because if we spent every dollar on cybersecurity, this company would not be profitable, and then we wouldn’t even have a cyber department because we’d be out of business. So, we have to look at overall the benefit of the business versus the actual risk, make those informed decisions, and have cyber lead the way for managing those discussions.

[David Spark] Jeroen, in our discussion we’ve had today, and by the way, I want both of you to answer this, is there any more risk you want to either own, be accountable for, share the risk process? Like in any way we’ve sliced and diced and it’s sort of defined how sort of the risk ownership accountability is, is there something more you would like or even less you would like that you currently have?

[Jeroen Schipper] At the moment, I think it’s a good balance between being responsible for the whole risk process and the consultancy directed to the board, but to be able to be responsible for business processes because that’s what you’re now talking about, right? Because you are complicit almost in running the business, and I don’t think that’s a good role for a CISO to have.

[David Spark] That is sort of counter to what Allan’s argument saying, “Hey, if you CISOs really want to be seen as a C executive, step up and truly act like a C-level executive, which means taking on the risk of your department,” as sort of Ross pointed out at the beginning, also Duane Gran sort of mentioned as well.

Ross, I throw this to you as well. You work with a lot of startups, and you also talk to a lot of CISOs. Do you hear CISOs saying, “I want to own more risk so I can be more respected as a C-level executive”? Or any way, like they probably say, “I want to be more seen as a C-level executive,” than saying, “I want that as trade-off with owning more risk.” I don’t know, what do you hear?

[Ross Young] So, the thing I hear CISOs ask for the most is wanting to own identity because a lot of access management and making sure we keep the bad actors out is controlling access, which means you have to own identity. That’s the number one thing I see CISOs asking for. Now, that’s different than what I see everybody else asking the CISOs to do.

And generally, there’s three things I see them asking CISOs to do. One is own everything compliance, right? There’s GDPR data compliance. There’s different types of software compliance that maybe you have to do because EU just passed a product liability law that you have to deal with. So, all of these things happen.

Another one that I would also say that we’re being asked more to own is fraud. Hey, if everything you sell is through a web application, does that mean you own all online fraud in cyber? Huh? Well, have I actually been slotted with a team to look through fraud analytics and data and all those insights?

Or am I just expecting my SOC, who’s a bunch of incident responders on IT, to totally understand the business logic of whatever product we’re selling and how bad actors are going to abuse that? I don’t know. That’s another tricky thing you got to figure out, who’s solving that in the organization?

And last but not least is data privacy. Historically, that’s been tasked under the chief legal officers within a company, but you know what? They’re not technical, and they don’t actually have real tools in their organization like data loss prevention. That falls under cyber. So, guess who gets to answer all the data privacy questions?

Typically cyber. So, does that mean those things come under our organization – fraud, compliance, and data privacy? Because that’s what’s being expected of us. And then that gives us the opportunity to step up and into a larger role.

[David Spark] Excellent.

Closing

25:56.284

[David Spark] And that brings us to our almost concluding portion. We’re going to ask you first, Jeroen, please tell me which quote was your favorite and why?

[Jeroen Schipper] I think it was the one from Jordan Kelly. He started with, “Here’s an interesting conundrum for you,” and what he said is that if a risk owner holds all the accountability, getting paid the big money and all that, then whatever risk it is, if it exceeds the threshold for any reason on pre-established criteria, that means that nobody other than a risk owner can be reprimanded and disciplined.

And that’s, I think, the key part of the whole discussion we had. You have the good and the bad. When you’re the one that’s responsible for cybersecurity, and you have the mandate and the budget, and you’re on the table, then you can have the responsibility. And in all other cases, it’s a no.

[David Spark] Good point. All right. I throw this one to you, Ross. Your favorite quote and why?

[Ross Young] There was a quote earlier, and I forgot who said it, that says we’re accountable for information. And I think that’s exactly right. Each of us has a different type of kung fu that we bring to the C-suite. Chief financial officers, they know financial kung fu. Chief legal knows legal kung fu.

CISOs, we know information security kung fu. That’s the information we need to bring to the risk committee so that they can make informed decisions on information security.

[David Spark] Thank you very much, Ross. Thank you very much, Jeroen. And thank you, audience. First of all, I want to thank our sponsor, which is Conversant Group – cyber resilience starts with the right partner. Visit them at conversantgroup.com. Ross, Jeroen, thank you both for coming. Ross, I’ll ask you first.

You are CISO in residence over at Team8. We did actually a live show with Team8 a couple of years ago in Tel Aviv, which was fantastic. We loved working with them. I’m assuming your portfolio companies are hiring, yes?

[Ross Young] Absolutely. We have new companies that are starting all the time, and they’re growing their portfolio and having success. So, please look on Team8.bc. You can find a list of our portfolio companies and find some good job opportunities by perusing their websites.

[David Spark] Excellent. And Jeroen, are there job opportunities at The Hague? And I’m assuming the qualifying is that you have to live in the Netherlands, yes?

[Jeroen Schipper] Yeah, that’s the easiest part. Yeah. So, we’re always hiring. It’s really interesting to work for City of The Hague because of all the international threats that we’re facing on a daily basis. So, it’s not so much fun for the organization itself, but from a security standpoint, it’s a great place to work.

[David Spark] Awesome. That is great to hear. Well, we’ll have links to their LinkedIn profile. I’m assuming our audience can contact you directly if they have questions, yes?

[Jeroen Schipper] Yes, absolutely.

[David Spark] Awesome. Well, thank you very much, Ross. Thank you very much, Jeroen. And thank you, audience. We greatly appreciate your contributions and listening to Defense in Depth.

[Voiceover] We’ve reached the end of Defense in Depth. Make sure to subscribe so you don’t miss yet another hot topic in cybersecurity. This show thrives on your contributions. Please write a review, leave a comment on LinkedIn or on our site CISOseries.com where you’ll also see plenty of ways to participate, including recording a question or a comment for the show.

If you’re interested in sponsoring the podcast, contact David Spark directly at David@CISOseries.com. Thank you for listening to Defense in Depth.

David Spark
David Spark is the founder of CISO Series where he produces and co-hosts many of the shows. Spark is a veteran tech journalist having appeared in dozens of media outlets for almost three decades.