What is your risk number?

Jan 22, 2016 | 5 min read
IT Leadership | IT Strategy | ROI and Metrics

What is your risk number as a CISO, and what is the risk number for the enterprise?


A few weeks ago, a new acquaintance made a cynical joke about the CISO being the person to blame and fire when a cybersecurity breach occurs in a company. While I privately grinned in dismay at the comment, there is some truth to the statement. It reminds me of a very critical question every CISO job candidate must ask during a job interview: “If the company has a cybersecurity breach, will I be fired?”

As we all know, cybersecurity is everybody’s responsibility, not just that of the CISO who is in charge of it. For many years, cybersecurity has been ignored, as evidenced by the high number of security breaches, which leads to the comment we hear very often from the C-Suite: “Are we safe?” From where we sit this loaded question is ridiculous, because it evokes a loaded answer from any CISO. Determining whether a company is “safe” from cyber-attacks involves so many variables and components that nobody could really quantify the level of protection a company has without lots of metrics and PowerPoint slides.

I saw a recent commercial for a Sleep Number bed on television talking about “what is your Sleep Number*?” I thought about the sleep number and it made me think of, “What is your Risk Number?” As a CISO, you should have an enterprise risk statement that defines what the company’s risk appetite is, and how granular cybersecurity needs to be. Without it, you are flying blind and will most likely end up leaving your post out of frustration.

Without this number, how do you know the right amount of staff, budget, and resources needed to sustain a cybersecurity program, beyond the typical metrics (such as resource loading) we use to measure and quantify cybersecurity?

As the CISO for your company, you might want a rigid cybersecurity program with a high degree of formality and standards, yet the C-Suite and Board of Directors may only care whether the cybersecurity program is “good enough” to accommodate the business, relying on a cybersecurity insurance policy as a backup plan. The Board of Directors may want a risk number of 3.5, while you think the company should be at 8.5. This gap is the defining line that dictates how long a CISO will last in a company, because the risk level has not been defined.

At the end of the day, we are risk managers functioning as CISOs within companies, and many CISOs have risk levels that are mismatched with their company’s. When a CIO hires a CISO, the CIO most likely does not know what they are getting and has to go through a vetting process to qualify the candidate and determine whether this CISO is a “hard-ass” or a happy-go-lucky candidate. Knowing an individual’s risk number relative to the enterprise helps clarify and properly communicate mutual expectations, leading to a more harmonious relationship within the C-Suite and reducing the risk of being perceived as the “anti-business” CISO.


The CISO can guide the process of determining what the enterprise risk number should be, but you should never set the number on your own, because you may be misaligned with the C-Suite. When a collaborative process is followed in the C-Suite, the resulting risk number determines how you will successfully run your department and manage resources.

Sample industries and what a customary “risk number” may look like for each:

  • Paper Manufacturing: 2.5
  • Pet Care: 3.5
  • Hospitality/Hotel Services: 7.0
  • Utilities: 6.25
  • Aerospace: 8.0
  • Higher Education: 6.0
  • Payment Processor: 8.5
  • Cloud Service Provider: 7.5
  • Car Manufacturer: 6.75
  • Retail Industry: 7.5
  • US Military: 10.0
  • Financial Institutions (Big Banks): 10.0

We have been discussing the overall enterprise risk number, but risk varies within an enterprise. For instance, a “sub-risk number” might be a rating of 3.0 for the shipping department but 9.0 for the CFO’s finance department. Every company will have a different overall enterprise risk number as well as different sub-risk numbers, so that the right amount of cybersecurity controls can be applied without suffocating the entire business.

Imagine a risk heat map for your entire company. Some parts of the company need very strong cybersecurity controls, while other parts may only need the bare minimum. You typically would never take a “one-size-fits-all” approach and apply the same amount of cybersecurity across the entire enterprise.

Sample “sub-risk numbers” within a company, based on function:

  • C-Suite Officers: 8.5
  • Contact Center: 6.0
  • IT/Engineering: 7.5
  • Warehouse: 2.75
  • Operations: 3.0
  • Front Desk/Reception Area: 2.5

What is your Risk Number? It should be determined by the industry your company is in, the size of the company, what is at risk, what type of data must be protected (intellectual property, financial systems), what your senior executive leadership team desires, and the overall risk appetite defined by that leadership team.

*Sleep Number is a registered trademark.

Special thanks to Mansur Hasib (Author of Cybersecurity Leadership: Powering the Modern Organization) for peer review.

Todd Bell has become an international expert and leading speaker on preventing security breaches for organizations ranging from new start-ups to Global Fortune 500 companies. As a CIO & CISO, Todd has made a global impact in safeguarding millions of consumers’ information around the globe, from building new cyber programs to maturing existing ones.

Todd is also the architect & inventor of the Bell Security Enterprise Security Architecture method, which streamlines cybersecurity controls as a virtual overlay onto an existing flat network architecture without having to move any existing systems, saving thousands of dollars and accelerating data protection on a low cybersecurity budget. The method is based on a zero-trust model and is adapted to co-exist with malware in an untrusted internal corporate network.

Todd is also the creator of “What Is Your Risk Number,” a method for assigning cybersecurity risk ratings that vary within an enterprise, balancing business needs with proper cybersecurity controls.

The opinions expressed in this blog are those of Todd Bell and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.
