What is your risk number as a CISO and what is the risk number for the enterprise

A few weeks ago, a new acquaintance made a cynical joke about the CISO being the person to blame and fire when a cybersecurity breach occurs in a company. While I privately grinned in dismay at the comment, there is some truth to the statement. It reminds me of a very critical question every CISO job candidate must ask during a job interview: "If the company has a cybersecurity breach, will I be fired?"

As we all know, cybersecurity is everybody's responsibility, not just that of the CISO who is in charge of cybersecurity. For many years, cybersecurity has been ignored, as evidenced by the high number of security breaches, which leads to the comment we hear very often from the C-Suite: "Are we safe?" This loaded question is ridiculous from where we sit, as it will evoke a loaded answer from any CISO. Trying to determine whether a company is "safe" from cyber-attacks involves so many variables and components that nobody could really quantify the level of protection a company actually has without lots of metrics and PowerPoint slides.

I saw a recent commercial for a Sleep Number bed on television asking "What is your Sleep Number*?" Thinking about the sleep number made me think of, "What is your Risk Number?" As a CISO, you should have an enterprise risk statement that defines what the company's risk appetite is and how granular cybersecurity needs to be. Without it, you are flying blind and will most likely end up leaving your post out of frustration. Without this number, how do you know the right amount of staff, budget, and resources needed to sustain a cybersecurity program, beyond the typical metrics, such as resource loading, that we use to measure and quantify cybersecurity?
As the CISO for your company, you might want a rigid cybersecurity program with a high degree of formality and standards, yet the C-Suite and Board of Directors may only care whether the cybersecurity program is "good enough" to accommodate the business, relying on a cybersecurity insurance policy as a backup plan. The Board of Directors may want a risk number of 3.5, while you think the company should be at 8.5. This is the defining line that dictates how long a CISO will last in a company, because the risk level has not been defined.

At the end of the day, we are risk managers functioning as CISOs within companies, and many CISOs have mismatched risk levels. When a CIO is hiring a CISO, the CIO most likely does not know what they are getting and has to go through a vetting process to hopefully qualify the CISO candidate and determine whether this CISO is a "hard-ass" or a happy-go-lucky CISO candidate. Knowing the risk number of an individual relative to the enterprise will help clarify and properly communicate mutual expectations, leading to a more harmonious relationship within the C-Suite and reducing the risk of being perceived as the "anti-business" CISO.

The CISO can guide the process of determining what the enterprise risk number should be, but you should never determine the number on your own, because you may be misaligned with the C-Suite. When a collaborative process is followed in the C-Suite, the risk number will determine how you successfully run your department and manage resources.

Sample industries and what a customary "risk number" may look like:

Paper Manufacturing: 2.5
Pet Care: 3.5
Hospitality/Hotel Services: 7.0
Utilities: 6.25
Aerospace: 8.0
Higher Education: 6.0
Payment Processor: 8.5
Cloud Service Provider: 7.5
Car Manufacturer: 6.75
Retail Industry: 7.5
US Military: 10.0
Financial Institutions (Big Banks): 10.0

We have been discussing the overall enterprise risk number, but risk varies within an enterprise.
For instance, a "sub-risk number" might be a rating of 3.0 for the shipping department but 9.0 for the CFO's finance department. Every company will have a different overall enterprise risk number as well as different sub-risk numbers, so that the right amount of cybersecurity controls can be applied without suffocating the entire business.

Imagine a risk heat map for your entire company. Some parts of the company need very strong cybersecurity controls, and other parts may only need the bare minimum. You would typically never take a "one-size-fits-all" approach to cybersecurity and apply the same amount of cybersecurity across the entire enterprise.

Sample "sub-risk numbers" within a company, based on function:

C-Suite Officers: 8.5
Contact Center: 6.0
IT/Engineering: 7.5
Warehouse: 2.75
Operations: 3.0
Front Desk/Reception Area: 2.5

What is your Risk Number? It should be determined by the type of industry your company is in, the size of the company, what is at risk, what type of data must be protected, intellectual property, financial systems, what your senior executive leadership team desires, and the overall risk appetite defined by the senior executive leadership team.

*Sleep Number is a registered trademark.

Special thanks to Mansur Hasib (author of Cybersecurity Leadership: Powering the Modern Organization) for peer review.