In evolution, the form of the crab is very popular - it has evolved independently at least five times across ‘decapod crustaceans’, in different locations and under different pressures. It even has its own scientific term - carcinisation. The idea here is that “crabbiness” must provide some advantage for creatures, so those that take on these characteristics are more likely to survive in their environments.

While it might be a glib joke to suggest that CISOs are crabby, there is a trend taking place around how CISOs approach risk as well. In conversations, CISOs tell me they have to focus on two points - how to improve the position of security within the business, and how they can work with their peers on risk reduction. These requirements force them to evolve their processes, as the old methods are not effective. However, the biggest challenge is that many CISOs also think they are alone in this journey, and they have to evolve their own approach around risk. Yet - just like crabs have evolved multiple times from different points - these CISOs are going through the same thought processes, and some common themes are already developing.

Measurement and management

In dealing with high-risk environments, just being able to measure the impact of your actions and the results that you achieve is a significant step forward. Peter Drucker may never have said, “You can’t manage what you can’t measure”, but this line is still true. Measurement is how the business understands the impact that decisions have, and how the organisation then responds to changes in the environment. 

There are things within IT security that are very hard to measure definitively, like the potential cost of a single CVE or a missed configuration change. However, just because something is hard does not mean that it should not be attempted, iterated and improved upon. Can you imagine a civil engineer saying they don’t measure because it’s too hard, they don’t have the data, or there are not enough resources? It would be the definition of criminal negligence, because the stakes are too high if they get it wrong.

While CISOs lead their team to put out the myriad fires that exist, this lack of standardised measurement means that they remain stuck in that approach. Without the right data that the rest of the business can understand, CISOs can’t make those recommendations for later changes. Put in evolutionary terms, managing risk more effectively leads to a more successful business. More successful businesses create more value, and therefore they can thrive in the market.

Evolving faster

Charles Darwin’s most famous quote from The Origin of Species is, “It is not the strongest of the species that survives, not the most intelligent that survives. It is the one that is the most adaptable to change.” Evolution therefore forces change and adaptability. Today’s CISOs face more rapid change in their companies and in their markets - following hot on the heels of digital transformation and the reaction to the pandemic, the advent of generative AI and the expansion of cloud-native deployments are all forcing CISOs to make changes in their approach. 

AI will make threat actors more competent and more efficient. Within businesses, it will support more change and faster development with AI tools. CISOs themselves can use AI, and encourage use of AI for security. But AI will not take over or relieve you of the jobs of thinking, reasoning, and forecasting around security. It will make the job of working with data easier, as long as you have the data and measurement that you need in the first place.

Rather than managing your team to reduce the number of risks you face, the job for the CISO will be around true problem definition, then using risk modeling, analysis and automation to tackle those problems before they have a material impact. While AI can help, it will be the CISO that is responsible for the assumptions that go into the model. 

In order to evolve here, CISOs will spend more time on defining the most plausible threats targeting the organisation and how they put value at risk. This will be based on financial modelling of those risks and the impact they can have, which will mean more communication with peers who are also involved in risk. For example, the CFO will have their own view of risk and its impact on business operations across IT and non-tech areas. The legal team will view risk from a compliance standpoint, and how any issue could lead to fines for non-compliant business processes.

For the CISO, getting that consistent view of risk across the business will make evolution around security easier. From a controls point of view, it demonstrates the value that technical programmes like patching or mitigation have, and why they demand more investment. You can then look at the potential cost of any residual risk, and price your approach to cyber insurance and risk transfer accordingly. The important element here is to get to the Goldilocks zone of ‘not too much and not too little, but just right.’

Making risk operational

As CISOs want to improve their approach to risk, they can work with their internal peers like the CFO and General Counsel on how to bring together finance, compliance and IT security, so they are not alone on the journey. The goal here is to ensure that there is zero daylight between the practice of security and risk measurement and management.

CISOs had to build and develop the security operations centre (SOC) for their IT security in previous decades, bringing together people, process and technology to operate effectively. The new paradigm of building a risk operations centre (ROC) follows the same model around the wider risk conversation, so that these decisions can be made effectively. While the ROC is based on measurement, the aim is to automate how risk gets eliminated through remediation, mitigation, and/or risk transfer.

This approach will rely on data, and many CISOs already have data lakes to gather all this information. The big challenge here is not data gathering, but using that security telemetry for analysis. From a data quality perspective, it involves normalising data from multiple sources, rationalising those risk scores, and considering all the compensating controls that are in place to reduce risk. As new threat intelligence data comes in, it enters the pipeline and calculates the potential risk in context alongside other new and ongoing risk efforts. This should not be viewed as creating another “single pane of glass”, but delivering a single operational process to make decisions on how best to protect business value. 
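As an added example (not code from the article or from The Stack), here is a toy version of the pipeline this paragraph describes, carried through to the value-at-risk and residual-risk-transfer ideas from the financial-modelling paragraphs above: findings scored on different scales are normalised, threat intelligence and compensating controls adjust likelihood in context, the per-asset result becomes an expected loss, and that loss is netted against an insurance policy. Every scale, control effect, asset value and policy term below is a constructed assumption.

```python
# Added example, not the article's own code: a toy risk-operations pipeline.
# Scores from different sources are normalised to 0-1, adjusted by intel and
# compensating controls, combined per asset, and priced against a policy.
from dataclasses import dataclass

SCALE_MAX = {"cvss": 10.0, "vendor": 100.0, "internal": 5.0}   # source scales (assumed)
CONTROL_EFFECT = {"mfa": 0.5, "segmentation": 0.4, "edr": 0.3}  # likelihood cut (assumed)

@dataclass
class Finding:
    asset: str
    source: str                  # which scoring scheme produced raw_score
    raw_score: float
    controls: tuple = ()         # compensating controls in place
    exploited: bool = False      # threat intel: actively exploited in the wild

def likelihood(f: Finding) -> float:
    """Normalise the raw score, then apply intel and controls in context."""
    p = min(f.raw_score / SCALE_MAX[f.source], 1.0)
    if f.exploited:              # new intel raises the base likelihood
        p = min(p * 1.5, 1.0)
    for name in f.controls:      # each control removes a fraction of it
        p *= 1.0 - CONTROL_EFFECT.get(name, 0.0)
    return p

def expected_loss(findings, asset_value):
    """Per-asset expected loss: P(at least one finding is realised) x value."""
    survive = {a: 1.0 for a in asset_value}
    for f in findings:
        survive[f.asset] *= 1.0 - likelihood(f)
    return {a: (1.0 - s) * asset_value[a] for a, s in survive.items()}

def residual_after_transfer(total, deductible, limit):
    """Loss the business still carries after the insurer pays its share."""
    covered = max(0.0, min(total, limit) - deductible)
    return total - covered

# Constructed sample data: two assets, findings from three scoring sources.
ASSET_VALUE = {"payments-db": 2_000_000.0, "hr-portal": 300_000.0}
FINDINGS = [
    Finding("payments-db", "cvss", 9.8, ("segmentation", "edr")),
    Finding("payments-db", "vendor", 40.0),
    Finding("hr-portal", "internal", 4.0, ("mfa",), exploited=True),
]

if __name__ == "__main__":
    losses = expected_loss(FINDINGS, ASSET_VALUE)
    print({a: round(v) for a, v in losses.items()})
    print("residual:", residual_after_transfer(sum(losses.values()), 100_000.0, 1_000_000.0))
```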

Whether this approach will succeed or fail will depend on your assumptions about value-at-risk, plausible future loss, and how you manage that transfer of residual risk. Like a crab, CISOs have to evolve the right approach for them within their organisation. They should want the flexibility to respond fast and ensure their bases are covered. The long-term challenge - and where we will all evolve to - is how to automate this process so that risk can be managed more efficiently, while the business can create more value.
