
The evolving role of CIOs in security and risk management

A good security operating model utilises a risk-based approach to identify and prioritise security projects and investments

Measuring and articulating cyber and technology risk to senior leadership is critical.

CIOs are responsible for organisational security and must balance business growth with security and protection. They can do this by taking the following steps:

Develop a defensible security programme

CIOs must understand what “good” looks like and build a continuous security programme that can be defended and that balances protection with business operations. Implementing a programme only to meet a compliance requirement is not an effective approach. Time and effort must be put into developing effective governance and risk management.

For a security programme to be considered defensible, it must:

  • Have a clear mandate from executive leadership.
  • Establish and enforce owner accountability.
  • Invest in risk assessment capability.
  • Follow accepted standards.
  • Be clearly linked to the business context of the organisation.
  • Focus on continuous improvement.
  • Be agile enough to respond fast to changing threats and scenarios.
  • Support formal, repeatable security processes.
  • Deliver accepted levels of infrastructure protection, application and data security.
  • Focus on business continuity and resilience.
  • Provide training and guidance to drive secure employee behaviour.

Paul Furtado, VP Analyst at Gartner

Adopt operating models for IT risk and cybersecurity management

Risk identification, implementation of adequate preventative measures and incident response are critical parts of building a strong security operating model. A good security operating model utilises a risk-based approach to identify and prioritise security projects and investments. It is a collaborative process focused on continuous improvement.

Segregation of duties and oversight are a minimum requirement for any adopted model. Adopting a model like the three lines of defence (see Figure 1) provides the requisite segregation.

Figure 1: The Three Lines of Defence

Source: Gartner (June 2023)

CIOs responsible for security and risk will be actively involved in the first and second lines of defence, while internal audit provides the third and final line of defence, assuring that the controls are deployed and as effective as expected. Establishing strong working relationships with the stakeholders responsible for the second and third lines of defence will reduce friction, lead to better teamwork and make it easier to embed a culture of everyone in the organisation making good risk and security decisions.

In addition to a risk governance model, CIOs need to align their cybersecurity programme with a known cybersecurity framework. This helps provide defensibility for security actions.

How to communicate risk and security posture

Developing a strong security programme helps build trust between the CIO and senior leadership. Trust and resilience are embodied in security and business outcomes. These outcomes are addressed by a set of controls that are consistent, adequate, reasonable and effective.

To reflect how well their organisation is protected, not how it is protected, CIOs can use outcome-driven metrics (ODM), which guide security investment, as well as protection-level agreements (PLAs). PLAs identify how much risk business stakeholders are willing to accept within their areas of control.

Once the necessary metrics are in place, CIOs need to document, manage, and communicate cyber- and IT-related risks to business leaders on an ongoing basis. Using a risk register allows for ongoing risk evaluation and documentation of risk acceptance. The executive/board ultimately makes the risk acceptance decisions, and the CIO needs to work within the given parameters.