Source: www.csoonline.com – Author:
Given its importance and complexity, risk management is a trap door for many CISOs. Here are seven ways to keep your enterprise from inadvertently falling into a security crisis.
CISOs know risk management is essential for building and maintaining a resilient enterprise security posture. Yet despite their best efforts and good intentions, many security leaders continue to fall into common traps that undermine that work.
Regardless of your enterprise’s size, mission, or scope, risk management plays a bedrock role in its overall security posture. Making even a seemingly simple mistake can lead to severe consequences. And the CISO will inevitably be blamed.
Here’s a rundown of top risk management mistakes CISOs still make, and how to avoid them.
1. Lacking a defined objective
Perhaps the biggest risk management mistake CISOs make is failing to create a well-defined program objective, says Kristi Preuss, a principal in business advisory firm Deloitte’s cyber practice.
Preuss observes that many CISOs find themselves facing myriad ongoing issues and daily fires. As a result, they never leave firefighting mode long enough to develop, much less successfully execute, a broader information security strategy. “Instead, many CISOs find themselves in the weeds from day one, trying to tackle everything at once, often with only legacy tools and limited resources,” she says.
When a CISO is enmeshed within a reactive and operational approach, enterprise strategy suffers, and enterprise security controls struggle to keep pace and move beyond the current threat landscape. “With out-of-date or ill-defined program targets, limited strategic investments, and an absence of innovative, strategic planning, CISOs do their organizations a disservice and ultimately increase information security and cyber risk,” Preuss says.
Preuss says the path to success for CISOs looking to get out of the quagmire and back into strategic leadership with a proactive security approach is to deploy routinized operational risk processes. She also advises limiting the amount of time key team members spend on routine tasks that can be easily handled by less critical individuals.
2. Overdoing security and risk assessments
Many CISOs build overly control-oriented security and risk programs that can lead to conducting risk assessments almost continuously, always trying to find new issues to mitigate, warns Nick Godfrey, senior director and global head, office of the CISO, at Google Cloud.
“While conducting a risk assessment can initially be useful in mitigating risks, it becomes unproductive in the long term, initiating a relentless cycle that results in disproportionate costs and missed opportunities where resources could be better invested elsewhere,” he says.
Godfrey notes that it’s normal for CISOs to want to address every possible risk their organization may face, often under pressure from a board that drives security leaders to be overly cautious. “This leads to building risk programs that are ‘hard-coded,’ in which the only approach is to prioritize constant risk assessments and mitigation,” he says.
Such a reactive mindset can overshadow the need for a more strategic approach that considers the possible people, product, and financial impact of risk. Psychological factors can also make individuals or teams poor at risk assessment.
The correct approach to risk management is a holistic one that maintains an appropriate level of risk without continuous mitigation work so that resources can be reallocated based on which areas need more attention, Godfrey says.
“Organizations with the best security posture go beyond maintaining low risk and spend additional time improving efficiencies and capabilities that reduce risk,” he says.
Godfrey suggests optimizing the arrangement of risk controls to reduce the number of controls needed, automating activities to reduce maintenance and administrative toil, and improving the customer experience with strong fraud prevention methods.
3. Failing to establish a true security culture
Culture is an amalgamation of beliefs, values, and behaviors, so it follows that a cybersecurity culture is primarily driven by the people within the organization. The best way to build such a culture is to demonstrate it in practice, not just in aspirational mission statements or fancy presentations, says Sourya Biswas, technical director of risk management and governance at cyber security and managed services firm NCC Group.
“An enterprise that observes the right security beliefs, shares the right security values, and incentivizes the right security behaviors can build the right enterprise-wide cybersecurity culture,” he states. “Without the right culture, the best of security strategies will fail.”
Since a cybersecurity culture is primarily driven by people, it should be demonstrated by the senior-most people within the organizational hierarchy, Biswas says. “In other words, it shouldn’t be the responsibility of the security organization, but the entire C-suite and board of directors.” He believes that the “tone at the top” is critical to fostering a meaningful cybersecurity culture. If employees see that leadership doesn’t follow what they preach, they will likely do the same.
“Ultimately, everyone in the organization has a responsibility for fostering a cybersecurity culture,” he says.
4. Believing their security is more rock solid than it is
The biggest error CISOs make is thinking they’ve obtained complete control — relying on their security plans and placing confidence in a collection of industry certifications to safeguard their business from cyberthreats, says Howard Taylor, CISO at cybersecurity technology provider Radware. Cybersecurity is complex and constantly evolving, he observes. There are always new attackers, new approaches, or reboots of old attacks with a new twist. “Remaining vigilant and prepared is the only way to truly manage risk.”
Cybersecurity needs change over time. “If you’re not regularly improving and verifying your control environment, you’ll find your business unprotected,” Taylor warns. The threat landscape is in a constant state of flux, and security solutions that may have been regarded as strong when first implemented will become weaker over time. “Taking your eye off the ball, even for a short time, can be tremendously costly.”
Worse yet, CISOs often make decisions based on a false sense of security, Taylor says. They spend so much money and time improving cybersecurity defenses and training their teams that they believe that anything less than full protection is impossible.
“In reality, the only real answer to the question ‘Are we secure?’ should be the same every time — a resounding ‘no,’” he says.
5. Having a checkbox mentality
CISOs often focus on ensuring compliance with regulations and standards, rather than assessing and managing the actual risks to their organizations, says Jeff Orr, director of research for digital technology with technology research and advisory firm ISG.
“This might stem from a belief that compliance equates to security,” he says, adding that this can lead to a checkbox mentality, with the organization fixating on regulatory requirements and neglecting to evaluate and mitigate real-world threats. “As a result, vulnerabilities may persist, leading to breaches and data loss that could have been prevented by using a more strategic, risk-based approach.”
CISOs, over time, may become complacent, relying on established security protocols without reassessing their effectiveness or adapting to new risks, Orr says. “A reactive, ‘whack-a-mole’ approach isn’t sustainable and can result in outdated security policies and controls that don’t address current threats.”
6. Failing to establish effective metrics and governance models
Erez Tadmor, field CTO with security policy company Tufin, advises CISOs to balance their security tools with strong, ongoing measurement and governance models. “CISOs can significantly strengthen their organization’s security posture by prioritizing the development and regular review of these frameworks,” he states.
Effective metrics and governance models will help ensure security policies are consistently aligned with regulatory requirements, industry best practices, and an organization’s specific needs. “Having clear and constant visibility allows teams to identify misconfigurations in infrastructure before they can lead to breaches,” Tadmor says. “Without strong metrics and governance, it becomes challenging to measure the success of security initiatives and maintain up-to-date, effective policies.”
7. Failing to create a strong operational resiliency plan
An operational resiliency plan looks at the big picture, encompassing an enterprise’s entire ecosystem and showing how to maintain business operations during disruptive events, says Jim Doggett, CISO at security technology provider Semperis. “By prioritizing operational resilience, CISOs can balance the need to protect against critical security risks with business continuity management.”
With careful planning, organizations can limit disruptions, recover faster, and reduce the impact on their bottom line if breached, Doggett says. “Without an operational resiliency plan in place, your entire ecosystem, including suppliers, partners, and vendors, is at risk.”
Operational resilience efforts tend to fail, however, when an enterprise is internally disconnected. “As leaders of their organization, CISOs are responsible for driving security initiatives, but operational resilience requires organization-wide participation,” Doggett says. “You can’t simply leave it to a single department or team — everyone needs to be involved.”
Original Post url: https://www.csoonline.com/article/569259/5-risk-management-mistakes-cisos-still-make.html