Why CISOs Need To Teach Everyone To Own Risk


As I’ve written, researched, and spoken to experts about cybersecurity over the past three years, I’ve come to believe that my comparison between a portfolio of cybersecurity products and a portfolio of financial investments holds up better than I initially realized. Just as you would discuss the investments in your retirement plan with a financial advisor, a cybersecurity portfolio can be viewed as a series of investments, each carrying its own degree of risk. And, as with money, every person and every business has a different level of risk tolerance.

Paul Calatayud, Palo Alto Networks Chief Security Officer, Americas (photo: Palo Alto Networks)

Recently, I had the opportunity to speak with Paul Calatayud, Palo Alto Networks Chief Security Officer, Americas. Our conversation (soon available in full on Early Adopter Research) began with a fascinating discussion of risk in general and of risk tolerance specifically, as companies approach their cybersecurity portfolios. Calatayud made a compelling argument that one of the major roles CISOs need to start playing within enterprises is that of risk advisor. CISOs do not have to be the proverbial naysayers to everything the business wants to do, but they need a way to explain risk and, more importantly, to make everyone else in the business comfortable with it. Cybersecurity can never reach a state of 100% protection; there will always be tradeoffs. CISOs therefore need to help the people in their companies understand this reality, so that informed decisions can be made to guide the business forward.

Aligning with the Business

CISOs often have a reputation as harried worriers whose concerns about cybersecurity threats prevent the company from achieving its more ambitious business objectives. This doesn’t have to be the case, and in fact shouldn’t be. CISOs should align with the company’s overall business objectives as they assess risk and weigh the pros and cons of any move.

“When a CISO is assessing threats, that assessment must start with business alignment and an understanding of what drives the business,” Calatayud said. “The goal is not to inhibit innovation within the organization. A CISO should not think of his or her role as the gatekeeper of innovation, the sole person who owns risk in the business. Otherwise, their position becomes very challenging. A CISO’s job is to be a trusted advisor, with the goal of effectively communicating risk to the business so they can make an informed decision. Once they make an informed decision, the CISO’s job is to execute against that risk tolerance.”

From Calatayud’s perspective, it does not make sense for a CISO to be the only person in an organization who is responsible for risk. Just as in an investment portfolio, risk must be spread across departments and people. CISOs should provide advice on those risks, but should not be the ones who alone decide whether the risks are worth taking.

He advocates a two-step approach to ensuring wide buy-in on risk across the business:

  1. Define the company’s overall risk tolerance
  2. Serve in an operational role to manage decisions based on that risk tolerance

The goal with this approach isn’t to prevent the company from innovating but rather to make those who want to innovate responsible for their decisions and the risks that come with them. This can only occur once a company-wide cultural understanding of risk is embraced.

Helping to Build a Culture of Understanding

Once a company has outlined the risk tolerance it is willing to accept, Calatayud recommends that CISOs implement a system to document how decisions are made, both to secure further cultural buy-in and to ensure that everyone is responsible for their own decisions. “The CISO has a fundamental role in being an objective observer of decisions and allowing for the board of directors and executive management to see what’s occurring when it comes to these risk decisions. In other words, you can’t be effective by simply saying to a business, ‘You’re in charge of risk and my job is to advise,’ if you don’t also document decisions and create accountability,” he said.

Essentially, the CISO needs to make very clear what his or her advice on an initiative is and document that advice, leaving no doubt in anybody’s mind that the issue has been explained clearly. Then it's up to individual decision-makers in the business to choose their own course based on that advice. This helps to take the emotion out of decisions.

To build such a culture, Calatayud said CISOs must first identify the key decision-makers in the company. These are the people who can actually say which risks are acceptable and which are not. He recommended categorizing risk by type, from legal to compliance to technology to operations, and then finding the decision-makers in each of these areas. From there, he recommended building a risk committee of these decision-makers so that assessing which risks to take on can be done in a uniform way.

“The whole idea is that I’m going to start to identify certain types of risk — operations, privacy, availability — and now I’ve identified the key stakeholders who are essentially my customers, to whom I’m going to communicate the results of risk identification. They’re going to say I either accept it or I don’t, and if they don’t, I come to them with a plan,” Calatayud said. “Now I’m aligning with the business and I’m going to execute on investments and develop metrics around the health of those investments against a key risk. The goal is to reduce that risk to an acceptable tolerance.”

“That’s something organizations sometimes don’t understand,” Calatayud said. “The job of CISO isn’t to make the risk of data loss, for example, go away. It’s to assess the risk appetite and say to the organization, I can spend $1 million dollars or $50 million dollars to make this data protected. What is your risk tolerance around this data? And then I operationalize the program.”

Calatayud compared the role of a CISO to that of law enforcement. Just as radar enforcement, stop signs, and driver’s education make people aware of the rules of the road, a CISO needs to make sure decision-makers know the policies the company wants to follow, and then assess whether everyone is following them.

He said the only way to truly ensure that such an effort is effective is to rely on extensive metrics and data that document performance against these objectives. Whether it’s the time to respond to an incident or the number of times employees have violated a policy, metrics are a CISO’s friend.

“I love positioning a cybersecurity program around metrics because it’s unemotional when I need budget. If I tell you that it takes my current team 138 days to identify an insider threat and protect and mitigate the company from that incident, and they’re telling me their biggest risk is insider threat and stolen intellectual property, the board and the executives are immediately going to say, what is it going to take to go from 140 days to 3 days? And my program should be measuring whether I’m successful in meeting that commitment. And if I’m not successful, I should be communicating to executive staff where the program is deficient. Is it people, process, and technology? Do I have enough people to respond? Do I have technology giving me insight into whether or not incidents are getting a response? A lot of times executives are unsure about what success looks like for the million dollars that’s put into the cybersecurity program. The answer shouldn’t be that ambiguous,” Calatayud said.
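The measurement Calatayud describes, time to identify and contain an incident, compared category by category against the tolerance the risk committee signed off on, is straightforward to compute from an incident register. The following is an added example written for this page; it is not code from the article, from Palo Alto Networks, or from Early Adopter Research. The incident records and the per-category tolerance figures are constructed for illustration, and the field names (`began`, `detected`, `contained`) are assumptions about how such a register might be laid out.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample incident register (not real data). Each record carries the
# risk category the committee assigned, when the malicious activity began, when
# the security team identified it, and when it was contained (ISO 8601 times).
INCIDENTS = [
    {"id": "INC-1", "category": "insider threat", "began": "2019-01-01T00:00:00",
     "detected": "2019-05-19T00:00:00", "contained": "2019-05-21T00:00:00"},
    {"id": "INC-2", "category": "insider threat", "began": "2019-06-10T00:00:00",
     "detected": "2019-06-12T12:00:00", "contained": "2019-06-13T00:00:00"},
    {"id": "INC-3", "category": "insider threat", "began": "2019-08-01T00:00:00",
     "detected": "2019-08-05T00:00:00", "contained": "2019-08-06T00:00:00"},
    {"id": "INC-4", "category": "phishing", "began": "2019-03-04T08:00:00",
     "detected": "2019-03-04T14:00:00", "contained": "2019-03-04T20:00:00"},
    {"id": "INC-5", "category": "phishing", "began": "2019-07-15T00:00:00",
     "detected": "2019-07-16T12:00:00", "contained": "2019-07-17T00:00:00"},
    {"id": "INC-6", "category": "web defacement", "began": "2019-09-01T00:00:00",
     "detected": "2019-09-01T06:00:00", "contained": "2019-09-01T12:00:00"},
    {"id": "INC-7", "category": "ransomware", "began": "2019-10-02T00:00:00",
     "detected": "2019-10-02T08:00:00", "contained": "2019-10-02T10:00:00"},
]

# Assumed tolerances the risk committee documented: the longest acceptable time
# to detect (in days) for each risk category. A category with incidents but no
# documented tolerance is flagged as untracked rather than silently passed.
TOLERANCE_DAYS = {"insider threat": 3, "phishing": 1, "ransomware": 0.5}


def _days(start: str, end: str) -> float:
    """Elapsed time between two ISO 8601 timestamps, in fractional days."""
    delta = datetime.fromisoformat(end) - datetime.fromisoformat(start)
    return delta.total_seconds() / 86400


def program_metrics(incidents=INCIDENTS, tolerances=TOLERANCE_DAYS):
    """Per-category detection and containment metrics, compared with tolerance.

    Median shows typical performance; max shows the worst case, which is what
    the committee is really accepting. gap_days is how far the worst case sits
    beyond the agreed tolerance (None when no tolerance is documented).
    """
    by_category = defaultdict(list)
    for inc in incidents:
        by_category[inc["category"]].append(inc)

    report = {}
    for category, incs in by_category.items():
        ttd = [_days(i["began"], i["detected"]) for i in incs]       # time to detect
        ttc = [_days(i["detected"], i["contained"]) for i in incs]   # time to contain
        tol = tolerances.get(category)
        report[category] = {
            "count": len(incs),
            "median_ttd_days": round(median(ttd), 1),
            "max_ttd_days": round(max(ttd), 1),
            "median_ttc_days": round(median(ttc), 1),
            "tolerance_days": tol,
            "untracked": tol is None,
            "within_tolerance": tol is not None and max(ttd) <= tol,
            "gap_days": None if tol is None else round(max(max(ttd) - tol, 0), 1),
        }
    return report


def out_of_tolerance(report):
    """Categories whose worst-case detection time exceeds the documented tolerance."""
    return sorted(c for c, m in report.items()
                  if not m["untracked"] and not m["within_tolerance"])


def untracked(report):
    """Categories that have incidents but no tolerance on record with the committee."""
    return sorted(c for c, m in report.items() if m["untracked"])


if __name__ == "__main__":
    metrics = program_metrics()
    for category, m in sorted(metrics.items()):
        print(f"{category:16s} n={m['count']} median TTD={m['median_ttd_days']}d "
              f"max TTD={m['max_ttd_days']}d tolerance={m['tolerance_days']} "
              f"gap={m['gap_days']}")
    print("out of tolerance:", out_of_tolerance(metrics))
    print("no tolerance documented:", untracked(metrics))
```

Reporting the maximum alongside the median matters: a 138-day outlier is exactly the figure that gets a budget conversation started, and a median alone would hide it. The "untracked" list is the other useful output, since a category with incidents but no agreed tolerance means the committee has not yet made the decision the CISO is supposed to be executing against.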

Calatayud’s paradigm of sharing ownership of risk across an organization, categorizing risks, and forming a committee to make decisions about risk tolerance appeals to me. With such an approach, everyone in the business has buy-in on risk, and CISOs are not blamed for impeding progress. The company can identify its highest, medium, and lowest risks and then measure its risk appetite against each of them. It makes the process of risk management rational and less emotional, which can only lead to better outcomes.
