6 steps to getting risk acceptance right

Cybersecurity and risk expert David Wilkinson has heard some executives put off discussions about risk acceptance, saying they don’t have any appetite or tolerance for risk.

“But every organization has to have some level of risk acceptance,” says Wilkinson, senior managing partner with The Bellwether Group, a firm providing security and risk services. Otherwise, they’d be unable to function.

Yet there are indicators that many CISOs aren’t having productive conversations around risk acceptance.

According to Gartner research, only 66% of CISOs identified as top performers collaborate with senior business decision-makers to define their organization’s risk appetite. (The number drops to only 37% of CISOs identified by Gartner as “bottom performers.”)

Yet CISOs should be driving those conversations, says security consultant Frank Kim, because understanding risk and, more specifically, identifying the amount of risk an organization is comfortable accepting should inform the cybersecurity strategy.

Such conversations also identify what risks the organization wants to avoid, which it wants to transfer, and which it should mitigate—all of which also should drive the CISO agenda.

“It’s knowing what risks you’ll take and which you can’t,” says Kim, founder of ThinkSec, a security consulting and CISO advisory firm, as well as a SANS Fellow and lead for the SANS Cybersecurity Leadership and SANS Cloud Security curricula.

Here are key elements offered by experts to help CISOs get risk acceptance right:

Know what’s most important to your organization

The CISO must understand which risks pose what concerns to have informed conversations about the risks the organization is willing to accept. And to do that, they must fully understand their organization’s technology, data, and processes as well as the business functions and outcomes they’re seeking to protect, says Jon Baker, co-founder and acting director of research and development of MITRE Engenuity’s Center for Threat-Informed Defense.

“Understanding the foundation is really about understanding the systems, the sort of information that’s processed, and the impact of those to your organization,” he explains. “Then it’s about understanding the threat landscape, the threats that you as an organization care about, and the controls you have in place to manage those risks.”

The CISOs with that big picture perspective are best positioned to identify which risks pose the biggest threats to the organization’s ability to perform and transact. Thus, they can have more productive conversations around which risks the organization can live with—and which they can’t.

“You have a sense of what’s most important to the organization, and then you can have the conversations about where the cyber risk is and what the impact is,” Kim says.

Analyze, communicate risks with a business lens

Kim stresses what CISOs have been hearing for years: that they should put cyber risks into business context.

“Understand the issues that could disrupt business operations,” he says.

Not all cyber threats pose an equal risk; on the other hand, each cyber threat can inflict varying damage, says Jon France, CISO at (ISC)², a cybersecurity training and certification association.

For example, the impact of an attack that takes out, say, a vending machine system is less concerning than the impact of that same type of attack on a mission-critical system dealing with life and limb, such as one supporting medical equipment.

As such, CISOs need to understand, rank, and communicate cyberthreats not only on their impact to enterprise technology but to the business functions. That way they and their C-suite colleagues can delineate which risks they want to avoid, transfer, mitigate, and accept based on enterprise considerations (i.e., costs, mission, compliance requirements, etc.)

As France summarizes: “You can’t choose to accept a risk if you don’t understand it in the context of your business.”

Engage the business on risk acceptance

Although CISOs should put cyber risks into business context, they should not be the ones to determine which risks the organization wants to avoid, transfer, mitigate or accept.

“The CISO will help set the risk levels but is not the one who should approve them,” says Wilkinson, an adjunct professor of cybersecurity and risk management at Boston College.

He says that task should fall to the executives who own the business areas impacted by the risk; as such, CISOs need to engage those colleagues in risk-related discussions and together come to a consensus on the level of cyber risk each one is willing to accept in his or her functional area.

“Then it needs to be debated all the way up through the risk committee and then the board, who can sign off on it,” he adds.

But Wilkinson says such conversations often don’t happen.

“CISOs always tell me that business engagement is the secret sauce that’s missing, and yet it’s absolutely critical,” he adds.

Additionally, experts say organizations should articulate and quantify their approach to risk management as part of these discussions.

Kim notes that organizations with mature risk management programs have a risk appetite statement that describes the types of risks, and in what amounts, the organization will accept. They also often use methods to quantify and rank risks, so they know when a risk moves from being acceptable to requiring action.

Security exec Pam Nigro agrees, pointing to the Factor Analysis of Information Risk (FAIR) as one methodology that CISOs can use to quantify and manage risk within their organization.

“When you have, for example, 20 critical risks, this helps explain what they mean to someone who doesn’t live and breathe security every day,” says Nigro, vice president of security at Medecision, board vice chair of the governance association ISACA, and a Lewis University adjunct professor in information security, risk, compliance and IT governance.

Let the business own the risk, but remain partners in managing it

Because setting risk acceptance is a business exercise, experts say management and ownership of it should rest with the roles or teams responsible for the functions, services, or products impacted by the risk, says Jermaine M. Stanley, board director for One in Tech, an ISACA foundation, and vice president of the Greater Washington, D.C., ISACA chapter.

“You have to have management’s commitment to risk assessment and risk management. You have to make sure there’s an understanding that the people who are involved in the organization understand who is responsible for risk acceptance,” Stanley says. “Those could be business executives of the business units, but not the CISO. The CISO is responsible for security of the organization. The business executives or GMs or president, those folks need to be on the hook and be accountable for the risk in their business lines or their processes or their products.”

That doesn’t mean CISOs can walk away from the task, he and other experts add.

“It’s not just saying, ‘Here’s the risk, accept it.’ You can’t just throw it over the wall and say it’s their problem. It’s a partnership,” Nigro says. “Security needs to be engaged and really serve the organization, so we’re working together to keep the organization safe. Security has to be that partner that pulls things together.”

Employ frameworks, tools to support risk management

Stanley advises CISOs and their colleagues to use a risk management methodology, such as FAIR, to direct, manage, and track these activities.

“You have to identify your risks against your assets, you have to assess your risks, rate them [for example, as] low, medium/moderate, or high impact, and then when we talk about the impact, there’s the threat and the likelihood that it could occur within 12 to 18 months, so you know whether you want to prioritize a risk,” he says. “What all this does is help [enterprise leadership] make decisions on where to allocate resources, and that gets into business budgeting and strategy.”

He adds: “That’s why a risk management methodology is foundational to risk assessment.”

Stanley also recommends the use of enterprise risk management technologies and/or governance, risk and compliance (GRC) tools as well as a risk register; he says these help identify and track risks as they evolve and as market and enterprise conditions change. That then helps organizations identify when accepted risks move to unacceptable or vice versa.

Revisit and re-evaluate risk acceptance

Stanley, who is also a security and compliance subject matter expert at software company Proofpoint, says he and his colleagues have an automatic annual review of the organization’s risk acceptance, explaining it as an opportunity to “adjust the dial.”

He and others stress the need for CISOs and their organizations to evaluate their appetite for risk, and with it their risk acceptance levels, on a regular basis—annually or more often, as changing circumstances might require.

“Risk acceptance is one part of the risk management process, and its review [should be tied] to how often a business recalibrates what it does. So whenever there’s a material change to the business, a different strategy or acquisition or merger, it needs to be revisited,” Kim says.

“But [CISOs] should do that daily or weekly, too, by asking questions. Security often gets mired in the day-to-day, and we’re not always in touch with the business. But just like the business regularly reevaluates itself daily or regularly, CISOs, too, need to continually stay in touch with business to understand how risk should be accepted or not. Ideally, we want to strive to get to a place where we’re continually understanding that and how we need to change our approach.”