Lessons from my CISO – Owning Risk

My current CISO has opened my eyes beyond the technical aspects of security and taught me a lot about managing security. And by security, of course I mean risk, because like it or not, security is all about risk.

Every IT and security team I’d been in previously had treated InfoSec at gatekeepers, as IT police, as people who needed to rubber stamp things as being an acceptable risk. He changed that approach.

Once Security ACCEPT risk, they OWN that risk and frankly, why should security be the arbiters of other people’s business decisions, others probably understand the business needs and risk appetite of their bit of the business better than security do and frankly if they can transfer some of the risk to security (“hey, we asked, you said it was ok, you are the experts after all“) why wouldn’t they?

The approach our CISO took was first lay down a really solid set of security policies (authentication, logging, backups, vulnerability remediation, etc) which as we’re in a highly regulated industry wasn’t hard. He then did away with the concept of “risk acceptance” by security and replaced it was the idea of “policy exception”, where the exception must be approved by technical business leaders, rather than security

This has multiple benefits, firstly for run of the mill stuff, it reduces friction, if projects follow our policies, they don’t need to involve security at all. When projects have portions that fall outside the policies, then need to be understood and agreed, not by security people who may only understand or appreciate the technical risk but by a mix of technical and business heads. Finally it means the other business units are thinking about risk more when it’s their name on the risk register, not security’s; it changes their approach to risk.

We still run detective controls to spot out of policy stuff, but generally it’s allow projects to run faster, with less blocking by security and more appreciation of risk from teams outside of security

Leave a comment

Your email address will not be published.