
Rosalyn Page
Contributing writer

How to ensure cybersecurity strategies align with the company’s risk tolerance

Feature
03 Sep 2024 | 10 mins
CSO and CISO | Risk Management

One of the tenets of risk tolerance is considering the fallout of something going wrong. The risk may originate as a technical one, but for CISOs the challenge is deciphering the organization’s tolerance for the impact.


Aligning an organization’s appetite for risk with cybersecurity strategies is a critical challenge CISOs face, one that requires balancing technical controls and business needs. Achieving that balance demands a capacity to adapt to changing risk environments. But as the CrowdStrike outage showed, well-prepared systems can encounter unforeseen issues, highlighting why cybersecurity strategies need to consider the broader implications of the organization’s risk tolerance.

In many cases, it requires direction from the board, but this is by no means a given. While managing organizational risk falls squarely within the purview of the board, 85% of CISOs believe the board should offer clear guidance on the organization’s risk tolerance for them to act on, according to the IANS State of the CISO 2024 Benchmark Report. However, just 36% are being given this direction, despite regular, recurring board access giving CISOs more confidence in the alignment between the company’s risk profile and the security mandate.

“The people who have more face time and stronger relationships with the board and executive leadership have a sense of where the organization is in terms of risk and what it takes to build a good security program,” says Wolfgang Goerlich, IANS faculty member.

When CISOs are left out of board-level conversations, the opposite is true. “The further we are from the executive conversations, the less dialed in the risk tolerance can be and the less business focused our treatment plans can be,” Goerlich says.

Without regular board engagement, CISOs need to adopt a different strategy and guide the conversation, lay down the parameters and take feedback on their programs, according to Goerlich. He argues that peers can provide important risk tolerance signals. “I don’t think your primary goal should be ‘How do I get more board time?’ It should be ‘How do I better understand the 360-degree relationships I have to make sure my risk tolerance decisions and the risk scenarios I’m putting forward echo and make sense to my peers?’”

Risk tolerance versus risk appetite

The essence of the question is ‘How much risk are we willing to take on?’ and the answer is in quantifying risk tolerance and distinguishing it from risk appetite. “Risk appetite can be highly variable, it can vary among board members and understanding it tends to be very much about intuition on the part of the CISO,” Goerlich says.

On the other hand, risk tolerance needs to be a guided discussion around a particular objective or a risk scenario, where a CISO can develop a hypothesis. “If you can be explicit, if you can describe it well, then you can really have a good conversation to get everyone on the same page as to what that risk is and what you need to do about it.”

The recommendation is for CISOs to consider the potential organizational ramifications and wider public outrage of an incident and avoid trying to get board members to give guidance on the technical detail. “Unless they are a technical board member, they’re looking to us as CISOs to really understand and control that,” says Goerlich.

The risk conversation

To lead the risk conversation and work towards alignment, CISOs need to quantify cyber risk and develop mature risk reporting practices, according to Mary Carmichael, director of strategy, risk, and compliance advisory at Momentum Technology. Carmichael, who, as a member of ISACA’s CRISC certification committee, is at the forefront of developing risk frameworks, says using data from industry sources like the IBM cost of a data breach report helps in understanding the probability and potential impact of cyber risks. “This is crucial for sectors like healthcare and education, which are often under-invested in cybersecurity.”

Organizations need to improve their understanding of risk, particularly as the board is ultimately accountable for risk oversight, even though it may delegate authority to management. “Management, not just the CISO, is responsible for understanding the potential risks to operations and working with the CISO on control requirements,” Carmichael says.

Proper risk assessments and strategic planning are essential for aligning risk tolerance with business objectives. There needs to be more education about what risk management is, who owns the risk and having risk assessments built into the strategic planning process, according to Carmichael. This should include scenario analysis to assess the financial impact of cyber incidents. Risk scenarios help estimate potential losses from cyber incidents, including evaluating reputational, financial, and operational impacts to present to executive leadership.
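The scenario analysis Carmichael describes can be made concrete with a small loss model. The following Python script is an added example and is not part of the article or of any framework it mentions; the scenario name, the event frequency, and the loss range are constructed assumptions, as is the tolerance figure. It treats a risk scenario as an estimated event frequency plus a plausible single-event loss range, simulates many years of outcomes, and reports how often the annual loss would exceed a stated tolerance, which is the kind of explicit, hypothesis-driven figure the article says a CISO can bring to the board.

```python
import math
import random
from dataclasses import dataclass


@dataclass
class RiskScenario:
    """One explicitly described risk scenario (all values are assumptions)."""
    name: str
    events_per_year: float   # estimated frequency of the event occurring
    loss_low: float          # 10th-percentile single-event loss (currency units)
    loss_high: float         # 90th-percentile single-event loss (currency units)


def _lognormal_params(low: float, high: float):
    """Fit a lognormal so that its 10th/90th percentiles match low/high."""
    z90 = 1.2815515655446004  # standard-normal z-score for the 90th percentile
    mu = (math.log(low) + math.log(high)) / 2
    sigma = (math.log(high) - math.log(low)) / (2 * z90)
    return mu, sigma


def _poisson(rng: random.Random, lam: float) -> int:
    """Draw an event count for one year (Knuth's method, fine for small rates)."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        k += 1
        p *= rng.random()
        if p <= limit:
            return k - 1


def simulate_annual_losses(scenario: RiskScenario, years: int = 10000, seed: int = 1):
    """Return one simulated total loss per year for the scenario."""
    rng = random.Random(seed)
    mu, sigma = _lognormal_params(scenario.loss_low, scenario.loss_high)
    losses = []
    for _ in range(years):
        count = _poisson(rng, scenario.events_per_year)
        losses.append(sum(rng.lognormvariate(mu, sigma) for _ in range(count)))
    return losses


def summarize(losses):
    """Mean and selected percentiles of the simulated annual loss."""
    ordered = sorted(losses)
    n = len(ordered)

    def pct(p):
        return ordered[min(n - 1, int(p * n))]

    return {
        "mean": sum(ordered) / n,
        "p50": pct(0.50),
        "p90": pct(0.90),
        "p99": pct(0.99),
    }


def compare_to_tolerance(losses, tolerance: float):
    """Share of simulated years in which the loss exceeds the stated tolerance."""
    over = sum(1 for loss in losses if loss > tolerance)
    return {"tolerance": tolerance, "probability_of_exceeding": over / len(losses)}


if __name__ == "__main__":
    # Constructed scenario: assumed frequency and loss range, not figures from the article.
    scenario = RiskScenario("Ransomware on a business-critical system", 0.5, 100_000, 2_000_000)
    annual = simulate_annual_losses(scenario)
    print(scenario.name)
    print("annual loss summary:", {k: round(v) for k, v in summarize(annual).items()})
    print("against tolerance:", compare_to_tolerance(annual, 1_000_000))
```

Changing the tolerance figure and re-running gives a direct answer to “How much risk are we willing to take on?” for this one scenario, and the same model can be repeated for each scenario the committee wants to discuss.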

Organizations need to war-game cyber incidents, from external attacks to internal threats, drawing on news and recent breaches to understand and mitigate emerging risks.

Admittedly, there’s always the prospect of a black swan event that no one’s really expecting or is fully prepared for. A case in point is the CrowdStrike event, triggered by an update gone wrong that had a worldwide impact. “Who would have expected CrowdStrike to bring down 10 million computers worldwide and create a global outage?” Carmichael says.

Nonetheless, it serves as a reminder for CISOs that these events change organizational risk tolerance and going forward they may need to include strategies for complete digital destruction scenarios, whether it’s a direct cyber-attack or a system outage brought on by a third-party. “Simulate complete system outages to test recovery plans and prioritize critical systems, and see if, worst case scenario, you’re able to [at] least recover from backups,” she says.

Risk and information security committees for sound planning

One way for CISOs to align cybersecurity strategies with organizational risk tolerance is strategic involvement across the organization. “By forming risk committees and engaging in business discussions, CISOs can better understand and address the risks associated with new technologies and initiatives, and support the organization’s overall strategy,” Carmichael says.

An information security committee is vital to this mission, according to Carl Grifka, MD of SingerLewak LLP, an advisory firm that specializes in risk and cybersecurity. “There needs to be a regular assessment of not just the cybersecurity environment, but also the risk tolerance and risk appetite, which is going to drive the controls that we’re going to put in place,” Grifka tells CSO.

The committee operates as a cross-functional team that brings together different members of the business, including the executive, IT, security and maybe even a board representative on a more regular basis. Organizations low on the maturity level probably need to meet every couple of weeks, especially if they’re in a remediation phase and working to reduce gaps in the security posture. “The committee becomes that apparatus you can use to communicate as you go,” Grifka says.

For those higher on the maturity level, having a committee in place provides a mechanism for review and response to the changing risk landscape. “It should be regularly reporting on the state of information security within the organization,” Grifka says.

With a large and growing list of responsibilities and short tenure, it can be challenging for CISOs to know the business deeply. The committee is a useful forum to help CISOs understand what’s going on across the organization. “Ideally they should really have the pulse of the business,” Grifka says.

To help make the task less daunting, actively building relationships with other business leaders will help CISOs come to grips with what’s happening and build trust. “Having that rapport, hopefully they’ll pick up the phone to say ‘hey, we’re thinking of doing this’ and the CISO gets to know about it,” Grifka adds. “Other business leaders should feel comfortable to engage you in those water cooler moments.”

Next comes the maturity assessment

By understanding the business deeply, it’s easier to translate its risk tolerance into the security posture. Doing so requires a mature framework and not accepting more risk than you’re willing to as an organization.  

It starts with maturity level assessments, mapping controls against industry frameworks and defining the level of maturity the organization desires and then translating that into the specific controls. “You shouldn’t be spending to put in significantly more controls than you need because that would then reduce efficiency and add additional cost,” Grifka says.

Finding the balance is necessary, but it’s by no means a static set-and-forget position. “It needs to be dynamic because what makes sense today might not make sense two years from now, and so the process needs to be regularly adjusted,” he says.

How CISOs can help organizational growth through collaboration

A cyber risk is a business risk, and it needs to be addressed with IT controls. One of the challenges, however, is that CISOs must come to grips with what these risks mean. The risk isn’t the unpatched vulnerability; it’s the ramifications of that risk for the business, Goerlich tells CSO. “Our ability as security leaders to elevate the risk scenario and lead the conversation around tolerance is predicated on us putting that risk within the business context and the product we’re selling.”

Goerlich suggests that a CISO’s background plays a part in coming to grips with this: CISOs with a GRC background tend to be better at tying security risk to business risk because they understand the compliance obligations, while those from a SecOps path may struggle more.

Nonetheless, CISOs need to be conscious of the business operating environment and draw on appropriate metrics to illustrate how risk is being managed. The goal is to show the risk is coming down and the CISO has implemented a treatment plan that works. To do this effectively, CISOs will need stronger business acumen, according to the IANS report, and increasingly this includes offering constructive ways to support risk as a business opportunity. “That business acumen is understanding the business ramifications of the risk, not the technical underpinnings,” Goerlich says.

However, Goerlich believes ‘positive risk’ is something that security leaders have found very difficult to identify and capitalize on. “In part, it’s because the downsides of cyber are so great and the upside is nothing bad happened,” says Goerlich. He encourages CISOs to develop stronger partnerships with other technical leaders to understand business objectives and identify the associated risks. This includes partnering with the CIO or the CTO to find ways to accomplish something because it can be a tricky path to go on your own.

For too long, CISOs and cybersecurity teams have been known as the department that says ‘no’ and for being very risk averse, says Carmichael. But if business is all about seizing opportunities, growth means embracing and managing risk, whether it’s in the form of new technologies like AI and IoT, new applications, expanding into new markets or acquiring new businesses.

To shake off this reputation, CISOs and cybersecurity leaders need to constructively support the organization in its growth plans. “Part of the CISO’s remit now is how do we make sure the business is protected while moving these initiatives forward,” Carmichael says.


Rosalyn Page has been writing about technology long enough to remember when the only thing to worry about was Y2K. Since then, the dot-com boom became the dot-com bubble, technology fundamentally altered our lives, and everything has become about security. With a particular interest in privacy, data, and security, Rosalyn has covered social media, AI, IoT, deepfakes, marketing tech, the cloud, enterprise tech, consumer tech, and digital transformation. Her side gig is an arts and culture blog, ‘Some Notes from a Broad’. And when not wrangling bits and bytes into words, Rosalyn enjoys low-fi hobbies like reading books, walking her Whippet Sketch, and having one too many coffees at her favourite café.
