Building an InfoSec Program from Scratch, Part III – Communicate the Risk

By Stephen Heath – Partner and Advisory CISO – Intrinium

When a new CISO arrives in an organization, they will often walk in expecting to review, assess, build upon, and (sometimes) undo the work of their predecessor. Obviously, this can be a daunting and unique challenge. Sometimes they may find that there is nothing but a green field in front of them. That can be even more terrifying and thrilling. On the one hand, you have an opportunity to build the program you have always dreamed of. On the other, you have to build the whole damned thing!

Regardless of the maturity level of the program you are walking into, there are many things that every CISO must remember when starting a new position:

  1. Understand the business
  2. Establish a baseline
  3. Communicate the risk

In this series, Intrinium’s Stephen Heath will cover critical lessons that new CISOs must learn when taking on the monumental responsibility of building from scratch.

Communicate the Risk

In a previous article, I talked about Understanding the Business and turning your skeptics into advocates. That said, InfoSec is not about making friends. The core job of a CISO is to Communicate the Risk the business faces from an Information Security perspective. This is the lens through which you should view every decision, recommendation, and action that you take.

This is where I have seen many CISOs fail. The bad CISO will use a “hair on fire” approach and exaggerate the risk just so he can get his way. The problem with this approach can be found in Aesop’s Fables #210, better known as “The Boy Who Cried Wolf.” You can only get management’s attention so many times with this tactic before you become just another annoying security guy.

When a good CISO Understands the Business, vulnerabilities no longer exist in a vacuum. She can take in the whole picture and know that something a scanner calls a “Medium” vulnerability on a critical business system may be more important than a “High” one on a locked-down public kiosk.

Let’s take a look at last week’s oil platform example: What is the actual risk of changing the login from a password to an access badge?

  • Threat: An unauthorized person steals a badge and uses it to access the system.
  • Likelihood: They would have to a) get to the oil rig, b) get past physical security, c) steal or clone a badge, d) manage to get into a restricted and dangerous area covered in cameras, e) enter inappropriate data.
  • Impact: Production could be impacted until the bad data is discovered.

I think we can all agree the risk is actually extremely low. If someone were “leet” enough to pull off the scenario above, I’m pretty sure they could social engineer a password somewhere along the way. Frankly, the likelihood of an authorized user entering bad data in error is significantly higher than the Jason Bourne scenario described above. Why not make the employees’ lives easier?
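As an added illustration (not part of the original post, and every number in it is a constructed estimate rather than the author's figure), here is the same reasoning in Python: a multi-step attack chain multiplies down to a very small likelihood, and a scanner's severity label is re-weighted by how much the asset matters to the business before anything is prioritized.

```python
from functools import reduce
from operator import mul

# Constructed per-step success probabilities for the badge-theft chain (steps a to e).
# Illustrative only; the article gives no numbers.
BADGE_THEFT_CHAIN = {
    "get to the oil rig": 0.05,
    "get past physical security": 0.10,
    "steal or clone a badge": 0.10,
    "enter the restricted, camera-covered area unnoticed": 0.10,
    "enter inappropriate data": 0.50,
}

# Constructed: an authorized user fat-fingering data in a given period.
HONEST_MISTAKE_LIKELIHOOD = 0.05

# Impact on a 1-5 scale; both scenarios end in the same outcome (bad production data).
BAD_DATA_IMPACT = 3


def chain_likelihood(steps):
    """Probability that every step of the chain succeeds, treating steps as independent."""
    return reduce(mul, steps.values(), 1.0)


def risk_score(likelihood, impact):
    """Expected-loss style score: likelihood (0-1) times impact (1-5)."""
    return likelihood * impact


# Contextual re-weighting of scanner severity (constructed scales).
SEVERITY = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}


def contextual_score(finding):
    """Scanner severity times business criticality (0-1) times exposure (0-1)."""
    return SEVERITY[finding["severity"]] * finding["criticality"] * finding["exposure"]


def prioritize(findings):
    """Order findings by contextual score, highest first."""
    return sorted(findings, key=contextual_score, reverse=True)


# Constructed findings matching the article's comparison.
FINDINGS = [
    {"name": "critical business system", "severity": "Medium", "criticality": 1.0, "exposure": 0.8},
    {"name": "locked-down public kiosk", "severity": "High", "criticality": 0.2, "exposure": 0.3},
]
```

With these estimates the badge-theft chain scores orders of magnitude below the honest-mistake case, and the Medium on the business system outranks the High on the kiosk.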

A good CISO will put on her risk glasses each and every time, deciding when immediate action is warranted, if incremental action will reduce the risk enough, or if it just isn’t worth worrying about until next year’s budget.
