5 risk management mistakes CISOs still make
Many organizations still struggling to get security risk management right.
Corporate leaders now rank cybersecurity as a top-level priority, seeing it as a
strategic risk that must be managed. Yet surveys of executives and board
members suggest that they’re still falling short on that task.
2019 Global Cyber Risk Perception Survey from Marsh and Microsoft
found that 79% of respondents put cyber risk as a top five concern for their
organization, with 22% saying it is their top concern. Yet only 11% report a
high degree of confidence in their organization’s cyber resiliency and 61% of
respondents said their organizations would prioritize business operations and
initiatives over cybersecurity.
As security risk management is still maturing and many executives struggle with
effectively managing security risk. Given that, they say they see many
organizations make mistakes in this area. Here are five common mistakes they see
enterprise officials make:
1) A lack of security and business alignment A lack of alignment between
security operations and business strategy remains one of the most common
mistakes in risk management, according to multiple CISOs and executive
“Most [CISOs] don’t measure what the business actually cares about.
They’re measuring technical exposures and not the impacts to the business. They
still get too caught up in the tools and counting vulnerabilities, but those
aren’t measures of the business cyber risk. CISOs need to attach risk to the
things that the business cares about,” says Ryan LaSalle, managing director and
North American lead for Accenture Security.
2) Limited visibility: Many executives are managing risk for parts — but not
all — of their organization because they don’t have full visibility into their
“There’s a common misconception that an organization has the complete picture of
what the landscape is,” says Tony Buffomante, the global co-leader for
cybersecurity services at KPMG. However, he has found that many CISOs don’t have
a full IT asset inventory or a complete list of all the third-party
suppliers and cloud applications used by employees and business units. “As
a result, a lot of companies execute risk assessment programs on an inventory
that’s not robust or that is not accurate,” he says.
3) Putting frameworks first: The challenges and complexity of the
enterprise cybersecurity function have given rise to a number of frameworks, yet
Christopher Kennedy, CISO and vice president of customer success at AttackIQ,
sees a risk in focusing too much on using regulatory and compliance
frameworks to manage risk.
He says some security leaders mistakenly overemphasize meeting the framework
requirements — checking the boxes, so to speak — and see compliance with
frameworks as the end goal, rather than focusing resources on understanding the
unique needs of their own organization, aligning security initiatives to
business strategy and closing gaps in their security program.
4) Giving equal weight to every threat: Given the growing list of
threats, attack vectors and vulnerabilities facing any and all organizations,
CISOs may be tempted to address them all. However, CISOs and advisers alike say
that such a broad approach is a mistake. Instead, they need to be more focused.
5) Failing to consider time elements: Although security or compliance
audits can give the C-suite an indication of how well a security program is
doing, experts warn that they indicate performance at the time of audit; they
don’t guarantee success moving forward — particularly given how rapidly new
threats can evolve and how quickly security policies and risk assessments must
change to address them.
However, security leaders say that organizations must also recognize that
sometimes initiatives to address newly identified risks take time.
“The speed of analysis currently outstrips the speed to make decisions and
take action,” LaSalle says. Security teams must build that into their planning
and progress reports.