5 risk management mistakes CISOs still make
Many organizations are still struggling to get security risk management right.

Corporate leaders now rank cybersecurity as a top-level priority, seeing it as a strategic risk that must be managed. Yet surveys of executives and board members suggest that they’re still falling short on that task.

The 2019 Global Cyber Risk Perception Survey from Marsh and Microsoft found that 79% of respondents put cyber risk as a top five concern for their organization, with 22% saying it is their top concern. Yet only 11% report a high degree of confidence in their organization’s cyber resiliency and 61% of respondents said their organizations would prioritize business operations and initiatives over cybersecurity.

Security risk management is still maturing, and many executives struggle to manage security risk effectively. Given that, CISOs and consultants say they see many organizations make mistakes in this area. Here are five common mistakes they see enterprise officials make:

1) A lack of security and business alignment: A lack of alignment between security operations and business strategy remains one of the most common mistakes in risk management, according to multiple CISOs and executive consultants.

“Most [CISOs] don’t measure what the business actually cares about. They’re measuring technical exposures and not the impacts to the business. They still get too caught up in the tools and counting vulnerabilities, but those aren’t measures of the business cyber risk. CISOs need to attach risk to the things that the business cares about,” says Ryan LaSalle, managing director and North American lead for Accenture Security.

2) Limited visibility: Many executives are managing risk for parts — but not all — of their organization because they don’t have full visibility into their enterprise.

“There’s a common misconception that an organization has the complete picture of what the landscape is,” says Tony Buffomante, the global co-leader for cybersecurity services at KPMG. However, he has found that many CISOs don’t have a full IT asset inventory or a complete list of all the third-party suppliers and cloud applications used by employees and business units. “As a result, a lot of companies execute risk assessment programs on an inventory that’s not robust or that is not accurate,” he says.

3) Putting frameworks first: The challenges and complexity of the enterprise cybersecurity function have given rise to a number of frameworks, yet Christopher Kennedy, CISO and vice president of customer success at AttackIQ, sees a risk in focusing too much on using regulatory and compliance frameworks to manage risk.

He says some security leaders mistakenly overemphasize meeting the framework requirements — checking the boxes, so to speak — and see compliance with frameworks as the end goal, rather than focusing resources on understanding the unique needs of their own organization, aligning security initiatives to business strategy and closing gaps in their security program.

4) Giving equal weight to every threat: Given the growing list of threats, attack vectors and vulnerabilities facing any and all organizations, CISOs may be tempted to address them all. However, CISOs and advisers alike say that such a broad approach is a mistake. Instead, they need to be more focused.

5) Failing to consider time elements: Although security or compliance audits can give the C-suite an indication of how well a security program is doing, experts warn that they indicate performance at the time of audit; they don’t guarantee success moving forward — particularly given how rapidly new threats can evolve and how quickly security policies and risk assessments must change to address them.

However, security leaders say that organizations must also recognize that sometimes initiatives to address newly identified risks take time.

“The speed of analysis currently outstrips the speed to make decisions and take action,” LaSalle says. Security teams must build that into their planning and progress reports.