What’s your initial response to the question posed in the title of this post? I bet most information security professionals would initially say “value preservation,” as the CISO’s “primary” responsibility is to manage information-related risk.
But I see this as a limited view that is (at least in part) the product of immature risk management processes, which often lack the depth and specificity needed to support an organization and fully understand the risk landscapes in which it operates.
Optimizing your risk management processes improves decision-making across the business (not just around information security), better aligns organizational resources and creates value.
So I would argue that a CISO’s role is to both preserve value and create value.
Why a CISO Should Preserve and Create Value
A good example is a venture-backed machine learning company for which we recently became the virtual CISO (vCISO). As with most startups seeking to reach critical mass, information security had taken a back seat to product development and marketing. On the plus side, they had prospects interested in becoming customers. Unfortunately, they were not winning contracts because they were failing their potential clients’ security reviews. Risk mitigation activities were very reactive and ineffective, and they were burning cash.
We shifted the short-term focus of information security from reactive gap closure to proactive strategic road-mapping, with an emphasis on having a security story to tell prospective clients. We were able to communicate a quarter-by-quarter plan to achieve an industry-leading security posture (verified by ISO 27001 certification), with short-term compensating control mechanisms that allow clients to come on board now with minimal risk.
Within 45 days, our CISO-as-a-service client won their first significant contract, which is sufficient to fund a lifetime of our vCISO services. Now that is value preservation and value creation.
A Risk Management Framework for CISOs
The COBIT 5 IT governance and management framework suggests that, to achieve both value creation and value preservation, your risk management program should answer these six questions:
- What are we in business to do?
- What risks are we exposed to?
- What risk is most important?
- What are we going to do about the high priority risk and others that require action?
- Did our risk actions produce the desired outcomes?
- Is the risk management process embedded in the business and operating as intended?
I think that’s a great starting point. But I would add one other key concept from ISO 27001: Have you defined your Information Security Objectives for the year in a manner that aligns with your annual organizational objectives?
If you can answer yes to that last question, you have a good shot at developing an information security program that both protects the business and its information assets, and adds value by addressing stakeholder demands and enhancing competitiveness.