COMMENTARY: I've had the privilege of holding security leadership roles across the U.S. government, private equity, and both privately and publicly held SaaS companies. From an outsider's perspective, these companies appeared to have nothing in common, and even through a security lens, they were as varied as you can get. Everything from the threat actors targeting them to their compliance and regulatory obligations was wildly different.

At its core, in my opinion, there's always one common thread that has stayed constant across all of them: I have yet to find a single cybersecurity risk that cannot be addressed effectively with people, processes, or technology. All risks can be treated, although they almost always carry some level of residual risk; ultimately, it is a matter of how much time and money your organization is willing to spend and what risk appetite it is willing to accept. That last bit is the important part: your organization's leadership must be willing to prioritize security and allocate adequate resources to bring risk down to a level that makes sense.

What's on the Cyber Risk Menu?

[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Read more Perspectives here.]

I love a good analogy, and one I've used for quite a while is how a CISO should think about their role in identifying and treating risk. So bear with me here a moment and let me set the stage: You, the CISO, are, in fact, a world-renowned chef at the "Cafe à la Risk," which is owned and operated by the board and CEO, who are also the top clients of your restaurant. This restaurant is slightly different in that what you serve is a menu of options, and each one is a cyber risk. Do they want the Ransomware burger? Well, you can have it with A5 Wagyu from Japan, along with all the fixings and plated in gold, which will cost a fortune and take a while to get out of the kitchen, or you can get the steam-broiled square burger for a fraction of the cost, served in 10 minutes or less (sorry, White Castle fans). Alternatively, if you are absolutely full, you can simply decide not to eat at all and see what happens to the leftover meat in the back.

You, as the CISO Chef, shouldn't measure success by what the customer eats. Measure it by the menu. Build the best options you can with the ingredients you have, plus options for when the budget allows for Japanese Wagyu. As long as customers eat what you serve and leave full, you're winning. You just can't have them sending meals back to the kitchen or complaining that the menu doesn't address current trends.
OK, back to reality now. I'm one of a growing number of security professionals who argue that the CISO's job isn't to eliminate every risk. That's impossible. It's to illuminate relevant cyber risks and bring risk-informed options to leadership that tie directly to business objectives. If leadership is well-informed and receives meaningful options backed by realistic data, the CISO can sleep well at night.

Now, this may be contentious to some. Many friends and colleagues of mine have suggested the CISO should push harder or try to force decisions, and certainly there is some backroom work to help leadership understand risks and their impact. You can recommend a menu item; your expertise should allow you to do so. But the business owner, be it the CEO, board, or governor, ultimately makes the decision on risk. Not the CISO. If you feel the decision maker made the wrong call, step back and ask yourself why. Was there a business driver requiring a different path? Did you work with the appropriate business stakeholders, such as engineering leadership, to scope the plans? Did your options correctly tie to what the business cares about, whether revenue or service delivery to citizens? If not, you need to rethink your approach.