“What Leadership Qualities for CISOs Are Most Important?” Start with the Right Model

February 13, 2020 | Jeff B. Copeland

A new article on IBM’s Security Intelligence site asks “What Leadership Qualities for CISOs Are Most Important in 2020?” The article draws on a CISO survey by PwC and Harvard Business Review that identified seven top priorities for cybersecurity leaders – only one of them technology-specific, the rest “focused more on executive and strategic responsibilities.”

As Security Intelligence writes, CISOs must “guide their organizations down the middle of the road, taking on just the right amount of risk and adopting a suitable pace for their digital transformation.”

Are CISOs up to the challenge? As RiskLens Co-Founder and Chief Risk Scientist Jack Jones has said, “Making well-informed decisions and executing reliably is critical to risk management success. But as a profession, we do not enable well-informed decision-making or reliable execution… If we want to have any hope of dealing successfully with digital transformation-related risk we have to mature as a profession, quickly.”

Jack is the creator of Factor Analysis of Information Risk (FAIR™), the international standard model for cyber risk quantification (i.e., seeing cyber risk in financial terms), which the RiskLens SaaS platform makes available at enterprise scale. With cyber risk analyzed in financial terms, CISOs can truly balance risk against transformation through well-informed decision-making.

In fact, the cyber risk quantification approach clears the way for CISOs to meet the seven priorities that IBM outlines:

Build an organization-wide cybersecurity culture

The FAIR model provides a way of thinking about risk, based on common concepts and vocabulary, that can be understood and adopted across the business.

Learn more: Adopting FAIR – How to Convince and Convert Key Teams in Your Organization

Formulate strategy for cybersecurity

CISOs use RiskLens’ FAIR-based analysis to inform strategic and tactical decisions: risk is priced in financial terms, and defensive measures are compared on the risk reduction they deliver against the organization’s risk appetite.

Learn more: Quantitative Risk Reporting Stratification: Know Your Audience

Build and maintain threat resistant systems

With quantitative analysis, CISOs routinely engage in “application rationalization” and other controls assessments to get the most out of their first lines of defense.

Learn more: Case Study: Reducing Web Application Attack Risk with RiskLens

Work with the risk management function to integrate cyber risk with broader risk strategy

The most widely used enterprise risk management standard, the COSO ERM, includes cyber risk quantification as a best practice and specifically calls out FAIR in a recent guidance document.

Address legal and regulatory compliance requirements

RiskLens’ FAIR-based analysis is widely used to satisfy the risk management and risk disclosure requirements of many standards and regulations, including those of the SEC, PCI and the NIST CSF.

Learn more: NIST Maps FAIR to the NIST CSF, Major Recognition of the Power of Cyber Risk Quantification

Develop cybersecurity risk metrics

A key benefit of a RiskLens implementation is clear, consistent reporting on risk in the financial terms the business demands – no more vulnerability counts, patch counts or other techno-speak.

Educate the board and the C-suite on cybersecurity

With RiskLens, CISOs answer in business terms the big-picture questions that come down from the top, such as:

  • How much risk do we have?
  • What are our top risks?
  • Are we spending too much or too little on security?

Learn more: Building a Cyber Risk Report Your Board Will Love