For CISOs, an even more significant challenge than deciding what policies, processes, or technology an organization should have in place is successfully negotiating disputed risk issues. However, the process for determining risk tolerance is fraught with organizational politics, and it goes without saying that each organization's circumstances call for a customized fit. When defining such a process, the most important aspects to take into account are: how an organization decides on risk tolerance, how security risk assumption decisions are made, and who has the authority to assume security risks.
How to determine risk tolerance within your organization
Every organization has a risk tolerance model, ranging from a formal documented process to an undocumented one, or, more often than not, something in between. To address the problem of contested risk decisions, first determine where on this spectrum your organization lies.
Found in organizations with mature enterprise risk management (ERM) processes, a formal documented risk tolerance and assumption process clearly defines risk assumption authority level and specifies who can assume and sign-off on the risks. This process establishes a "governance procedure" and is often based on quantifying the risks and exposures. Even in these organizations, however, the ERM processes often do not adequately simplify the resolution of contested security issues.
On the other hand, organizations with informal risk tolerance models have few or no documented procedures regarding risk tolerance and assumption. Typically, the model rests on the unspoken assumption that a senior-level manager should be informed of security issues and approve the risk being assumed. Obviously, with an informal risk tolerance model, the organization's security procedures may not be applied consistently, so risks may not be sufficiently vetted.
Determining security motivations
Even for organizations that have mature ERM processes, it is difficult to implement an effective risk assumption process. There is no generally accepted template for a security risk assumption model. Some organizations are predominantly driven by regulatory compliance concerns. Some are driven by the privacy and security risks associated with their information technology practices, while others are driven by industry and/or competitive pressure when determining their risk tolerance levels. Many organizations are driven by a mix of all three drivers.
Because the possible security motivating factors and values can differ greatly between organizations, establishing a formal risk assumption model is imperative and needs to be a truly unique and intimate process that involves the CEO -- and even the Board of Directors.
Who assumes risk -- and how?
All risk tolerance models should include three critical factors, beginning with documenting enterprise risk assumption delegation.
Delegating who can make security risk decisions is critical and, at minimum, that delegation should come from the Board of Directors or CEO level. Ideally, though, the CISO serves as the first line of defense, with the CEO or the Board of Directors following if the risks need to be escalated. Business unit executives should only have authority to make risk decisions that are contained within the boundary of their business unit. Just as CFOs have delegated enterprise authority over spending matters and can overturn or challenge spending decisions by the business units, a CISO should have the same kind of authority over security matters within the boundary of the business units.