As a former CISO, I have to say it -
Stop blaming your CISO every time there’s a data breach!
While the CISO plays a huge role and is responsible for identifying risks and implementing systems to tackle them, their influence only goes so far.
The CISO will identify and surface risks to leadership, and those risks fall into two categories:
1. Risks the security team can solve directly
2. Risks that exist in other parts of the business
The CISO does not have unilateral authority over decisions outside their department. If a potential risk is found in activity in another area of the business, they can only advise on the proper course of action. Risk ranking, management, and clear ownership are crucial, but if leadership understands the recommendation and decides not to follow through with it, the outcome is out of the CISO's hands.
This is the classic “accepted business risk.”
Strategic risk decisions are core to business success, and the CISO can help your business succeed and take responsible risks, but you can't have your cake and eat it too. If you choose to ignore security advice, you have to own the outcome - for better or worse.
This post generated a great discussion on LinkedIn. Don't hesitate to join the conversation there with your thoughts!