
A newly hired CISO was onboarded recently. He proposed a grand information security strategy called “zero risks.” As the CEO, which of the following should you do?
A. Approve the strategy and report to the board
B. Reject the strategy and ask for detailed risk assessment
C. Invite feedback from the senior management team and the board
D. Issue a program policy to initiate the information security program
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is C. Invite feedback from the senior management team and the board.

It’s generally accepted in the risk management community that risk cannot be eliminated, so “no risks” is impossible: identified risks (known unknowns) can be managed, but surprises (unknown unknowns) cannot. However, it’s not uncommon for senior management and the board to prefer “no surprises” and to set “no risks” as the ultimate goal. In this case, awareness, training, and communication are needed.
Context, Stakeholders, and Criteria
The “no risks” strategy is not realistic. The CISO should be informed of the risk appetite, i.e., the “amount and type of risk that an organization is prepared to pursue, retain, or take.” Inviting feedback from the senior management team and the board helps determine the risk appetite. The acceptable level of residual risk can then be further defined.
Informed Decisions
Informed decisions are necessary. Approving or rejecting the strategy with insufficient information, e.g., without knowing the risk appetite, is not good practice. Issuing a program policy to initiate the information security program is done after the strategy is approved.
Risk Appetite
Risk appetite is the level of risk that an organization is prepared to accept in pursuit of its objectives, before action is deemed necessary to reduce the risk. It represents a balance between the potential benefits of innovation and the threats that change inevitably brings. The ISO 31000 risk management standard refers to risk appetite as the “amount and type of risk that an organization is prepared to pursue, retain or take.” This concept helps guide an organization’s approach to risk and risk management.
Source: Wikipedia
Reference
A BLUEPRINT FOR YOUR SUCCESS IN CISSP
My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.
- It is available on Amazon.
- Readers from countries or regions not supported by Amazon can get a copy from the author’s web site.
A newly hired CISO was onboarded recently. He proposed a grand information security strategy called “zero risks.” As the CEO, what should you do first?
A. Approve the strategy and report to the board
B. Reject the strategy and ask for a detailed risk assessment
C. Invite feedback from the senior management team and the board
D. Issue a program policy to initiate the information security program