4 CISOs Explain How to Make the Culture Change from Compliance Focus to Risk-Based Cybersecurity
Adopting Factor Analysis of Information Risk (FAIR™) is a culture change for cybersecurity and risk management teams, a shift from passive (follow a controls framework and hope your risk reduces) to active (quantify your risk and prioritize your response accordingly). In a panel discussion at the recent 2022 FAIR Conference, four CISOs who led this mind shift shared their experiences.
FAIRCON22 Panel: Driving Culture Change - From a Compliance to a Risk-based Approach to Cybersecurity
Moderator: Omar Khawaja, CISO, Highmark Health
Mark Tomallo, SVP, CISO, Victoria’s Secret
Mary Elizabeth Faulkner, CISO, Thrivent Financial
Jeff Norem, Deputy CISO, Freddie Mac
Left to right: Omar Khawaja, Jeff Norem, Mary Elizabeth Faulkner, Mark Tomallo
Omar led the discussion with questions on preparing the way for a FAIR quantitative risk management program.
1. Why is compliance so darn compelling?
“I think it’s the easy button,” said Jeff Norem. “Or people think it is because on that list are generally good things to do. It falls down once you get past the basics and have to make some decisions. That’s where you need a different model.”
“How do we take this to the next step to understand why a control is required?” Omar asked. “Almost always, it’s going to be because it will reduce risk. OK, now we can have a conversation. In this situation, it may not reduce risk.” Or, he said, we can look at other controls that may compensate.
“By no means are any of us suggesting you should not be compliant; just that it not be the dominant way you make decisions.”
2. What’s the next step to move that conversation forward from the compliant/noncompliant approach?
“Set expectations with your organization,” Mark said. “Understanding how people consume the data is important and has solved a lot of problems and got us out of a lot of back and forth with how we visualize risk. Some board members don’t want to be in the weeds but they trust the data because of the level setting we have done in the past. They may say show me something [such as a red/yellow/green chart] that I’ve seen for the last 20 years.”
3. How do you build trust with your business partners?
“It takes conversation, bringing people along on the journey,” Mary said. “And communicating in business terms. Ask what’s the most important impact [from a cyber event] that could happen to you. Now, let me tell you how our program can avoid that or help reduce the probability. And then, for instance, are you willing to take a risk of less control so you can get to market faster?”
“Being part of the regular conversations is incredibly crucial. It starts to change you from being a CISO to being a business leader that just happens to have a concentration in information risk. Now you are truly a trusted strategic partner with the business.”
Mark added, “I’ve never seen anything in my 24 years in security that aligns my teams and me closer to the business” than FAIR. “This is 100% a business conversation.”
4. (Audience question) What’s the FAIR viewpoint on maturity models?
Jeff said, “It goes to the culture of the organization. Is it something that is commonly brought to the board or leadership? Maybe there’s value in continuing that, maybe not. It’s really a simplified way to talk technology, to simplify the words down to numbers. But it's not an easy connection to tying it back to risk and money.”
“I’m not a huge fan of maturity models,” Mary said. “Should I be spending a lot of money to write a bunch of policies, or should I spend more money to create automation so I can detect, respond and contain an actual incident?” A better “maturity curve” would gauge preparedness, she said. “If your program can detect a compromise by a sophisticated threat actor in days, that’s a pretty awesome conversation to have with your leadership. That’s where you go from maturity models to risk and prioritization.”
5. Lessons learned from failures?
“Where I see programs stalling, there is a lack of passion around digging into more analyses or digging into analyses more deeply,” Mark said.
“One of the mistakes I also see is people trying to go too deep too quickly… Tomorrow, all of a sudden, we are not revamping the entire risk management program for a Fortune 200 company. That is a slow progression, making sure the business and their functions are on board or at least understanding.”
Omar has learned that surfacing objections heads off failure. “Give them an opportunity to resist. Say ‘tell us all the reasons you think risk quantification will fail here’. Now you know exactly what you have to overcome.”
Coming soon: Watch the video of the panel discussion on the FAIR Institute’s LINK community site (a FAIR Institute Contributing Membership required).