Risk is involved with just about everything that happens inside an organization—the things we build and operate, the partners we work with, and much more. A big part of the Chief Information Security Officer’s (CISO) job is to help your executive counterparts understand and manage risk in data management, cybersecurity, and other areas of the business.
Inside any organization or team, who really owns risk? Is it the cybersecurity team? Is it the product teams? Is it the business owners? This article explores ownership models and why they matter.
There’s not one simple way that somebody comes to own something. Even then, what does it mean to truly own something today? Here’s an analogy: We don’t own the Kindle books that we paid for and read on our commute. Conversely, we do own the hardcover books that we purchase from the same vendor and keep on the shelf. Even though these may be the same book, same author and publisher, and same cost, the ownership model is different.
There are several ways that ownership might occur, as outlined in the book “Mine!”:
- First come, first serve—the first to take ownership of something maintains ownership of it.
- Possession—the entity that mostly possesses something, especially over an extended period of time, owns it.
- Attachment and association—something is attached or associated with something already owned and therefore that additional something is also owned.
- Bold claims—the entity that makes a bold claim to something may push out others in claiming or maintaining ownership.
Why Risk Ownership Matters
When ownership is not clearly defined, there is ambiguity. That can often lead to inaction or misaligned expectations (e.g., “we thought your team was handling this”). Depending on the particular issue, lack of action can lead to significant consequences.
Consider the following scenario:
An internal IT operations team runs a self-hosted JIRA service on Amazon Web Services. The account structure, resource provisioning, and governance is typically handled by another internal platform team. The news drops of CVE-2018-10054, a vulnerability, being actively exploited around the world and immediate patching is recommended. However, the IT operations team pushes back saying they’ve tested patches and they weren’t stable, the JIRA service is too critical, and they won’t be moving forward right now, opting to wait for additional guidance.
Who Owns The Risk Outcome?
In the above scenario should the service team be making that decision or the CISO? If the service team owns the service but isn’t making the ultimate call on what gets worked on, do they really own it? Who in the organization should have the means to say “I accept this risk” or make those final determinations?
This isn’t an easy question and it really depends. In some organizations, the CIO and CISO may own and sign off on all technology-related risks surfaced from different teams and have to approve policy exceptions. In some organizations, the risk is transferred to a senior leader responsible for the part of the organization where the risk originates. In other organizations, the risk is owned by the team closest to where it originated so they can make the decisions with the highest fidelity data.
None of these ownership models are right or wrong, but they all have their benefits and drawbacks. And this whole issue is complicated when we take into consideration that different fields measure, report, and communicate risk very differently. This is true of course even within the cybersecurity field.
How This Relates to You
One of the first things to understand is that you may not actually have an immediate say in how this works if your organization has an existing risk management function. However, whether this is in place or not, you should endeavor to better understand the ownership dynamics that exist whether they are official or not because ownership dynamics will drive behavior. As security leaders, our jobs are to enable our organizations to achieve their mission and do it safely.
As a CISO, understanding and applying the principles of ownership can also let you empower teams to make better decisions and move faster. If your organization is one that prefers to centralize ownership and approval of risk, delegating that responsibility down to others can remove tremendous friction, especially in a dynamic and fast-moving space like information technology.
Ownership does not have to be and shouldn’t be static. Experiment with different approaches to get the outcomes you are seeking, whether they are speed, empowerment, safety, or managing the lowest operating risk.