Risk Management from the CISO Perspective

One of my favorite aspects of my role as a Security Evangelist for Radware is that I get the chance to really talk with business leaders about the challenges they face every day when protecting their business. I do a lot of listening, honestly, and I get the chance to learn a lot from these conversations.

Over the past few weeks, Risk and Risk Management have been common topics of discussion. They can be challenging because every business is different and we all face different risks or threats. Some of us have regulatory or compliance controls that we must operate within, which define how we handle certain risks. Others have customers who require that we maintain certain protocols and certifications as a method of protecting their data. Still, others have no programs in place at all.

One of the tasks of the CISO is to assess cyber threats and risks to the organization and to make recommendations on how to protect against them. So what are CISOs and security leaders concerned with right now? Here’s a recap of some of the messages I’ve heard over the past two weeks.

Size and Scope Might Be Indicative of Your Risk Program

“A risk program, you say?” Not all businesses have implemented a risk program. Others live by it. One CISO described how your risk program is likely influenced by the following:

– The purpose of your business
– How many employees you have
– Whether or not you’re a public company
– How long you’ve been in business

For example, a startup may not have a strong risk practice. Perhaps they’re more likely focused on growing a business with limited means. Do they hire a CISO? Probably not immediately (if at all), but maybe their idea, technology, or other intellectual property is the crown jewel of their business. Protecting those assets may be critical to the future of the business.

On the other hand, a multinational financial company could have dozens of regional regulations with which they must comply. These companies have a much more mature risk program. In fact, many global organizations have CISOs dedicated to specific regions to assist with this complexity.

“Everything is unprecedented until it happens for the first time.”

One security leader recently referenced this quote from the movie “Sully” when discussing his risk program. While often used as inspiration, this quote is incredibly relevant in cyber security. Security practitioners share the task of keeping our companies alive, online, and safe.

I think this quote stands on its own.

[You might also like: From the Corner Office: Views from a Chief Information Security Officer]

The CEO Usually Doesn’t Want to Know the Details About Your Risk Program

The CEO wants to know how you’re dealing with risk, but they usually don’t want to know the exact details (unless maybe they need to understand or they are part of risk committees). That’s why they have you, the CISO. Instead, they need to understand how you are handling risk. Develop a clear and concise summary of your risk profile and what you are doing about it. The CEO needs to be able to tell Board members, shareholders, and customers if, how, and why you’re safe, but help him or her develop a clear way to explain your risk program.

Use Internal Auditing as a Tool

Let’s face it, nobody enjoys auditing. However, one CISO that I talked with recommends that you embrace it. It can be difficult, but if you trust the process and commit to it, an internal audit can help you reach your security goals.

For example, an internal audit can help find gaps in protections that would ultimately need to be defined as risks. From there, you can define the likelihood of the risk, the impact to the business, and finally make a recommendation to mitigate the risk. Some of this might include budget allocation, which may help you achieve other goals as well.

Telecommuting Employees Are Bad at Backups

Do you have remote employees or contractors? Do they have laptops? Are they backing up data? Several discussions focused on this topic recently, specifically because of the WannaCry outbreak. If you do have remote workers in your network, how are they backing up their laptops? Laptops are usually opened while working and closed while not, meaning the backups have to be completed while open.

If they are backing up, are they using home resources or a central corporate server/resource? If it’s the latter, are they on VPN? Residential internet links don’t always have fast uplink speeds, making remote backups a chore for the user. Even if they run during the day, with slow upload speeds, a user might notice the burden of a saturated uplink on their residential link during the backup and even perhaps abort it, or avoid it altogether.

This recipe creates two common scenarios; telecommuters who either don’t back up their data regularly or they back up to non-corporate resources. We would all agree that using non-corporate resources to store corporate data presents risk, but so does foregoing backups.

Teach Your Employees About Risk

The CISO is accountable for cyber risk, but everyone should be invested in protecting the company. The good news is that threat awareness inside of organizations seems to be increasing. However, employees must also understand why cyber threats can also threaten the business directly. From safe internet browsing to developers coding with security in mind, everyone needs to understand how their activities impact the company’s risk profile.

[You might also like: Ask Yourself: Do I Need an Emergency Response Plan? WHY?]

In the same vein, teach your employees that they need to trust you and the IT teams if something has happened. Be approachable and make sure employees understand that they can safely reach out to your team in the event of a suspected issue. We would all rather know about something immediately than finding out later, the hard way.

40% of Businesses Don’t Have an Incident Response Plan

Radware’s 2016-2017 Global Application & Network Security Report found that 40% of businesses do not have an incident response plan in place. Handling a security crisis can often come down to preparation. Even if you don’t have a security budget, you can still plan for what you will do if you encounter a security problem. Understand who needs to be notified, both internally and externally, as well as who will be involved in your response. Then practice it. Those first few minutes and hours will be critical to how you fare under duress.

Cyber Insurance Can Transfer Risk

The same report referenced above also found that 70% of businesses do not have cyber insurance. We also found that businesses tend to underestimate the cost of a cyber-event by 50%. A cyber insurance policy might be a way for you to transfer certain risks away from your organization. However, the feedback in the community is that policies vary drastically and you should have your legal team heavily involved if or when you decide on a policy.

The greatest observation from these discussions is that we all have different levels of risk tolerance. We also have different levels in maturity of our programs. But as security leaders, we understand that how we approach risk is critical to our business. Use risk assessments to help drive your security goals. Gain the attention of the senior leadership in your organization by defining risks that you face, their likelihood of occurrence, their impact to the business, and your recommendation to mitigate them.


Read the 2016–2017 Global Application & Network Security Report by Radware’s Emergency Response Team.

Download Now

Ron Winward

As a Security Evangelist at Radware, Mr. Winward is responsible for developing, managing, and increasing the company’s security business in North America. Ron’s entire career has been deeply rooted in internet and cybersecurity. For over 20 years, Ron has helped design complex solutions for carriers, enterprises, and cybersecurity providers around the world. Ron is an industry-recognized expert in the Mirai IoT botnet and its modern variants. Ron conducted the industry’s first complete analysis of the Mirai attack vectors, producing forensic examples for public distribution of each attack and the specific impact each attack had on networks. His work on IoT attack analysis has been presented at conferences worldwide and has been referenced by NIST. Prior to joining Radware, Ron was Director of Network Engineering for a global datacenter provider and ISP. In this role, Ron oversaw the growth and development of a global network infrastructure that delivered services to other ISPs, hosting providers, and enterprises around the world. During this time, Ron assisted some of the world’s top businesses in mitigating cyberattacks on their infrastructure, cultivating an extensive knowledge in DDoS attack methodologies. Ron holds a Bachelor of Science degree in Business and has earned many technical certifications throughout his engineering-focused career. Ron acutely understands the impact of technology and security on business and is enthusiastic about their interrelation.

Contact Radware Sales

Our experts will answer your questions, assess your needs, and help you understand which products are best for your business.

Already a Customer?

We’re ready to help, whether you need support, additional services, or answers to your questions about our products and solutions.

Get Answers Now from KnowledgeBase
Get Free Online Product Training
Engage with Radware Technical Support
Join the Radware Customer Program


An Online Encyclopedia Of Cyberattack and Cybersecurity Terms

What is WAF?
What is DDoS?
Bot Detection
ARP Spoofing

Get Social

Connect with experts and join the conversation about Radware technologies.

Security Research Center