CISO Stressbusters Post #3: 3 ways to share accountability for security risk management

Jim Eckart, former Chief Information Security Officer (CISO) of The Coca-Cola Company and current Chief Security Advisor at Microsoft shares his advice for relieving stress in today’s CISO Stressbuster post.

If you are a CISO, it can feel like the responsibility for keeping the company secure rests solely on your shoulders. This may be an attitude that’s shared by your organization or a mindset based on your own sense of duty, but either way, it can cause a tremendous amount of stress—and it may not make your organization more secure.

Although I currently work as a Chief Security Advisor at Microsoft, I’ve spent the last decade of my career as a CISO in companies like Eli Lilly and Coca-Cola. I know first-hand how stressful this role can be. Distributing accountability can alleviate some of the pressure. It can also help you bring in new ideas and build a security culture. For the third blog in the CISO stressbusters series, here are three tips for sharing security accountability within and outside your organization.

1. Establish a cyber risk management governance committee

After a series of well-published breaches at big brands, most boards and executive teams have acknowledged that a security incident isn’t just a technology risk, it’s a business risk. But often security is still treated as something that gets bolted on at the end. This can result in risky decisions that may be hard to fix later.

To effectively manage cyber risk, organizations need to evaluate the security risks of all major initiatives from the very beginning. For each project, people need to understand the risk tolerance of the company, the potential upsides of the project, and the risks in order to make smart decisions. This requires participation of business owners, security experts, and IT.

When I was hired at Coca-Cola, one of the first things I did was re-assemble the cyber risk management committee. This is a cross-functional stakeholder group responsible for making risk decisions on behalf of the entire enterprise. By including people from across the organization, we were able to align IT projects to business risk-based decisions. It took several meetings of this committee to get the business representation right and executives working effectively together, but it was worth the time. Now people across the organization have a stake in security.

2. Bring in third party expertise

One of the toughest jobs of the CISO is influencing a culture shift. Whether you’re trying to get funding for your cybersecurity strategy or convince employees not to click on links in unknown emails, you need to persuade others to take security seriously. This can be a long process that requires regular communication, but a cybersecurity consulting company can help smooth the road.

An outside consultant can bring expertise and perspective that you and your team don’t have. They also aren’t restrained by the culture and internal politics in the same way that you might be. Most importantly, a third party can help you validate ideas and provide credibility. At Coca-Cola, I hired an external firm to do a top-to-bottom, independent security assessment, whose findings they ultimately presented to our Board. This drove proper strategic alignment and funding priorities for the implementation of my cybersecurity program.

3. Join an external cybersecurity group

To stay up to date, compare notes, or get advice, it can be really valuable to talk to CISOs at other companies with similar challenges. This can be tricky when much of our work is highly confidential. I joined two groups that are governed by confidentiality agreements. The Gartner Information Risk Management Research Board is a collection of 35-40 Fortune 500 CISOs. I was also a member of the CIO Strategy Exchange (CIOSE). With these groups, I developed long-standing and highly trusted relationships with peers in companies as large as mine. 

Looking ahead

As a CISO you are under a lot of pressure. Even with a good support network, this is a stressful job. As you build and manage your security operation, look for ways to share accountability with others. It will help you sleep better at night, and it will strengthen your security culture. In the meantime, stay tuned for the next CISO Stressbuster post for more advice from others in the trenches.

Did you find these insights helpful? What would you tell your fellow CISOs about overcoming obstacles?  What works for you? Please reach out to Diana Kelley on LinkedIn if you’re interested in being interviewed for one of our upcoming posts.

For more information about Microsoft security solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.