How CISOs can get on top of cyber risks

The role of the Chief Information Security Officer (CISO) has never been harder as cyber attacks become ever more prevalent, sophisticated, and damaging. As a CISO, you also face growing pressure from regulators and increasing expectation to act across the C-suite, while all the time grappling with a mounting shortage of cyber security specialists.

Success depends on your ability to navigate this complex and fast-shifting landscape. Key questions for you as a CISO include: 

1Do I have a clear, Board-endorsed strategy to reduce cyber risks to agreed acceptable levels?

It’s important to ensure that there is clarity and alignment amongst the leadership on the cyber risk appetite and overall cyber strategy to achieve target risk positions. This includes having a clear, pragmatic plan to address the priority risks that sets out the major remediation activities and capability building required to increase cyber resilience. This will help build confidence, set the narrative and secure the right level of investment. You will need to work strategically across the C-suite to help break down complex topics and make them digestible and intelligible for senior executives. 

2Do we have the right cyber security operating model with clear responsibilities between risk ownership, management, and oversight of the risk management process?

There should be clear ‘lines of defence’ for cyber risk management, with ownership of the risks and operation of the associated controls being separated from risk management oversight and governance.  

This is perhaps even more important for cyber security than in other areas of non-financial risk management, given the complexity of the threat landscape and diversity of the risks, which means that it isn’t always possible to objectively measure control effectiveness. 

3Are we fostering a culture of cyber security across the organisation?

Cyber defence must not just be seen as a security or IT exercise. Encourage executive teams and Boards to lead the security culture across the organisation, emphasising their understanding, communication and action on cyber security issues to the rest of the business.

4Do I have the necessary resources, skills and capabilities to mitigate cyber threats effectively? 

It’s likely that you’ll need to invest in training and development for your cyber security teams to handle sophisticated threats and new technologies. With cyber specialists in short supply, you can consider bringing in and upskilling talent in functions such as risk or IT. To enhance understanding across business leadership, you might also consider executive-level training and awareness sessions to better equip senior leaders to have productive conversations on cyber. 

5Are we aiming to partner with or police key cyber suppliers? 

You should ensure oversight and control over your most critical third-party relationships, such as conducting risk assessments and due diligence where possible, whilst ensuring robust security protocols are in place around sharing sensitive data. But more importantly, aim to build relationships and co-ordinated rehearsed response plans so that should the worst happen, you can collaborate effectively with your partners to contain incidents quickly and restore services. 

How Berkeley can help

At Berkeley, we have experience of helping CISOs answer these questions through all stages of their cyber journey. We can help you to:

• Define your cyber strategy to set clear goals and ensure alignment with business strategy 
• Deliver your cyber transformation programme 
• Deliver cyber resilience capability uplifts in areas such as executive training, incident response preparation and business continuity planning
• Deliver specific projects in your cyber portfolio that you may be struggling with
• Rebuild and strengthen your cyber capabilities post cyber-attack
• Provide cyber assurance to meet a range of internal and external demands including Section 166 regulatory reviews 
• Engage your executive team, Board and operational stakeholders on how to manage cyber risks effectively and increase your cyber resilience.