Risk Sign-Offs: A CISO’s Political Suit Of Armor


In the brutal world of corporate blame games, there’s no better scapegoat for a big-time data breach than a CIO or CISO. When heads roll following breach fallout, more often than not it is a tech executive’s proverbial cranium spinning for the benefit of ticked-off customers and shareholders. Look no further than Target’s former CIO Beth Jacob as a stark example of that. Jacob played the sacrificial lamb in her public resignation following Target’s massive breach. It’s a pretty familiar story for those of us who keep a close eye on the security scene.

Gartner even puts a number to it, finding that 75 percent of Chief Information Security Officers who experience publicly disclosed security breaches without having documented, tested response plans will also be canned, or invited to resign, as was likely the case for Jacob.

In many breach cases, these CIOs and CISOs did the best they could with the resources they had available to them. Tech executives tend to sleep lightly because they’re relying on quite a few forces outside of their control, be it lack of budget or lack of staff. But I might argue that many sacrificial lambs are justifiably canned. Not necessarily because of the breach per se, which is often the inevitable outcome of bad spending decisions. Instead, it is because they didn’t communicate the risk consequences of those decisions up to the people who made them.

I’m a big believer in residual risk statements and sign-offs. These statements directly tie specific budgetary decisions back to the residual risk those decisions leave on the table, and they escalate that risk using the right communication methods at the right time. They are what let CEOs, CFOs, and boards know specifically how their decision will affect the organization’s risk posture. They should be direct: ‘Here’s what the impact is going to be of cutting funding to XYZ program. Here’s the residual risk.’

And they should ask for a sign-off from someone up the food chain: ‘Given the residual risk, do you still want to make this decision?’ No matter the answer, the response to the residual risk statement should be logged and then the department moves on.

It is not up to the tech executive to assume the risk. But it is their job to connect the dots and inform people that the risk is present. Not only is this a critical step for mature, thoughtful risk management, but it is also amazing political battle armor for the beleaguered tech executive. That’s not saying that a cache of residual risk sign-offs will save your bacon following a breach. But it sure can provide important career capital during an event’s postmortem.