Owning cyber risk

Some time ago I got talking to a colleague about “ownership” of risks. Now I don’t like the idea of a risk as a tangible thing that can be counted as a single item, but it’s true that any software system has problems which could do with being addressed, and some of these are what some people call “cyber risk”. That is, the kind of thing that might damage our information systems or the data they hold.

Traditionally, once we’ve listed these intangible things, an “owner” is allocated. Who should that be?

Well, it depends on what the responsibilities of an owner are. If it’s about understanding it, then a technical person would probably be good. But if ownership is about getting it fixed, who then?

In digital product organisations it’s often not the technical people who decide priorities—that’s often a product manager. If we’re talking about really big issues, priorities sit with a department head or board director.

It might seem odd for such a person to own something “cyber” like a distributed denial of service attack, or two-factor authentication, but we should remember why we’re worried about these things. It’s because they may compromise our business or our business goals. And all kinds of other worries impact that, too—hiring too quickly (or too slowly), launching a product late, not having the right features, a poor culture that punishes those who question authority, and so on. And when we consider all those things we have to think about trade-offs.

So if ownership is about “getting it done” then perhaps it’s best owned by whoever oversees those trade-offs. That person should be aware of those “cyber” concerns as well as organisational, financial and other concerns. It’s a balancing act.

That’s why, if those concerns sit at the product level, it’s the priority call of a product manager. If they sit at the department level, it’s a department head. And so on.

These kinds of technical issues are most deeply understood by technical experts. But the technical experts have a responsibility to explain them to those who make trade-offs on the priorities. And then those people need to make what is, in the end, a business decision.

