Information Risk Management

How CISOs Can Build a True Risk Management Function

The New Reality of Information Risk

Data breaches and other information and technology incidents can cost upwards of a billion dollars, cause substantial damage to companies' reputation and brand, and cost executives their jobs.

With the rise of these information risks, the opportunities for Chief Information Security Officers (CISOs) have changed dramatically. Information Security budget and headcount have increased more than 200% in the last four years. And the need for security is clear to business leaders – even up to boards of directors – who are now on notice that they have a fiduciary responsibility to manage information risk.

True Risk Management

Increased information risk and increased focus on risk management raise the stakes for managing risk correctly. Information Security professionals often interpret "risk management" to mean "while risk can never be reduced to zero, our job is to reduce risk as much as possible." However, burdensome policies or controls can slow businesses down, and excessive risk aversion can lead to poor strategic decisions.

True risk management means understanding that there is a correct level of risk, neither too high nor too low. Enterprises must ensure that risk decisions balance risk levels against the cost of risk reduction and the business benefits at stake.

From Risk Reduction to Better Risk Decisions

To build a true risk management function that drives good risk decisions, CISOs must:

  1. Create a Business-Relevant Risk Management Framework: Ensure risk assessments are relevant by working top-down from business risks, rather than bottom-up from technical vulnerabilities.
  2. Define and Socialize Decision Rights: Identify the true owners of risk by mapping the types and sizes of risk to named roles in the organization who can – and must – take accountability for risk acceptance.
  3. Align to the Business’s Risk Appetite: Align to risk appetite, and support business partners in applying risk appetite to decision making.
  4. Formalize Interfaces with Other Risk Management Functions: Join forces with Legal, Compliance, Privacy, and other second-line-of-defense functions to present a single, simplified face to the business.

A New Approach

Adopting True Risk Management is more than a mindset shift, or a matter of a few policy changes. CISOs must rethink their approach to risk management, business engagement, and staff skills.

  • Information Security shifts to facilitating risk decisions by the true owners of risk.
  • Processes for risk assessment and controls recommendations are simplified for business partner understanding and participation.
  • Information Security expands engagement beyond IT and becomes embedded in business operations.
  • Security staff expand beyond technical and risk skills to include "soft" skills such as business results orientation, decision making, influencing, and organizational awareness.
  • The security function formalizes processes and policies with other risk management functions.

The Information Security Staff Competencies That Matter Most

Sixty-seven percent of Security employees interact with someone outside the Security function every day. The Security function is shifting to a more consultative, integrated model—one in which behavioral competencies are the most critical factor in Security staff effectiveness.

The corporate athlete is a Security employee who can run fast, jump high; who is good at a variety of business functions and also has strong security expertise.

Tony Spinelli
Former Senior Vice President, Chief Security Officer
Equifax, Inc.

Meet the Experts

Meet the team behind our Information Risk Management insights.

Jeremy Bergsman

IT Practice Leader, CEB Information Risk Leadership Council and CEB Enterprise Architecture Leadership Council


Andrew Horne

IT Practice Leader, CEB CIO Leadership Council


Mark Tonsetic

IT Practice Leader, CEB Infrastructure and Applications Leadership Council


Information Risk Leadership Council

CEB Information Risk Leadership Council is a research service equipping security leaders with proven data, insights, and implementation tools. Curated member practices are informed by CEB’s ‘demand-side’ expertise and rigorously validated as best in class. Key benefits include:

  • Peer Benchmarks
  • Daily Security Briefing
  • Case Studies & Decision Frameworks
  • Implementation Toolkits
  • Executive Meetings
  • Advisory Services

[A lot of what] the big management consultancy companies tell you is based on guidance in terms of previous or historical experience. However, the insights from CEB look at what's happening now or in the near future—that's how CEB differs from other organizations.

David Robertson
Information Services Risk Authority

CISO Coalition™

CISO Coalition is an expert network of security leaders creating and refining approaches to information risk management. Direct collaboration allows rapid response to new and ongoing challenges where consultants do not have dynamic solutions. Key benefits include:

  • Pickup teams that collaborate on specific emerging threats
  • Weekly Help Desk
  • Daily Security Briefing
  • Peer-led webinars

CISO Coalition gave me a strong sense of community. We had an attack this year and reached out to our contact at CISO Coalition. Within five hours, 14 CISOs offered their guidance and their teams’ direct assistance to help.

Catharina “Dd” Budiharto
Director, Information Security
Chicago Bridge & Iron Company

CEB Cybersecurity

An intense 12-week online development program teaches your risk managers, cybersecurity professionals, and teams what it means to think and act as a cybersecurity leader. This collaborative readiness program is led by Fortune 500 CISOs and peers who deliver their proven frameworks and insights on how to lead and secure a network and an organization—protecting data assets and the enterprise brand.

Decision-Making Tools

Information Security Strategy on a Page

How to communicate a clear, concise, and measurable strategy for the Information Security function

Case Studies

Defining Ownership of Risk Decisions

How Air Products built a framework to identify the true owners of risk to speed and improve decision quality.
Five Principles of Cybersecurity Board Presentations

Considerations and tips for presenting to the board of directors and senior leaders about cybersecurity

Case Studies

Business-Driven Risk and Control Framework

TD Bank's end-to-end risk and control framework greatly reduced the level of effort required to complete risk assessments.

Driving Engagement Skills Down the Organization

Equifax drove higher performance and innovation levels by developing security skills throughout the Information Security function.

Success Stories

Phil Lucas
Head of IS Risk Management,
ABB Asea Brown Boveri Ltd.

ABB uses CEB to affirm strategic direction and stimulate cross-functional discussion.

Chris Seller
Head of Enterprise Infrastructure,
Westpac Banking

Westpac uses CEB to help make infrastructure decisions and mitigate risk.

Featured Press

Don’t Let Hackers Hold Your Business To Ransom

Ransomware is just one example of the advanced, persistent cyber-threats that firms face. Here are four steps to reduce the threat ransomware poses to firms.

Addressing The Runaway Demand For Information Security

With organizations going through digital transformation, IT leaders must fundamentally change how information security services are delivered.

Security Talent Management for the Digitization Era

Three key shifts information security leaders must make to successfully compete for, hire, and manage the best talent for the digital era.

Security professionals at some of the largest organizations in the world have largely failed to capitalize on our combined knowledge to protect our respective environments. The CISO Coalition facilitates this very process in an organized and effective way.

Marc Varner
Global CISO
