Information Risk Management

How CISOs Can Build a True Risk Management Function

The New

Data breaches and other information and technology incidents can cost upwards of a billion dollars, cause substantial damage to companies' reputation and brand, and cost executives their jobs.

With the rise of these information risks, the opportunities for Chief Information Security Officers (CISOs) have changed dramatically. Information Security budget and headcount have increased more than 200% in the last four years. And the need for security is clear to business leaders – even up to boards of directors – who are now on notice that they have a fiduciary responsibility to manage information risk.

True Risk Management

True risk management means understanding that there is a correct level of risk, neither too high nor too low.

Burdensome policies or controls can slow businesses down and excessive risk aversion can lead to poor strategic decisions. Enterprises must ensure that risk decisions balance risk levels against the cost of risk reduction and the business benefits at stake.

From Risk Reduction to Better Risk Decisions

To build a true risk management function that drives good risk decisions, CISOs must:

  1. Create a Business-Relevant Risk Management Framework
  2. Define and Socialize Decision Rights
  3. Align to the Business’s Risk Appetite
  4. Formalize Interfaces with Other Risk Management Functions

A New Approach

Adopting True Risk Management is more than a matter of a few policy changes. CISOs must rethink their approach.

  • Information Security shifts to facilitating risk decisions by the true owners of risk.
  • Processes are simplified for business partner participation.
  • Information Security expands engagement beyond IT and becomes embedded in business operations.
  • Security staff expand skills to include "soft" skills, such as business results orientation and organizational awareness.
  • The security function formalizes processes with other risk management functions.

Staff Competencies That Matter Most

Sixty-seven percent of Security employees interact with someone outside the Security function every day. The Security function is shifting to a more consultative, integrated model—one in which behavioral competencies are the most critical factor in Security staff effectiveness.

The Product

Team Solutions Plus

We empower you and your team to succeed on your key initiatives and projects. All Team Solutions Plus products, available at multiple levels, offer shared access to targeted research and insights, expert research advisors and practitioner perspectives in order to:

  • Make more informed decisions
  • Work more efficiently as a team
  • Drive better business results faster

CISO Coalition™

An expert network of security leaders creating and refining approaches to information risk management. Key benefits include:

  • Pickup teams that collaborate on specific emerging threats
  • Weekly Help Desk
  • Daily Security Briefing
  • Peer-led webinars

“We had an attack this year and reached out to our contact at CISO Coalition. Within five hours, 14 CISOs offered us their guidance.”

Catharina “Dd” Budiharto
Director, Information Security
Chicago Bridge & Iron Company

Leadership Academy

An intense 12-week online development program that develops your risk managers, cybersecurity professionals, and teams, teaching them what it means to think and act as a cybersecurity leader.

This collaborative readiness program is led by Fortune 500 CISOs and peers who deliver their proven frameworks and insights on how to protect data assets and the enterprise brand.

Meet the Experts

Meet the team behind our Information Risk Management insights.

Jeremy Bergsman

IT Practice Leader


Andrew Horne

IT Practice Leader


Decision-Making Resources
Information Security Strategy on a Page

How to communicate a clear, concise, and measurable strategy for the Information Security function

Case Studies

Defining Ownership of Risk Decisions

How Air Products built a framework to identify the true owners of risk to speed and improve decision quality.
Five Principles of Cybersecurity Board Presentations

Considerations and tips for presenting to the board of directors and senior leaders about cybersecurity



Featured Press

Don’t Let Hackers Hold Your Business To Ransom

Ransomware is just one example of the advanced, persistent cyber-threats that firms face. Here are four steps to reduce the threat ransomware poses to firms.

Addressing The Runaway Demand For Information Security

With organizations going through digital transformation, IT leaders must fundamentally change how information security services are delivered.

Security Talent Management for the Digitization Era

Three key shifts information security leaders must make to successfully compete for, hire, and manage the best talent for the digital era.

“The CISO Coalition helps security professionals to capitalize on our combined knowledge to protect our respective environments.”

Marc Varner
Global CISO