This is a great analogy for what I still see taking place in many organizations -- the CISO signing off on policy exceptions and risk acceptances. As Jack (the other Jack) points out in his article, this is inappropriate and problematic for many reasons. When I was a CISO I changed the process such that my signature on these types of documents was an attestation that the business executive who was accepting risk had been provided an accurate description of the risk they were accepting and the alternatives they had before them. Their signature documented their accountability for the decision. At first this was not a popular change in the process because my business colleagues often wanted someone else's (my) head on the chopping block if things turned out badly. But they came around. The outcome was that they thought a little harder about these decisions and asked more questions. It also improved our relationship because my team wasn't viewed as an obstacle -- someone to be bullied or cajoled into signing off. We were viewed as educators, problem solvers and facilitators.
The Risk Sin Eater
Really nice analogy. I think the article captured key aspects of making risk decisions well. I would propose that one additional reason for risk sin eating remaining as a practice is rooted in the belief - by other senior executives - that delegation to the risk manager is defensible, not unlike the "advice of counsel" legal defense. I think Jack captured the outcome of this in the latter part of the article, but not the original reason. As always, I keep learning so much on this from you and others. Thank you!!!
The role of a risk professional is not to own all the risks, but to make sure all the risks are owned (by the 1st line of defense / the risk owner, because without their activities, risks wouldn't be created in the first place).
Saw this first-hand when Kim Jones changed the culture at Vantiv/Worldpay and moved the needle from risk acceptances being a rubber stamp to business/IT leaders having to go in front of Carlos Lima to explain why they needed a second renewal on a risk acceptance. It drove the business to see us as allies, not a roadblock, and to actually fix issues.
If all leaders were like Jack Jones, companies would run a lot more smoothly.
Truly appreciate a great analogy!! It has to be a team effort rather than an oversight of an individual
I remember this well. Switching from “security exception” to “risk acception” and how it changed how the other executives thought about the things they were “approving”.
Great analogy and enjoyed the linked article. The title reminded me of the season of Fargo (solid series for the most part) with the villain Ole Munch…who was a sin eater.
I love this story about the risk-sin eater, food for thought for other business risk beyond cybersecurity!
Experts need to advise, execs need to accept documented risk in line with Board risk appetite and KPIs, with an auditable trail. This process should involve a council of experts in privacy, legal, AI, security, accessibility, and more.
Yes! CISOs can advise and need to influence but cannot fundamentally own risks based upon decisions by counterparts. This is where I really like the notion of cyber and risk practitioners as trusted advisors, akin to a financial consultant. One can advise on probability and methods to achieve a goal (or protect from harm), but ultimately it’s in the hands of the individuals making investment decisions.