There is time between those risk management milestones. During that time, risk is in limbo. During that limbo, it’s the CISO that owns the risk. Orchestrating the transfer of risk to the appropriate risk owner is one of the most under appreciated things that a CISO does.
Here’s a hypothetical example: let’s say that there is an operating system. We’ll call it the Dominant Operating and Organizational Running System or D.O.O.R.S. for short. Let’s say D.O.O.R.S. 2004 is going end of life, end of support sometime soon. Having servers running that system represents risk to the organization once you’re past that date. The CISO is one of the champions for getting the systems upgraded.
By policy, the upgrades must take place before the end of life date, but that is not always possible. D.O.O.R.S. is not called “dominant” for nothing and it will take considerable resources to put all the different systems through change control. It may even be that some mission critical applications will not run on newer versions of D.O.O.R.S. . So, the organization may be at risk after the end of life date comes and goes. Some servers may just not be upgraded.
If you have a rigorous risk management program, the list of those servers and the applications that run on them has been presented to the appropriate stakeholders and the risk of leaving them un-upgraded for a certain amount of time has been accepted.
Two months later, after all the other serves have been upgraded, someone finds another server running D.O.O.R.S. 2004. This is new risk. The time between when that server is discovered and when it gets brought to the stakeholders for them to approve the risk is in that limbo. That time is when the CISO owns the risk even if, strictly speaking, the governance program does not allow that.
Every day, CISOs are making the call choosing between managing how those risks are accepted or jumping up and down and saying those newly discovered risks are unacceptable.
When you ask a CISO what keeps them up at night, it probably isn’t those “risks in limbo.” Still, if we seem a bit twitchy, that might be why.