I believe this to be a combined effort between the system owner, CIO and Board/CEO. The system owner should always try to secure a system with the best available tools; however, resources and budget might change the availability of these tools.
It is like asking how much insurance you need. It really is a call by the CEO and/or the board. The system owner/CIO/CIRO can only recommend.
Depends on the risk. As with expenses, anyone beyond the CEO / Board has a level of risk they are willing to take on in their role. Once that level is defined, their job is to deliver the best approach. I personally try to insulate the company from any risk where I can either solve it through negotiation in the contract, or by providing an alternative up front. If I can’t see the way out clearly, I escalate and recommend.
It depends on the criticality of the system and the risk associated with it getting compromised. Generally, mature organizations have some assessment matrix that helps quantify the risk, and based on the severity it could be a simple decision by the CIO or a compound decision by the CIO/CISO and CEO. The end game is about risk mitigation and protecting company assets.
Corporate risk appetite is set by the board. The CIO sets the guidelines for risk mitigations, and the CISO will oversee the solution implemented to mitigate risk for individual systems.
This is a decision made by the business leadership (CEO, Board) based on feedback and guidance from the CISO. The cost of security is weighed against the potential cost of an incident and a business decision is made. From what I have seen in recent large-scale incidents, the cost of potential incidents may be perceived as a cost of doing business and built into the pricing of the product or service. Take the Equifax breach. Huge in number and impact to consumers but little or no impact to Equifax. I can cite many more examples like Target. I know this opinion is not popular.
I like what the others are saying; ultimate risk decisions belong to the Board, informed by the CISO and application owners. What's critical to examine are implicit risk decisions made by system owners, network resources, et al. who (innocently enough) choose to open a port, add a service, skip a patch, etc. - effectively making liberal risk decisions for the company without adequate oversight.
It's strange how the posts mostly say this is a board/CEO decision, but the survey clicks point to the CISO or CIO.
We set ownership of risk as a combo of the CISO and the business owner. The CISO is the one who gets the call if there is an incident. The business owner gets asked the questions of why they prioritized the risk in a certain way and is responsible financially.
Organizations are beginning to add a Chief Risk Officer to look at how best to manage risks.
Not all organizations have a Chief Security Officer. In the absence of a CISO, normally it is a joint decision between the CEO, CIO and probably an external security consulting organization.
I think it depends on what the system is used for and what data it houses. If this is critical data to the organization or SPI data, then I believe the CISO will make a recommendation to the CEO, who can then either decide or seek advice from the Board. Securing your systems and data is so critical, and one mistake can cost your company business or reputation, or put you out of business.
I would add that the business owner has to be involved in this decision, because the cost of protection (controls) could be very expensive and may outweigh the benefits derived from that protection. In non-governmental organizations, you can't run a system (business) at a loss as a result of the cost of security controls. The risk acceptance or risk tolerance must be considered, and this involves the CISO (or security folks), CIO, CEO and the Board, depending on how critical the system is and the impact to the organization. When taking risk, it must be thought out properly and involve the folks with the proper knowledge.