Develop your strategic thinking and governance capabilities. Evaluate business context to make executive-level information security decisions.
You are the Chief Information Security Officer (CISO) for Aegis Global Supply, a multinational logistics corporation. The company is aggressively launching a new, highly experimental "Automated Drone Delivery" division to compete in the last-mile delivery sector.
This new division utilizes untested IoT infrastructure and relies heavily on high-speed, edge-computing networks. The security engineering team has raised extreme concerns about the vulnerabilities in the proposed architecture, arguing it should be locked down entirely.
Business Objective: Launch the drone delivery service in three major metropolitan markets by Q4 to capture a 20% market share.
Strategic Tension: Strict security controls (encryption overhead, rigid authentication delays) will increase delivery times, destroying the competitive advantage of the drone service. However, a hijacked drone fleet could result in catastrophic liability.
Decision Constraint: Before you design the security architecture, you need to establish exactly how much risk the organization is willing to embrace to achieve these aggressive revenue targets.
You are in a governance committee meeting. The Security Architecture lead insists that "Security must set a zero-tolerance policy for drone network intrusion." You intervene, explaining that Security does not own the risk—the business does.
To properly calibrate your security strategy, you must identify which organizational entity is actually responsible for defining the risk appetite required to meet these strategic objectives.
Risk appetite is typically determined by which of the following organizational functions?
A frequent failure in corporate governance is allowing the Security or IT departments to dictate risk appetite. When Security sets the appetite, the default is almost always extreme risk aversion, which can stifle innovation and prevent the business from achieving its growth objectives (e.g., launching the drone fleet).
Security aims to protect assets; the business aims to generate value. Generating value inherently requires taking risks. The CCISO framework emphasizes that risk is a business issue, not just an IT issue. Therefore, the people responsible for generating the value must define the level of risk they are willing to stomach to do so.
If the Business Unit launching the drone fleet requires a high risk appetite to achieve speed-to-market, the CISO's job is not to say "no," but to design compensating controls that keep the residual risk within the boundaries of that stated appetite.
Business units determine the risk appetite because they are the risk owners. They manage the day-to-day operations, own the P&L (Profit & Loss), and define the strategic goals. They must determine what level of risk is acceptable to hit their operational targets. (Note: While the Board of Directors ultimately *approves* the enterprise-wide risk appetite statement, the functional determination and definition of operational risk appetite are driven by the business unit leaders/executive management).
B. Board of Directors: The Board's role is oversight and approval, not operational determination. They review the appetite proposed by management/business units to ensure it aligns with overarching shareholder interests, but they do not determine the ground-level risk required for specific business functions.
C. Audit and compliance: This is the "third line of defense." Audit provides independent assurance that risk is being managed according to the appetite. If Audit determined the appetite, it would violate segregation of duties.
D. Security: Security is an advisory and operational function (the second line of defense). Security measures risk and implements controls, but it does not own the risk or determine the business's appetite for it.