ISACA Journal
Volume 2, 2016


Information Security Matters: Weary Willie’s Guide to Cyberrisk Management 

Steven J. Ross, CISA, CISSP, MBCP 

ISACA Journal Volume 2 Podcast: Weary Willie’s Guide to Cyberrisk Management

Clowning is almost dead as an art form.1 But when I was a kid, there was one clown in particular known and loved by all: Emmett Kelly.2 He played a sad-faced, down-and-outer called Weary Willie who tugged at our heartstrings while making us laugh. His most famous act concerned a spotlight. It would follow him wherever he went and he could not shake it. Willie came up with an idea: He would make it smaller and smaller, but then it would suddenly get larger and stickier. Finally he was able to make it small enough that he could hide it under a carpet.

Looking at Emmett Kelly’s shtick after all these years made me think about cybersecurity. Now, the mind works in curious ways, and mine more so than most. I am probably the only one who sees cybersecurity in a clown’s act. What Weary Willie was telling me is that if we cannot eliminate a problem, we should make it small enough that it becomes manageable.

As long as terror, crime and general malice exist, there are going to be bad people doing bad things. We security professionals are not going to be able to counter every threat to information all the time. But that does not stop us from trying, sometimes one step ahead of the bad guys, sometimes two behind. It certainly seems that current events have us a few steps back. Like Willie, we are stuck with a problem that just seems to get bigger and that cannot be shed.

We need to make cyberrisk more manageable in our personal lives, in our businesses and in society at large. We security professionals cannot do it all ourselves. Unlike Willie, we need some help. Let us consider some of the members of the team who have to work together to contain the problem.

Weary Willie’s Team

If we want to manage risk, we are in the domain of the risk manager, a statement that is both a bit self-referential and a bit problematic. Some risk managers are senior executives who address all potential sources of harm across an enterprise; others are little more than insurance buyers. A true manager of risk should consider every aspect of the threat that cyberattacks pose to an organization, devise approaches to transfer and control the hazards, and accept the remainder in an informed manner.

There is a vibrant market for cyberinsurance, although it has not reached anything near maturity. According to Statista, an industry statistics organization, 48 percent of worldwide companies carried insurance against data breaches in 2014, down from 54 percent the year before.3 This may reflect growing wariness about the inclusions and exclusions available in commercial coverage. As for controlling the risk, there is little the risk manager can do except turn to IT for solutions.

The chief information officer (CIO) is an obvious member of Willie’s team. Some contend that dealing with the threat of cyberattacks empowers a CIO.4 But in conversations I have had with CIOs in recent months, there is more of a sense of frustration. As the subject has received increased attention, especially at the board level,5 cybersecurity is consuming a greater proportion of CIOs’ time and attention. There is an attendant concern that other aspects of their jobs are suffering correspondingly. Improved service, new applications and cost reduction are usually the measures of CIOs’ performance, and some are worried that these are being overlooked.

In most cases, information security falls under a CIO, but there are some who see this as a conflict of interest. In the battle for budget, cybersecurity seems to some CIOs to overwhelm everything else.6 For most informed observers, the chief information security officer (CISO) is the leader in the fight against cyberattacks. In fact, one study indicates that the appointment of a CISO is a major factor in limiting the cost of data breaches.7 Rather than a conflict of interest, I see a partnership between a CISO and a CIO in managing cyberrisk. However, it is an unequal partnership, in that a CIO usually controls the budget and, therefore, the resources available to a CISO.

Managing Cyberrisk

These and other members of Willie’s team share the responsibility for making cyberthreats manageable. What would manageable cyberrisk look like?

Trusted images of all software would be regularly updated and stored in such a manner that they are not externally accessible, so that an attacker who compromises production systems cannot also alter the copies used to rebuild them. There would be a cadre of specialists analyzing system data from across an enterprise and monitoring those systems for cyberattacks. These same specialists would drill routinely in validating the trusted images (checking each against a known-good digest or signature kept apart from the images themselves) and in recovering software and data as quickly as possible.8
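The column does not say what "validating the trusted images" consists of. As an added example (my own, not code from the article or from any product it mentions), the following Python drill builds a digest manifest for a set of stored images, protects the manifest with an HMAC whose key is held apart from the image store, and shows the check catching both a replaced image and a manifest that an intruder edited to match. The image names, their contents, the temporary directory and the key are all constructed for the demonstration; the choice of HMAC over a digital signature is an assumption made to keep the example to the standard library.

```python
"""Trusted-image validation drill: build a digest manifest for stored
software images, protect the manifest with an HMAC whose key is held
apart from the images, and verify the images before a rebuild.

Everything here is a constructed example (temporary directory, sample
image bytes, demo key); nothing is taken from a real deployment."""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """SHA-256 hex digest of a file, read in chunks so large images fit."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def _manifest_mac(images: dict, key: bytes) -> str:
    # Canonical JSON so the MAC does not depend on dict ordering or whitespace.
    canonical = json.dumps(images, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def build_manifest(image_dir: Path, key: bytes) -> dict:
    """Record a digest for every image file and MAC the whole list."""
    images = {p.name: sha256_file(p) for p in sorted(image_dir.iterdir()) if p.is_file()}
    return {"images": images, "mac": _manifest_mac(images, key)}


def verify_manifest(image_dir: Path, manifest: dict, key: bytes):
    """Return (ok, problems). The MAC is checked first: a manifest that an
    intruder could edit would otherwise 'validate' any image they planted."""
    if not hmac.compare_digest(_manifest_mac(manifest["images"], key), manifest["mac"]):
        return False, ["manifest MAC mismatch"]
    problems = []
    for name, digest in sorted(manifest["images"].items()):
        path = image_dir / name
        if not path.is_file():
            problems.append(f"missing: {name}")
        elif not hmac.compare_digest(sha256_file(path), digest):
            problems.append(f"digest mismatch: {name}")
    listed = set(manifest["images"])
    for p in sorted(image_dir.iterdir()):
        if p.is_file() and p.name not in listed:
            problems.append(f"unlisted: {p.name}")  # a file nobody approved
    return not problems, problems


def drill() -> dict:
    """Run the validation drill against constructed images; return each outcome."""
    key = b"constructed demo key - in practice held in an HSM or offline store"
    with tempfile.TemporaryDirectory() as tmp:
        image_dir = Path(tmp)
        (image_dir / "web-tier.img").write_bytes(b"constructed web tier image\n")
        (image_dir / "db-tier.img").write_bytes(b"constructed database image\n")
        manifest = build_manifest(image_dir, key)
        clean = verify_manifest(image_dir, manifest, key)

        # An intruder with write access to the image store replaces one image.
        (image_dir / "web-tier.img").write_bytes(b"backdoored web tier image\n")
        tampered_image = verify_manifest(image_dir, manifest, key)

        # The intruder also edits the manifest entry to match, but lacks the key
        # to recompute the MAC, so the edited manifest is rejected outright.
        forged = json.loads(json.dumps(manifest))
        forged["images"]["web-tier.img"] = sha256_file(image_dir / "web-tier.img")
        forged_manifest = verify_manifest(image_dir, forged, key)
    return {"clean": clean, "tampered_image": tampered_image, "forged_manifest": forged_manifest}


if __name__ == "__main__":
    for case, (ok, problems) in drill().items():
        print(f"{case}: {'OK' if ok else 'FAIL'} {problems}")
```

The point of the drill is the order of checks: the list of approved digests is only worth consulting if the list itself cannot have been altered, which is why the MAC is verified before any image is hashed and why the key must live somewhere the image store's administrators cannot reach. In a real program the manifest would be signed with an offline key rather than a shared HMAC secret, so that the machines doing the verification hold nothing that could forge a new manifest.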

Most important, they would manage the business impact of cyberattacks. Widespread encryption would limit the risk of information theft, provided the keys are held apart from the data they protect. A cyberrecovery plan9 would speed the return to normal operations following an attack that manipulated or destroyed systems and information.

Therein lies the axis around which cyberrisk management must spin. If the risk is to be made manageable, organizations must determine how much harm, financial and otherwise, they can tolerate from cybercriminals, governments and terrorists. Zero is not a meaningful answer. As with other threats, total elimination is neither affordable nor attainable. A risk manager can lead the effort to determine a reasonable level, which will require a CIO and a CISO to determine the cost of implementing the necessary solutions. (Of course, this is an iterative process. If the cost is too high, risk management must reconsider its definition of tolerability. There is nothing new or “cyber” about this process.)

Judging by the products available in the marketplace to deal with cybersecurity, interest in prevention and detection far outstrips interest in recovery. If the threat of cyberattacks is to become more manageable, recoverability will need to be more central to the overall program. That was not a part of Weary Willie’s approach, and this is where Willie and I part company. He swept it under the rug. I prefer to recognize the magnitude of the problem, accept it and manage it.

Author’s Note

I encourage you and all readers to provide feedback. Please visit my article online, use the comments section, and I will respond to you there. Let us keep the discussion going!


1 Sager, M.; “The Life of a Clown,” Esquire, June/July 2015.
2 This article will make more sense and be a lot more enjoyable if you take a look at
3 Statista, Statistics and Facts on Cyber Insurance.
4 Deloitte Australia, “Cyber Security, Empowering the CIO,” 2014.
5 ISACA, Cybersecurity: What the Board of Directors Needs to Ask, USA, 2014. There is a great deal of attention being given to the role of a Board of Directors (BoD) in cybersecurity. I am of the somewhat contrarian point of view that a BoD should accept the reality of the risk, fund the solutions and get out of the specialists’ way.
6 Stanganelli, J.; “Cyber Security And The CIO: Changing The Conversation,” Information Week, 2 June 2015.
7 Ponemon Institute, 2015 Cost of Data Breach Study: Global Analysis, May 2015, p. 13.
8 I have previously called these specialists CyberCERTs in an article by that name. Ross, S.; “CyberCERT,” ISACA Journal, vol. 5, 2014.
9 The US National Institute of Standards and Technology’s (NIST) Cybersecurity Framework calls for such a plan, without defining what it is or what it would contain. National Institute of Standards and Technology, Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0, USA, 2014, p. 34. See also my previous article, Ross, S.; “Frameworkers of the World, Unite Part 2,” ISACA Journal, vol. 3, 2015.

Steven J. Ross, CISA, CISSP, MBCP, is executive principal of Risk Masters International LLC. Ross has been writing one of the Journal’s most popular columns since 1998. He can be reached at



Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and from opinions endorsed by authors’ employers or the editors of the Journal. The ISACA Journal does not attest to the originality of authors’ content.