
CTO takes on cyberthreats with hybrid security built on risk profiling

A hybrid security defense begins by ranking potential risks by likelihood and impact, then hiring experts to shore up defenses.

When it comes to cybersecurity, an IT leader appears to have only three choices:


Become an expert. As cybersecurity experts, we can evaluate our security configurations, policies, practices and technologies, and know that we have mastered all potential threats. Doing this, however, requires that we spend enough time retaining and growing our expertise that this, potentially, becomes our only role.

Hire an expert. The outside expert can evaluate our configurations, policies, practices and technologies, and know that we are ready for all potential threats. This choice also gives us the option, in the event of a breach, of firing the expert who somehow allowed the breach. Of course, this person also has to keep abreast of the latest technologies, threats and policies. For many of us, our budgets might not be big enough to hire such expertise.

Rely on experts. In this choice, we choose the right experts and turn our cybersecurity over to them. This choice still gives us the option of having someone to fire if things do not go well. If we choose the right security providers, they will stay current on threats, remediation and technologies. But we are entirely dependent on them.


There is another choice, however -- something of a hybrid security approach. In this approach, we rely on experts, but also ourselves. At some level, we should be defining and implementing best practices and policies. We then can supplement those with a reliance on the expertise of others. In our roles, we need to be familiar enough with those best practices that we can recognize their absence in what we do and in the expertise we hire.

Security risk assessment profiling

In one case, I took on a new role and needed to take a hard look at our security technologies, policies and processes. I am not an expert, but I do know that the starting point for anything related to security is a risk assessment. Before we selected and implemented technologies, processes and policies, we defined and profiled our risks. I used likelihood and impact as the dimensions of my security risk assessment.

We brainstormed all of the potential risks (a hack, a virus, an employee setting up a server outside the firewall and others), then assessed both the likelihood and the impact of each potential risk. The combination of likelihood and impact determined the overall risk. We then put plans into place that mitigated the higher-level risks. Some of these plans relied on others' expertise. For example, I am not inclined to build my own antivirus system. For that, I rely on the expertise of others. I do the same for other parts of my risk mitigation plan. The security risk assessment helped us decide whether we had the expertise we needed to mitigate each risk or needed to bring in outside expertise.

At the end of the entire process, we had a good, hybrid security approach that gave us the appropriate level of coverage -- based on our risk profile.


As IT leaders, our role is to lead this process. That does not mean we have to be experts, but we do have to know enough to lead our teams to sound policies, practices and technologies. Where do we get such knowledge? I have found it useful to attend an occasional cybersecurity conference. The goal of the conference will be to frighten you, but it is still worth attending to see how the risks are changing. I also like to regularly do a cybersecurity project -- either by conforming to a standard or regulation or by meeting a customer's request. This gives the entire team the opportunity to think through, again, the risk profile and mitigation plans, and learn about the changing landscape of cybersecurity.

About the author:
Niel Nickolaisen is CTO at O.C. Tanner Co., a Salt Lake City-based human resources consulting company that designs and implements employee recognition programs. A frequent writer and speaker on transforming IT and IT leadership, Niel holds an M.S. degree in engineering from MIT, as well as an MBA degree and a B.S. degree in physics from Utah State University. You can contact Niel at
