What, then, is the best way for today's CSOs and CISOs to move forward?
There is plenty of advice on that front. Several ERM frameworks offer detailed instructions on the process of implementing successful risk management. But experts like Cowperthwaite advise being wary of the frameworks, arguing that they are mainly about compliance with regulations.
Compliance goals are worthwhile, he says, as part of due diligence and accepted practice, "but that's not real risk management."
"A risk-based program should fundamentally ask itself, 'What things pose a threat that I'm vulnerable to, and how will I solve it so I reduce my vulnerability or the threat?'"
As an example, he notes that a given person could be killed by someone with a gun. Compliance might dictate that he wear a bulletproof vest. By contrast, a risk-management approach would ask if there is somebody who is a threat to that person, who owns a gun and doesn't like him.
"There are lots of ways to deal with that," he said. "You could take the gun away, wear a vest, or not go out in public. But we're only going to solve the problem if we think of both the vulnerability and the threat."
Stiennon argues that the job of the CSO is not so much to evaluate risk as it is to practice threat management, which he says means, "Look at that attack surface from the perspective of the attacker. First, his targeting and valuation of assets may well be completely different than the valuations of the defender.
"Second, the attacker is not perturbed by perfectly patched systems. He either uses a zero-day vulnerability that cannot be known or protected against, or he targets the individuals that have access to the target data and uses their authenticated, authorized access to steal what he is after."
The way to do that, he said, is to use published reports and information-sharing teams to "get a step ahead of the attackers by researching their methods and targets. Assign responsibility to a team to thwart targeted attacks. Do this outside the risk-management team."
Cianfrocca said he sees reason for optimism.
"Some industries - large manufacturing, military and critical infrastructure - are becoming aware that their existing practices are not good enough," he said.
"It's fascinating to me that the urgency is very high. It's like seeing elephants dancing."