Enron changed the world of finance and the energy industry forever, and the early days of the Equifax hack look as though this breach could change the face of the credit industry and cybersecurity forever. That a single company could amass so much financial information on an individual and be as poorly defended as it was just emphasizes the importance of communicating security and risk effectively to your Board of Directors.
As an infosec director, I’m often asked about the biggest challenges faced by CISOs. Again and again, one key issue surfaces: the need for CISOs to deliver meaningful metrics to their Board of Directors. Boards that are not comprised of security professionals are increasingly funding new cybersecurity programs and initiatives without understanding what information they want or need. They call for metrics, and the CISO is left wondering which metrics to present that will mean something to the board.
To understand which metrics CISOs should deliver, CISOs need repeatable processes and an understanding of risk management. CISOs need to meet board members where they “live” — meaning they need to be talking about the same objectives if the metrics are to make sense.
The cyber boardroom backdrop: An evolving digital landscape
Boards want to know that the security tools they paid for are working. Unfortunately, security professionals are all too often presenting slides that show hundreds of thousands of anti-malware alerts as evidence of return on investment.
Business leaders are more interested in risks to their organizations than in fancy threat dashboards. Executives want to understand the high-impact risks and impediments that get in the way of their companies being successful. But the fancy dashboard doesn’t prove that security is actually working. It’s a “can’t see the forest for the trees” problem — that is, the flurry of alerts and the charts we make to show them may be hiding the true high-risk security impacts.
And we’re right to be concerned that we aren’t measuring the things that matter. This comes at a time when organizations are undergoing digital transformation and taking more and more of their business to the cloud or to environments they don’t completely control. Unfortunately, this transformation presents new opportunities for criminals too. The breadth of capabilities and commitment of the bad guys has changed seismically. This is tough for executives outside of the cyber world to understand. Five years ago, they signed the checks for antivirus programs and a few hundred one-time-password fobs; now their security teams are demanding sandboxing, decryption capabilities, security analysis platforms, and IPS. The threat landscape is now almost unrecognizable compared with that of yesteryear, and increasingly difficult to convey at the board level.
Boards are also affected by increased security regulations, media coverage of security breaches, and embarrassment, and even a trip before a government panel when security fails. Board executives want to protect not only the reputation of their companies but also their own personal brands. No one wants to be the person at the helm of a company that has been breached. Our job as security leaders is to make the C-suite feel prepared and briefed on the threats that can impact their organizations — and we need to do so in a way that avoids esoteric geek-speak and is centered around risks.
Getting a foot in the (boardroom) door: Start with the context
So, your board has asked you to update them on the organization’s security risks. What can you tell them that’s relevant to their viewpoints, and isn’t mired in geek-speak?
Start at the top. What are your company's strategic objectives? Is cost saving a priority? (Probably yes.)
Has customer confidence been hit recently due to bad press? Are particular regions under-performing? By understanding the direction in which the company is going, you can contextualize where security can add value.
If the security function is going to become an integral business unit, boards will expect proactive engagement. In some organizations, security is evolving from an isolated function into horizontal, cross-functional workforces. Security is then intrinsically embedded in all business activity, removing the reactive nature common in isolated security structures.
Executives need to see and hear where we add value. Consider telling your team that their job is to enable the business to do what it wants and needs to do, and position the security department as shifting from the “department of no” to the enablers of “no problem.” Our job is to mitigate business risk and support risk decisions, not to promise absolute security.
Through holistic security programs, we should be able to provide our businesses with tools that enable them. If the business objective is to improve customer satisfaction online, we can improve user authentication through unobtrusive multi-factor authentication. If the CIO must reduce her IT spend, we can support a move to IaaS in the public cloud through a robust security architecture that maps controls from the existing on-premise environment to the cloud. As a function, we shift to the trusted advisor and enabler. We might not quite yet be able to implement entirely frictionless security, but it's something we're getting closer to.
Only through the establishment of business-aligned security objectives can we dream of providing valuable metrics. If we fail to go through this step, we’ll be caught in the position of frantically waving around firewall logs and anti-malware reports, without giving boards any performance or risk indicators to suggest whether the situation is getting better or worse.
What are metrics for anyway?
Metrics have to be meaningful. It's not the measurements we need to get better at, it's understanding what we're measuring, why we’re measuring, and how these measurements change periodically.
A metric is used to:
Metrics should always support the strategic priorities of the organization. When they do, it shows the boards that we (the security team) and they have common interests. Done well, metrics allow us to talk the same language.
To get to know your board members, take them for a coffee
If you want to truly understand business objectives at a macro level, you need to get to know senior stakeholders and board members. A tactic that has served me well is to offer coffee (there’s always a Starbucks nearby). Invariably, people want to meet people who can make them look good across the business. As the CISO, you fit into this camp.
Let's stop referring to “the board” as some collective, inanimate object. Your board is probably made up of 6 to 10 senior executives. Each of these people has their own motivations, their own style, idiosyncrasies, and most pertinently: their own objectives, budgets, and priorities.
Risks, and therefore metrics, that resonate with one board member won't always resonate with another. While being invited to board meetings is a great way to provide an update and present findings, we need to establish relationships with individuals.
Don’t be the boy who cried wolf
If we go to our boards and blindly say, “It’s when, not if, we are compromised,” then we are letting our board and shareholders down. Any astute business person will ask, “If it isn’t going to help, then why spend money on it?” At this point, it's important to show the value that your information and cyber team brings. Can you measure what matters, and give the board an honest assessment of how well protected your most critical assets and data are? For this we need a combination of quantitative and qualitative metrics that demonstrate value, risk mitigation, and due diligence.
In the next article, we’ll talk about a structured methodology for explaining what’s important to the business, and how to make sure that boards understand where the risks are.