Welcome back to my blog series, the CISO’s View. In my last article, CISO’s View: Why an integrated approach matters, I stirred up the waters a bit by stating that the CISO’s first and most fundamental job is taking all this security data (threats, vulnerabilities, policy violations) and transforming it into business language that shows the impact to the company’s top and bottom line. Of course, the two camps of “Preventative focus” and “Detective focus” both scratched their heads and went “Metrics?” Let’s dig a little deeper into what I mean by metrics as the foundational layer of a security program: the types of metrics and their respective audiences, building a metrics program, and integrating metrics into automated IT & business controls. Hopefully, by the time we are done, you too will agree that metrics are the foundation of a successful security program that is viewed as a strategic business enabler.
Why Metrics As the Foundation?
Have you ever heard or said the following?
- I can’t get the business to fund my security project.
- My security budget is too small.
- I don’t have enough people to do the work.
- The business won’t listen to security requirements.
- People just don’t get security.
Let’s face it, perception matters. As professionals working every day in the trenches attempting to protect our companies, we live with gaps in our protections and see the impact they have on the business. We can all point to the news articles of companies being breached left and right and cry “we could be next!” The problem with perception is that until that happens, the CEO and the board look back over the last 10, 20, or 30 years and know that it didn’t happen. So the perception is that we are the “one who cried wolf.” If we didn’t spend the money before and nothing happened, why should we spend money now? We’ve trained our companies to look for the big bang, while the truth of the matter is that the company whimpers over minor losses every day. The sky isn’t falling, but our company’s foundation is crumbling under our feet.
Don’t Be the One Who Cried Wolf
What do I mean by a crumbling foundation? Our companies are being attacked all day, every day in such volume that we now consider this activity to be noise we filter out so we can look for the “real” threat. Systems become infected, data is lost, performance is compromised, and people are so focused on applying patches they can’t focus on business value opportunities – these are the daily whimpers that are slowly killing our company. Yet, we don’t appropriately report the impact of this activity to drive change because we want to show we’ve prevented the “real” threats.
Noise Versus Value
If you look at the debate over “Preventative versus Detective focus” you’d think that security is only a technical issue to be addressed; that the security “threat” is something that can be solved if we’d just find and implement the right technical solution. Like other forms of business risk, crime – the core human tendency to seek out the easy path instead of the ethical one – isn’t something that can be solved, only managed. By divorcing “Cyber Security” from the other forms of business risk as somehow special and deserving of its own lexicon of terms, we’ve disconnected our activities from how we positively impact our company’s performance. This is what I meant in my last article where I said security is a cultural issue. It’s an issue of our own creation, and we have to be the ones to start the cultural change through how we communicate. The choice of the metrics we communicate to the enterprise as a whole is the foundation of this change, and it has the benefit of shifting the perception from “crying wolf” to security as a source of strategic value.
So How Do We Change?
We need to accept that our mandate isn’t one focused on finding technical solutions or “solving” the security threat, but on helping drive corporate strategy through sound risk management practices that maximize value directly tied to the enterprise top and bottom lines. Once we do this, our focus and communication strategy will shift from technical control performance to business-level performance. Our core, high-level security metrics become incorporated into the enterprise’s execution-on-strategy reporting just like every other business unit’s. The goal is a chain of metrics that starts at the specific technical control and ultimately rolls up to how it impacts enterprise execution. Once this framework is achieved, budgets are justified and right-sized based on value delivered. We shift from “It could happen to us!” towards being able to show – not tell – how if we spend X we will deliver Y value.
In part 2, we will shift from why metrics matter to how we actually create metrics aligned to the company strategy that show value delivered. In part 3, we will then tie everything together, showing how to communicate those metrics and leverage them in the lifecycle of a successful security program.