Welcome back to my blog series, the CISO’s View. We started with CISO’s View: Metrics, Part 1, looking at metrics and why they are the foundation of a successful security program. In CISO’s View: Metrics Part 2, we figured out how to create metrics that are tied to the company strategy and show the value the security program delivers. Today, we’ll look at how we leverage metrics to effectively communicate to the business and how they tie into the security program lifecycle. Hopefully, by the time we are done, you too will agree that metrics are the foundation of a successful security program that is viewed as a strategic business enabler.
Glad that you’ve made it this far. We’ve spent two articles on the details of how to generate metrics without covering how it all comes together into something we can use.
Welcome to the joys of reporting.
- Every executive wants to understand how their business is performing, identify hot spots, problem areas, and emerging opportunities – and they want to do it right now without endless status update meetings or annual reporting.
- All directors and managers want to know how their area is performing and what they can do to improve the value they deliver.
- Every IT cost center wants to communicate the technical performance issues the applications and processes are experiencing in a way that can show why the business should take action.
- Security wants to show the value of all the work they do day to day ensuring nothing bad happens.
This is the value of a Single View into the Business Execution that allows anyone to either drill down from strategic execution performance to the underlying cause or allows the IT operator to follow the chain upwards from the IT issue they are experiencing to explain the business impact if the issue isn’t resolved.
Use Within the Security Program Lifecycle
Back at the beginning of this series, I claimed that metrics were the foundation of a successful security program. Let’s put all the pieces together and show you why by integrating our metrics platform into a successful program lifecycle.
Defending the Program
Unless you’re one of the lucky few, you’ve probably inherited an existing security program with investments in security tools and a reputation within the organization. The program was either well managed or you’ve just inherited a mess. Regardless, your first job is to justify your program’s existence and budget. A well-run business manages its limited resources to ensure they are delivering the maximum value to the business. This means effectively communicating the value of the investment by showing where its resources are being used and the return on that investment. This is the first step in changing the culture from one where security is viewed as something that has to exist to check the box to one where the business sees it as a strategic value worth continued investment.
Managing the Program
On a continuous basis, you need to understand how your program is performing as the threat landscape changes and other external pressures are applied to the company. You need to identify inefficiencies and issues before they can grow into major problems. As the year progresses you need to understand where you should deprecate tools that aren’t delivering value, where increased headcount can have maximum impact, where to rightsize spending on existing solutions, and where new investments can show maximum value.
Now that you’ve gotten a handle on your security program and know where to invest in growth areas, you get to play project funding – survivor island edition – where your project requests are pooled with all the other company requests and reviewed to see which lucky few get funded. If your project requests are in the form of, “you have to do this because the sky could fall,” and the rest of the requests are in the form of, “if we spend X we will see return Y,” no wonder you have a hard time getting your initiatives funded.
Time for bonus points. Instead of waiting until budget season to start justifying your existence, you’ve enabled the business with the Single View of Business Execution, so they already know the value of your program and can see for themselves the strategic value it delivers. Now, instead of needing to defend your budget, you can show which areas make sense for continued growth.
Metrics, right? I started out claiming that metrics were the foundation of a successful security program. We went into detail on how to discover the right metrics to communicate, how to measure, where to find the right data, and how to automate collection and reporting. Along the way, I’ve hopefully shown you that metrics are not just foundational to security; they are the core component of a modern, data-application-driven company.