Written by Tomas Honzak
For those of us in the information security sphere, potential breaches and new regulations like GDPR are always top of mind, as are ways to continuously improve the security measures our companies already have in place. But outside the realm of security, the rest of the business operates fairly independently, and it can be challenging to help our colleagues—most of whom don’t (and shouldn’t!) spend all day thinking about security threats—understand the security risks and how to mitigate them.
Kevin Townsend recently wrote about the need to address the gap that exists between security teams and the rest of the business, and how CISOs are always striving to balance cybersecurity metrics with business needs. In particular, he cited a recent survey by security firm Varonis that found that the business and their security teams are not fully aligned.
I often get questions about this lack of alignment. How do you talk to the business about security in a way that makes sense to them? Typically, metrics are suggested as a way to present information in a clear, easy-to-understand manner, and they can be a great option for CISOs looking to get their point across. However, I find there are two primary challenges with this approach.
1. Get the Right Data to the Right Audience at the Right Time
The first challenge is that while the security team consists of security experts, they are not also experts in every part of the business. They may not know which security metrics would be most beneficial for a particular business function to see, or they may not know the best way to present the metrics they have identified. Maybe a CFO is more interested in metrics about risks that could directly impact the bottom line starting in Q1 next year. Or maybe the marketing team is more interested in metrics that highlight risks to personal data, a leak of which could damage the company’s reputation. An experienced CISO is well aware of this; however, it can be hard to make the right messages visible within the vast amount of global security metrics.
One way to address this challenge is to introduce a platform that can do all of this for them — collect data on individual metrics, analyze it, and distribute the results via reports which are customized for the recipient. Products like this remove much of the burden of metric translation and distribution from CISOs, who are then free to focus on alignment around the security risks with their business counterparts instead of on analyzing and building custom reports.
2. Security teams need to avoid making colleagues “burned out” on security topics
Second, CISOs should strive to keep security updates relevant and timely, so metrics presentations and reports should be delivered sparingly. Unless there is a critical issue or a significant business transformation, an annual presentation of the key trends, the evolution of the threat landscape, and the strategic security plans is all that the board should be receiving from security.
Many of my fellow CISOs feel that the board needs to receive security metrics often enough to show trends and keep security top of mind, but my main concern is fatigue. The board needs to be steering the company, not reviewing operational reports. Ideally, if all is going as it should, there should be very little in the way of security updates. If I am constantly giving presentations or updates that only reinforce messages the business has already heard, and there is no call for action at the board level, then I may be less likely to be taken seriously when I do need something. In the end, the risk of not getting immediate attention when I do need it could have grave consequences.
However, it was clear to me from the conversations with my fellow CISOs that decisions in this area really vary. What is necessary or best practice will depend on the sector, company size, maturity of security in the company, and a number of other factors. What is important is finding and using metrics that not only speak clearly to the recipient but, more importantly, are relevant and actionable. Only then do the security KPIs support proper alignment between security and the business to minimize risk for the long term.