CISOs today are challenged to report, measure, and demonstrate return on investment to the C-suite and board. CISOs must address these success enablers, because if they don't, they become silent killers. The lack of ability to report, measure, and demonstrate ROI has been keeping CISOs from a strong and enduring relationship with the C-suite.
The following is a high-level cycle of five success enablers. The first, if successfully set up, enables the second, and onward, with the last reinforcing the first.
1. Security Goals That Don't Resonate with the C-Suite and Board
We often hear: "Security is a journey, not a destination." That's a real problem for business executives because they're driven by results. They have a fiduciary duty to shareholders to get the most value from an investment. If CISOs have not established security goals that resonate with executives, there isn't a destination to showcase. In this way, security becomes a journey without a destination. Unfortunately, for CISOs that's often a journey to C-suite discontent and onward to a new organization.
CISOs should align their cyber resilience goals around business crown jewels. These are top-of-mind business assets that have executive and board-level significance and are clearly critical to business success. This way, it is crystal clear the value that security can provide and doesn't need to be supported with a regulatory and complex probabilistic impact argument.
2. A Strategy That Doesn't Clearly Interlink Height, Depth, and Breadth of Cyber Resilience
Most security strategies weakly establish the height, depth, and width of what we might call the "cyber resilience wall." This is an oversimplification in security terms but an easy way to connect with business leadership to agree on key concepts to frame impact control expectations and security costs.
Threat sophistication covers a full spectrum of capabilities — from accidental to nation-state. Commensurately, the sophistication necessary to counter them varies — as do the costs. Controls and control groups can calibrate costs to defend to various levels. And the CISO should be able to pitch cost levels of cyber resilience. Let's call this the height of the cyber resilience wall.
Not all security controls act in the same way. Some controls predict to help prioritize defences, prevent to stop/divert attacks, detect to alert responders, respond to handle attacks and impacts, and recovery to learn, recoup, and mitigate. Let's call this the depth of the wall.
The width of the cyber resilience wall is scope and coverage. Controls often don't have a firm grasp of scope (e.g., do I know where all the important data is?) and rarely achieve full coverage of known scope.
These three dimensions directly influence the business plan.
3. A Business Plan That Doesn't Provide the C-Suite with Clear Risk Appetite Choices
You buy "security" to protect against impact. You can do that by preventing the breach that leads to impact, or by handling the breach such that impact doesn't cross a line of "unacceptable" quantity. CISOs are poorly armed today to robustly justify the quantity of impact control that specific budgets can buy. And that's very frustrating for executives. Because there isn't a strong correlation between security investment and control of impact, it's easy to executives to cut budgets, or to under-budget, and not feel repercussions. This's why "risk appetite" has been so elusive.
4. Inconsistent SecOps KPIs, Metrics, and Reporting
Because most control leads and security frameworks largely focus on the technical side of security controls, they don't effectively run it like a business.
Consequently, security controls aren't measured to a core set of KPIs that accurately predict performance results. Security control KPIs are often inconsistently chosen and measured, and that leads to poorly calibrated, ineffective, inefficient controls, which often set a false sense of security, deliver weak cyber resilience results, and burn a lot of cash.
5. Inability to Show Results That Matter in a Convincing Manner
One of the best and clearest ways to show results is a well-structured set of red-team exercises.
Red teams can be particularly valuable because they can variably emulate threat sophistications and tactics, they can be multimodal (that is, cyber, physical, social), and be pace-throttled.
More importantly, they should aim at strategic security goals (with the ability to act variably and evaluate SecOps performance), robustly evaluate strategic priorities, and prove SecOps performance — down to the control and specific resources levels. In this way, red teams can be the objective rudder on the security program.
The Rodney Dangerfield Effect
If CISOs don't address these success enablers, they will have a difficult time propelling themselves to a position of appropriate influence or maintaining their position. They will then experience poor perception and traction, and frustration from executives. They may not receive the funding or resources they need, or executives won't be convinced they're delivering satisfactory results.
Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "10 Security 'Chestnuts' We Should Roast Over the Open Fire."