With cyber security now a top-level issue for all organisations, ensuring board members and senior managers understand exactly what is happening is critical. Chief Information Security Officers (CISOs) must provide sufficient information to justify budgets without burying managers under mountains of unnecessary data. This can be a tricky balance to maintain.
To understand what information should be provided, CISOs need repeatable processes and an understanding of risk management. They need to know the priorities of board members and ensure they are talking about the same business objectives.
Focusing on the 'big picture'
It's easy to think a board will want to know about the hundreds of thousands of anti-malware alerts their company's security tools are generating. It's assumed this will demonstrate their value and why they were worth the cost.
However, while it's true executives want to understand the high-impact risks being faced, the existence of hundreds of thousands of alerts doesn't prove security is actually working. It becomes a "can't see the forest for the trees" problem which may actually end up hiding truly high-risk issues.
Many organisations struggle with concerns that they might not have visibility into what is really going on in their environment. As mobility and cloud drive organisations to move more of their business systems off site, the unfortunate truth is that criminals have learned to adapt to this new environment just as quickly. The breadth of capabilities and commitment of the bad guys has changed seismically.
This is tough for executives outside the cyber world to understand. Five years ago, they signed the cheques for antivirus programs and a few hundred one-time password fobs. But now their security teams are demanding sandboxing, decryption capabilities, security analysis platforms and many other capabilities. The current threat landscape is now almost unrecognisable to the board.
Begin with setting the context
When the board asks for an update on the security risks faced by the organisation, it's important to remember the overall context of what they want to know. For this reason, always start at the top by tying issues flagged to existing company strategic objectives.
Explain how security issues can have an impact on everything from operations to customer confidence. Highlight particular areas of concern and how your proposed strategy and spending can alleviate risks.
If the security function is going to become an integral business unit, boards will expect proactive engagement. In some organisations, security is evolving from an isolated function into a cross-functional, horizontal workforce. It then becomes intrinsically embedded in all business activity, removing the reactive nature common in isolated security structures.
Senior executives need to understand exactly where the security team is adding value. It's important to position it as a department of “no problem” rather than a department of “no way”. It must be seen as supporting business objectives rather than creating roadblocks.
For example, if the business objective is to improve customer satisfaction online, the security team can improve user authentication through unobtrusive, multi-factor authentication. If the CIO must reduce IT spend, the team can support a move to IaaS in a public cloud through a robust security architecture that maps controls from the existing on-premises environment.
It's only by aligning security objectives to business goals that the CISO and team can provide the metrics the board really wants to see. If this doesn't happen, the team risks just frantically waving around firewall logs and anti-malware reports, without giving the board any performance or risk indicators to suggest whether the situation is getting better or worse.
To ensure clear communication between security teams and board-level management, it's not the measurements that need to improve but rather the understanding of what is being measured and why. Typically, security metrics are used to:
- Justify expenditure
- Provide information about risks
- Show patterns and trends in attack traffic
- Report incident data
- Highlight strengths/weaknesses and gaps in capability
- Demonstrate compliance
Metrics should always support the strategic priorities of the organisation because, when they do, it shows the board that the security team shares its common interests. It allows both groups to talk the same language.
Understanding the board
People want to meet those who can make them look good across the business. While this might sound like a platitude, CISOs can use it to their advantage when working with the board. If you want to truly understand business objectives at a macro level, you need to get to know senior stakeholders and board members.
A typical board usually comprises six to 10 senior executives. Each of these people has their own motivations, style, idiosyncrasies and, most pertinently, their own objectives, financial goals, and priorities.
Risks, and therefore metrics, that resonate with one board member won't always resonate with another. While being invited to board meetings is a great way to provide an update and present findings, it's vital to first establish relationships with individuals.
Don’t be the boy who cried wolf
If the CISO continually tells their board that it's a case of 'when' and not 'if' the company's IT infrastructure will be compromised, some members might ask 'Why bother?'. They'll argue that, if the company is going to get breached anyway, they might as well save money on security.
This is why it is critical to back up claims and predictions with accurate and relevant metrics. Show the value that your cyber team brings in its ability to detect, contain, and prevent attacks.
Having a combination of quantitative and qualitative metrics that demonstrate value, risk mitigation, and due diligence will help this objective to be achieved.