With large-scale cyber attacks becoming increasingly common, having an effective defence strategy in place has never been more important. A big challenge, however, is ensuring senior management fully understands the issue.
By its nature, cyber security is a complex topic. The rapidly evolving threat landscape and a constant flow of new tools make keeping up a far from trivial task. Chief Information Security Officers (CISOs) face the additional challenge of clearly communicating the challenges they face, and the strategies required to address them, to their board of directors. C-suite executives need to fully understand what investments are required and why.
Using the right information
Senior managers love metrics that show levels of expenditure and returns on investment. They want to understand the types of threats their organisation is facing and what can be done to mitigate them. Unfortunately, however, this is often not the type of information that is provided to them by their CISO.
All too often they are given presentations that show the hundreds of thousands of anti-malware alerts that have occurred as evidence of a return on investments made in security tools. This, however, does little to help them understand the challenge faced by their security team and the steps that need to be taken to overcome it.
It's understandably tough for executives to fully understand IT security. Five years ago, they were signing cheques for antivirus programs and a few hundred one-time password fobs. Yet now their security teams are demanding sandboxing, decryption capabilities and security analysis platforms.
Boards are also grappling with factors such as increasing security regulations and constant media coverage of high-profile breaches. They realise they need to not only protect the reputation of their organisation but also their own personal brands. No one wants to be the person at the helm of a company that has been breached.
The job of the CISO is to make the C-suite feel prepared and briefed on the threats that can have an impact on their organisations, and to do this in a way that avoids esoteric geek-speak and is centred on information to which they can relate.
Begin with the context
When asked by the board to provide insight into the security challenge, a CISO needs to begin with the big picture. The discussion should start by relating the challenge to the organisation's long-term strategic objectives.
Security should be positioned in relation to goals such as achieving first-class customer service, keeping a lid on costs, and improving workplace productivity. Executives need to understand exactly how the security function can add value in these areas. The CISO needs to ensure that the C-suite views security not as a "department of no" but rather as a department of "no problem". They should understand that the goal is to mitigate business risk rather than to promise absolute security.
By adopting a holistic security programme, the team should be able to help the organisation reach its business objectives. If the objective is to improve customer satisfaction online, the security team can strengthen user authentication through unobtrusive multi-factor authentication. If overall IT spending has to be cut, the team can support a move to IaaS in the public cloud through a robust security architecture that maps the controls of the existing on-premises environment to the cloud. As a function, the team therefore evolves to become a trusted advisor and enabler.
The importance of metrics
By establishing business-aligned security objectives, the CISO and security team can then provide meaningful metrics to the C-suite, rather than just frantically waving around firewall logs and anti-malware reports. To achieve this, the team has to understand what needs to be measured, why it needs to be measured, and how measurements change over time.
Metrics can be used for a range of tasks. These include justifying expenditure, providing information about risks and highlighting patterns and trends in attack traffic. Metrics are also useful for reporting incident data and highlighting strengths, weaknesses and gaps in capability. They are also a valuable way to demonstrate compliance.
Metrics should always support the strategic priorities of the organisation. When they do, it shows the board that the security team shares its interests. Done well, metrics allow both parties to speak the same language.
Getting to know the board
An organisation's board is not some collective, inanimate object. It probably comprises six to ten senior executives, each with their own motivations, idiosyncrasies, objectives and priorities.
Risks, and therefore metrics, that resonate with one board member won't always resonate with another. While being invited to board meetings is a great way to provide an update and present findings, CISOs also need to establish relationships with individuals.
It's important to clearly communicate to each person the value that the IT and security teams deliver. The CISO must be in a position to demonstrate they can measure what matters and provide the board with an honest assessment of the level of protection there is for the organisation's critical assets and data.
If this can be clearly and consistently communicated, the role of the CISO and the security team will be understood and their contribution to the organisation valued.