As organizations are increasingly bombarded with requests for resources to help improve business functions, security teams struggle to stand out. Often unable to communicate their needs and how they will contribute to the greater good of the company, they frequently lose out to their organizational counterparts.
As most cybersecurity professionals find, management typically isn’t able to see a direct connection between business performance and security results until the worst happens – a data breach. Consider the incidents of recent history. Many could have been avoided if the right protocols, tools and practices had been in place.
Without the funding – and ultimately acknowledgement – from the executive level, more data breaches are inevitable. However, there are four major talking points IT teams can better communicate to avoid a catastrophic cyber incident before it’s too late: the outcomes, value, effectiveness and efficiency of a successful security program.
Outcomes
Before teams even begin to ask for investments, they must have a common language for what the business needs. An outcome is a plainly worded intent supported by a metric, including any relevant qualifiers. An example outcome statement for an early-maturity security program might be, “Minimize the number of employees and business processes disrupted in the event of a breach, such as ransomware.” The intent is clear, the metric (employees and processes disrupted) is clear and there is an example threat.
Outcomes are the foundation upon which you can build value, effectiveness, and efficiency. They are the bridge that covers the gap between business and security.
Value
The business value that security brings to the organization is risk and impact reduction. The security program exists to reduce the risk that a threat will disrupt business operations and limit the impact of a breach when it occurs.
One of the most important points to make right at the beginning is the serious, negative impact a cyber incident could have on the organization – especially on the reliability and availability of daily business operations. This establishes the baseline risk.
The second point to make is the impact of unmitigated cyber breaches. Consider analyzing recent examples of data breaches at similar companies and discuss the financial and reputational effects they had. It’s important to illustrate just how much not having financial or technical resources – or even staff – dedicated to security can seriously hurt them. This will establish the impact the business is willing to accept.
From there, provide visibility into how specific security practices and technologies can reduce risk and limit impact. For example, investing in email threat prevention technology will reduce the risk of falling victim to credential theft, unauthorized financial transactions and industrial espionage. Investing in endpoint detection and response technology, a trained SOC and incident responders will reduce the impact of those same threats.
Value doesn’t stop at investment. Business partners will want to see the return on their investment. They will look for metrics that demonstrate effectiveness and efficiency in attaining the risk and impact reduction you promised.
Effectiveness
To better communicate the effectiveness of investments, it’s important to establish an agreed-upon outcome for each investment. Consider it a contract: it should be specific. In conversations with customers and partners, the number one outcome companies desired from these security programs was the ability to minimize the likelihood of threats going undetected and of an environment being breached.
To minimize the likelihood of threats going undetected, best practice is to apply layers of preventative controls, threat prevention and detection technology, and skilled staff. Initial metrics can simply report on achieving those steps. To further demonstrate the effectiveness of these layers, consider using the MITRE ATT&CK framework to show how many attacker tactics and techniques can be detected, and where the gaps are.
To minimize the likelihood of an environment being breached, best practice points to user education and a threat hunting program. The effectiveness of user education can be measured through training completion rates and failure rates in testing (such as spear-phishing simulations).
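One way to turn the ATT&CK suggestion above into a reportable metric, as an added example that is not part of the original article: map each detection rule to the technique IDs it covers, then count covered techniques per tactic and list the gaps. The technique subset, tactic assignments and the rule names are constructed for illustration (the tactic memberships follow ATT&CK Enterprise, but the table is a small slice, not the full matrix); in practice you would load the technique list from the ATT&CK STIX export and the rule mapping from your SIEM or EDR.

```python
# Added example (not from the article): an ATT&CK detection-coverage metric
# computed from a constructed mapping of detection rules to technique IDs.
from collections import defaultdict

# Constructed subset of ATT&CK Enterprise techniques: ID -> (name, tactics).
# Illustrative only; replace with the full matrix from the ATT&CK STIX data.
TECHNIQUES = {
    "T1566": ("Phishing", {"initial-access"}),
    "T1059": ("Command and Scripting Interpreter", {"execution"}),
    "T1547": ("Boot or Logon Autostart Execution", {"persistence", "privilege-escalation"}),
    "T1055": ("Process Injection", {"defense-evasion", "privilege-escalation"}),
    "T1003": ("OS Credential Dumping", {"credential-access"}),
    "T1110": ("Brute Force", {"credential-access"}),
    "T1021": ("Remote Services", {"lateral-movement"}),
    "T1071": ("Application Layer Protocol", {"command-and-control"}),
    "T1041": ("Exfiltration Over C2 Channel", {"exfiltration"}),
    "T1486": ("Data Encrypted for Impact", {"impact"}),
}

# Constructed detection inventory: hypothetical rule name -> technique IDs it covers.
DETECTIONS = {
    "email_gateway_phish_block": {"T1566"},
    "edr_suspicious_powershell": {"T1059"},
    "edr_lsass_access": {"T1003"},
    "idp_password_spray": {"T1110"},
    "edr_remote_injection": {"T1055"},
    "ransomware_mass_rename": {"T1486"},
}


def covered_techniques(detections, techniques=TECHNIQUES):
    """Technique IDs that at least one rule maps to; IDs not in the
    reference table (typos, retired IDs) are ignored rather than counted."""
    covered = set()
    for tech_ids in detections.values():
        covered |= {t for t in tech_ids if t in techniques}
    return covered


def coverage_by_tactic(detections, techniques=TECHNIQUES):
    """Per-tactic (covered, total) counts. A technique that belongs to
    several tactics counts toward each of them."""
    covered = covered_techniques(detections, techniques)
    totals, hits = defaultdict(int), defaultdict(int)
    for tid, (_, tactics) in techniques.items():
        for tactic in tactics:
            totals[tactic] += 1
            if tid in covered:
                hits[tactic] += 1
    return {t: (hits[t], totals[t]) for t in sorted(totals)}


def overall_coverage(detections, techniques=TECHNIQUES):
    """Fraction of reference techniques with at least one detection."""
    return len(covered_techniques(detections, techniques)) / len(techniques)


def uncovered(detections, techniques=TECHNIQUES):
    """Techniques with no detection at all: the gap list for the next budget conversation."""
    return sorted(set(techniques) - covered_techniques(detections, techniques))


if __name__ == "__main__":
    for tactic, (hit, total) in coverage_by_tactic(DETECTIONS).items():
        print(f"{tactic:22s} {hit}/{total}")
    print(f"overall: {overall_coverage(DETECTIONS):.0%}")
    print("gaps:", ", ".join(f"{t} ({TECHNIQUES[t][0]})" for t in uncovered(DETECTIONS)))
```

A caveat worth stating alongside the number: a rule that "maps" to a technique often fires on only some of its procedures, so a coverage count measures breadth, not detection quality. Pair it with periodic test cases (adversary emulation or purple-team exercises) that confirm each mapped rule actually fires, or the metric overstates effectiveness.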
Threat hunting programs can measure the number of completed threat hunts, the number of new threat hunts and other significant findings.
Efficiency
Once value and effectiveness against the business outcomes have been established, next is efficiency. It is intentionally placed last for good reason: security teams cannot mature what they don’t have. Establishing the controls and measuring their effectiveness against the threats targeting the organization will always be mission number one.
Efficiency is about cost and time savings in delivering on the outcomes. The greatest cost to any security program is people, so time to complete a process is the most useful single measure. The measurements here are in line with other standard business efficiency reporting: break the process into steps, measure and record the time for each step, and once all the steps have been completed and the outcome achieved, sum the step times as your efficiency metric for that outcome.
At some point, requests for staffing will be denied. This is the time to review your processes and efficiency metrics to determine where automation, typically a much smaller investment, can free up time for existing staff.
It’s no secret that communicating the importance of security initiatives is a difficult challenge for professionals across the industry. When working with leadership that is constantly torn on where and how to invest resources, it’s essential for security teams to provide greater insights into cyber concerns at similar organizations, the threats posed to their own and how their department is helping to keep the business up and running.
By communicating the outcomes, value, effectiveness and efficiency of their contributions, teams increase their chances of proving their worth, making security a business priority and implementing a successful program.