Overcoming the communication gap between security teams and the board of directors continues to be a crucial challenge for CISOs. If the board doesn’t clearly understand the ROI on security investments and what business-critical problems the program is solving, CISOs may struggle to obtain the support they need.
As many companies look to tighten budgets going into 2021 amid an economic recession, it’s more important than ever to communicate security ROI in a language the board understands.
The key to closing this gap is for CISOs to anticipate what the board really cares about and come prepared with straightforward metrics to address these priorities. Here are a few ways CISOs can directly address the top board-level security concerns to ensure the program gets the budget it needs to mature.
Start simple: where are the greatest risks and how are you reducing them?
The first step in getting board buy-in for the security program is to give them a full picture of what the business risks are and where the biggest vulnerabilities lie, ranked by potential business impact. This is why visibility is so essential: you can’t protect what you can’t see. Demonstrate this at the next board meeting with metrics around how much of the security environment the program can actually see.
One way to do this is to compare how many systems are in place with how many of those systems are actually logging. Calculate this percentage separately for each environment type (cloud, on-prem, PCI or HIPAA environments, etc.), since a healthy overall average can hide a poorly instrumented regulated environment.
It is also essential to understand your visibility into known threats. By analyzing your current use cases and mapping against established frameworks like MITRE ATT&CK or NIST, security leaders can identify whether the controls are in place to mitigate the most common threats to the business.
By communicating how much of your environment you can see and the percentage of MITRE ATT&CK techniques you can detect, it is easy to help non-security professionals quickly see where the gaps are and gain buy-in for initiatives such as new technology or prioritizing IT teams' time.
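The two board-level numbers described above (percentage of systems logging per environment, and percentage of prioritised ATT&CK techniques with a working detection), computed over a constructed inventory as an added example that is not part of the original article. Hostnames, log-source names and the priority-technique list are assumptions; the technique IDs are real ATT&CK identifiers. It also separates "claimed" from "effective" coverage: a detection rule only counts if the log source it depends on is actually flowing.

```python
from collections import defaultdict

# Constructed sample asset inventory: (hostname, environment type, ships logs to the SIEM?)
ASSETS = [
    ("web-01", "cloud", True), ("web-02", "cloud", True), ("batch-01", "cloud", False),
    ("dc-01", "on-prem", True), ("file-01", "on-prem", True),
    ("hr-app", "on-prem", True), ("legacy-erp", "on-prem", False),
    ("pos-gw", "pci", True), ("card-db", "pci", True),
]

# Constructed detection use cases: (ATT&CK technique ID, log source the rule depends on).
# Technique IDs are real ATT&CK identifiers; the rule-to-source mapping is illustrative.
USE_CASES = [
    ("T1110", "auth"), ("T1078", "auth"), ("T1059", "endpoint"),
    ("T1566", "email"), ("T1486", "endpoint"), ("T1021", "netflow"),
]

# Techniques the business chose to prioritise (constructed) and sources actually ingested today.
PRIORITY_TECHNIQUES = {"T1003", "T1021", "T1059", "T1078", "T1110", "T1190", "T1486", "T1566"}
SOURCES_ONLINE = {"auth", "endpoint"}


def visibility_coverage(assets):
    """Percentage of systems that are logging, broken down per environment type."""
    counts = defaultdict(lambda: [0, 0])  # env -> [total systems, logging systems]
    for _host, env, logging in assets:
        counts[env][0] += 1
        counts[env][1] += int(logging)
    return {env: round(100 * logged / total, 1) for env, (total, logged) in counts.items()}


def technique_coverage(use_cases, priority, sources_online):
    """Claimed vs effective ATT&CK coverage; a rule only counts if its log source is flowing."""
    claimed = {tech for tech, _src in use_cases} & priority
    effective = {tech for tech, src in use_cases if src in sources_online} & priority
    return {
        "claimed_pct": round(100 * len(claimed) / len(priority), 1),
        "effective_pct": round(100 * len(effective) / len(priority), 1),
        "blind_spots": sorted(priority - effective),  # techniques with no working detection
    }


if __name__ == "__main__":
    print("Logging visibility by environment:", visibility_coverage(ASSETS))
    print("ATT&CK coverage:", technique_coverage(USE_CASES, PRIORITY_TECHNIQUES, SOURCES_ONLINE))
```

The gap between the claimed and effective percentages is the number to show the board: it is coverage that exists on paper but not in practice until the missing log feeds are ingested.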
Clearly communicate the level of protection
Is your company protected from breaches? While it may be impossible to definitively answer “yes” to this question, CISOs can and should determine a quantitative response based on what visibility the security program has and where gaps exist.
Use the calculation described above to identify metrics that demonstrate how much of the environment the security program can see and how much visibility it provides around the top threats. From there, CISOs can determine what the priorities are and present them to the board along with a concrete plan for closing these gaps with new data or security controls.
Analyze ROI on current security tool investments
Before justifying further program investment, the board will want to see what return has been realized on current security tools like a SIEM, EDR or SOAR platform. Measure ROI by identifying any issues or outages with the tool and how many of the tool's capabilities are actually being used.
In today's world, many tools have multiple capabilities. As a security executive, you should be able to show a percentage of tool use and the overall efficacy of that tool. By communicating to what extent current security tools are used and how they're performing, CISOs can identify new ways to improve ROI with updates or enhancements.
Use these metrics to back up future investments
Once a CISO has determined where the biggest risks lie, what visibility the company currently has and how effective current tools are, they’ll be able to determine what changes to program investment are needed and communicate it effectively to the board. The board will want to know whether gaps in protection can be filled by optimizing existing tools or whether new tools are needed (and what that budget looks like).
Map everything back to the bigger picture
Above all, boards need to understand how the security program’s people, processes and technology are actively making the company more protected over time and mapping back to business initiatives.
If a core business goal is digital transformation, show the board how visibility and threat detection enable that by securing the cloud and new SaaS applications. Is e-commerce the most important initiative? Map security practices back to protecting that infrastructure.
Communicating this bigger picture comprehensively and confidently is a CISO's primary goal when it comes to closing the understanding gap for boards. Doing so requires a combination of metrics across visibility, team performance and tool efficacy, mapped back to past quarters or another clear timeframe over which the metrics are reported.
To truly deliver security ROI in a language the board will understand, CISOs must home in on specific coverage areas or threats and talk through how current protection meets risk tolerance levels.