The fact that cybersecurity is a board issue is yesterday’s news. You’d be hard pressed today to find a CISO who isn’t spending more time preparing reports for their executive and audit committees. Today’s dilemma is what information to share in order to help inform business decisions.
As CISOs grapple with this problem, they face two challenges. First, how to explain what ‘cyber’ means for business risk. Second, how to show the value their budget is delivering. As Charles Bligh, MD of TalkTalk Business, stated after the company’s data breach, the question security’s audience wants answered is: “…can we describe the levels of security and the defenses we have, and what is our risk profile?”
The frustration CISOs have with today’s security reporting is that they’re only armed with siloed, operational metrics that lack business context. The information they can share is about security activity and security results, rather than business risk and security posture. While a core security activity like patching is vital to ensure good hygiene of an IT estate, the board are unmoved by hearing what percentage of patches have or have not been applied in line with policy.
A CISO at an investment bank explains the problem like this: “Years ago we took data about our vulnerabilities to executives; we showed where doors were open and the response was: ‘Yesterday we made $5 million, and we were vulnerable. Today we made $7 million and we’re vulnerable. Tell me, what’s going to change tomorrow?’ ”
Things have now changed. The board realize that cybersecurity is an important and multidimensional issue that requires them to understand the relationship between threats, vulnerabilities, their controls and the connectedness and dependencies between technical assets and business functions.
Security leaders know they lack the metrics they need to give the board confidence that the business is in strong control of its risk from ‘cyber.’ While there is lots of data available, the puzzle that CISOs are trying to solve is how to bring this information together to show the board the picture they need to see. To do this, many security functions are working to be able to:
- Link technical data to business assets; typically vulnerabilities and control measurements are logged against IT assets. While a jump server means something to IT, its business importance is opaque without context about the potential impact to revenue and business services if that server is compromised.
- Escape from the narrative of ‘finding bad’ to ‘finding risk’; an analogy one CISO uses is that when you invest in a new security solution, it’s like turning on a console and seeing nothing but red lights flashing. What this leads to is ‘alert whack-a-mole,’ where security gets stuck chasing tactical problems that are the downstream effect of missing or underperforming controls. As a result, security ends up constantly managing incidents, rather than consistently managing risk.
- Find ways to show that security ROI is being maximized from investments in technology and people, and that as a consequence, attacker ROI is being minimized (i.e. it is harder for credible threats to achieve compromise of a business asset). The initial dimensions for this typically begin with simple measures of the success of what is already in place. For example, where technology has been purchased to support a policy intent, is it performing and does it have expected coverage? Over time, metrics to demonstrate ROI can extend to comparing control detections to assess the effectiveness of defense in depth – and identifying combinations of control gaps or failures across multiple technical assets that leave an attack path open to threat actors.
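As an added illustration (not the article’s own code or any vendor’s product logic) of the three activities above, the small Python model below links per-asset control telemetry to the business services that depend on those assets, reports coverage against policy intent, and searches for chains of reachable assets on which every hop has a control gap. All assets, services, controls, reachability and impact figures are constructed for the example.

```python
"""Constructed example: business-contextualised control-gap reporting."""

# Constructed inventory: business services and the technical assets they depend on.
SERVICE_DEPENDENCIES = {
    "online-payments": {"web-01", "app-01", "db-01"},
    "internal-hr": {"hr-01"},
}
# Constructed business impact (revenue at risk) if the service is compromised.
SERVICE_IMPACT = {"online-payments": 7_000_000, "internal-hr": 250_000}
# Policy intent: the controls every asset is expected to have.
REQUIRED_CONTROLS = {"edr", "patched", "mfa"}
# Constructed telemetry: controls actually observed on each asset.
OBSERVED_CONTROLS = {
    "web-01": {"edr", "mfa"},            # missing: patched
    "app-01": {"edr", "mfa"},            # missing: patched
    "db-01": {"patched", "mfa"},         # missing: edr
    "hr-01": {"edr", "patched", "mfa"},  # fully covered
}
# Constructed directed reachability between assets; "internet" is the untrusted entry.
REACHABLE = {"internet": ["web-01"], "web-01": ["app-01"], "app-01": ["db-01"]}


def control_gaps(asset):
    """Controls policy expects on the asset that telemetry does not show (unknown assets get all)."""
    return REQUIRED_CONTROLS - OBSERVED_CONTROLS.get(asset, set())


def coverage_by_control():
    """Operational view: fraction of inventoried assets on which each control is present."""
    total = len(OBSERVED_CONTROLS)
    return {c: sum(c in ctrls for ctrls in OBSERVED_CONTROLS.values()) / total
            for c in sorted(REQUIRED_CONTROLS)}


def service_exposure():
    """Business view: per service, the impact at risk and the asset gaps behind it."""
    out = {}
    for svc, assets in SERVICE_DEPENDENCIES.items():
        gaps = {a: sorted(control_gaps(a)) for a in sorted(assets) if control_gaps(a)}
        out[svc] = {"impact_at_risk": SERVICE_IMPACT[svc] if gaps else 0, "gaps": gaps}
    return out


def open_attack_paths(entry, target, path=()):
    """Depth-first search for chains from entry to target on which every asset has a gap;
    a fully covered asset on the chain closes it (defence in depth holding)."""
    path = path + (entry,)
    if not control_gaps(entry):
        return []
    if entry == target:
        return [path]
    return [p for nxt in REACHABLE.get(entry, []) if nxt not in path
            for p in open_attack_paths(nxt, target, path)]
```

Reporting the second and third functions rather than the first turns “50% of assets are patched” into “$7M of payment revenue sits behind an unbroken chain of control gaps”.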
These activities all support the goal of implementing controls to protect business assets in a way that is commensurate with the risk of business impact if those assets are compromised. Ultimately the CISO has to be able to measure the company’s exposure to material business impacts and its security capability to mitigate them. Then, on a continual basis, the security function needs to be able to justify its priorities based on the gap between security capability and risk exposure.
Doing this requires a fundamentally new approach to risk measurement that persistently combines different data sources to identify, metricize, communicate and mitigate risk.
As one CISO said recently: “Everyone realizes that manual, point-in-time risk assessments don’t fly any more. We need to measure risk constantly from the telemetry of our operating environment so we can understand our digital landscape, understand control effectiveness across that landscape, and identify threats operating above our control baseline.”