Talking the Talk: Cybersecurity Metrics for the C-Suite
Getting the right feedback and funding for enterprise cybersecurity means dropping the jargon and connecting cyber risk to business costs.
As “mega-breaches” and cybersecurity risk alerts continue to spring up in daily news reports, enterprise leaders are paying much closer attention to their cybersecurity risk profiles. According to a survey by Protiviti and the Enterprise Risk Management Initiative at the North Carolina State University Poole College of Management (Executive Perspectives on Top Risks for 2016), 57 percent of surveyed board members and C-suite executives are concerned that their enterprise may not be sufficiently prepared to manage cyber threats that could significantly disrupt operations or damage the brand. Especially in the wake of C-level executives losing or leaving their positions following a data breach, or being held accountable by regulators, enterprise leaders are looking to become more involved in the conversation on cybersecurity and risk mitigation; however, this means that cybersecurity leaders may need to adjust the tone of the conversation to keep their CEO’s attention.
Historically, most CISOs and cyber-focused security leaders have centered their efforts around communicating the technical aspects of their initiatives to their direct reports. However, now that the C-suite is requesting information on the enterprise’s cyber vulnerabilities, defenses and capabilities, security leaders need to pivot their focus – and metrics – to a business enablement perspective.
According to Joe Carson, CISSP, Head of Global Strategic Alliances at Thycotic, the cost of a data breach is growing, but this also means that the cost of lost data is becoming more calculable. Previously, a CISO may have been hard-pressed to determine the cost-per-record of a data breach or a disruption of service, he says, but now there is clear evidence and precedent of how much a mega-breach costs a business, in reputation, regulatory fines, lost productivity and lost revenue.
Carson adds that the CISO or cybersecurity leader’s responsibility is to help the organization understand the policies in place, the cyber insurance in place, what the insurance covers and what it doesn’t, and what areas need additional investment.
CISOs should endeavor to connect a risk to a direct impact on the business, he says: if a key service or public-facing website crashes for an hour, how much does that cost the business? If key data is deleted or unavailable and the system has to be restored to a backup from a month ago, how much will it cost the business to catch up and restore key information?
“Now that we can know the direct cost, are we willing to pay for security improvements to reduce that risk? We really need to find the business justification for the cost of improving and doing risk mitigation in cyber, and that’s the biggest challenge,” Carson says.
Getting cybersecurity discussions into the board room and the C-suite takes dedication, business savvy and, often, support from top leadership. According to David Shearer, CEO of cybersecurity education and certification organization (ISC)2: “(Cybersecurity) isn’t really something that works as a grassroots effort. Line employees’ efforts can only go so far; it’s really something that needs to be built into the CEO’s way of thinking. Every corporate officer, starting with the chief executive officer, needs to be a champion for cybersecurity and needs to be savvy enough to at least talk about cybersecurity relative to their area.”
For example, the CFO should be able to explain and understand how core financial systems are protected from a cybersecurity standpoint. The COO should understand how facilities and operations could be impacted by a cyber attack, and what measures are in place to help mitigate that risk.
Shearer adds that cybersecurity leaders need to link cyber investments to business concepts, focusing on the language of risk – a language the C-suite is already very familiar with – and business enablement.
“In many cases, the C-suite or the board can look at cybersecurity as a bottomless pit of investment: ‘When will we know that we’ll never be breached?’ I think the conversation now has gotten more mature: ‘We know we can’t guarantee we can’t be breached,’ but now we’re playing a probability game. We want to drive down our probability (of a breach) as low as we can, and that’s going to take investment. But now we’re starting to have tools that show that return on investment, which takes it from a technical discussion to a business discussion,” Shearer says.
According to Steve Durbin, Managing Director of the Information Security Forum (ISF): “You can’t afford to sit back and wait for (executives) to come to you. Security still doesn’t have that level of perceived importance within the organization – you have to go out and socialize about what you’re wanting to achieve. Listen to what the business units are after and then try to come up with a way that security can support those strategic objectives. That’s how you get mind-share.”
“The thing that the board is concerned about is the impact of (cyber attacks) on brand and reputation. Those two things are very, very difficult to win back, and we operate in an environment where trust is absolutely paramount,” Durbin says. “It isn’t just about some of the fines that might be handed down, for instance, but it’s about the softer issues, which are very much harder to quantify until you see customers voting with their feet.”
In a pinch, CISOs can use the news to put their security initiatives and planning in perspective, he says, but they shouldn’t rely on the traditional chorus of fear, uncertainty and doubt to get their projects approved. Instead, they should embed cybersecurity within different departments’ projects and align future security programs with the business’s objectives. If there are objections, work with the business unit to find alternatives.
“There’s absolutely no point in telling your sales force, who are out on the road all the time, not to use public Wi-Fi. You’re setting yourself up to fail,” Durbin says. “You want to make sure you’re protecting the critical elements of information they may be accessing instead, so look at things like encryption, but don’t be issuing edicts that aren’t going to get anybody anywhere.
“Most security departments understand that we’ve now entered an era where the consumer is king. Most users have a much bigger say in how they go about managing information and managing access than they’ve ever had before. On the one hand, this has complicated things from the security standpoint, but on the other hand, it’s made the job much more interesting, because we need to get into the heads of the end users. We need to understand the way in which some of our systems are being used. Saying ‘no’ isn’t actually going to do much. It’s like standing on the beach and telling the sea not to come in, because users will react and behave in certain ways that stand outside the ways of security.
“Power lies with the business unit that drives the business forward, and it lies with the people who are enabling that progress,” Durbin continues. “For security to be effective, they need to be collaborating much more effectively with those power brokers in the organization. Telling the sales director not to do something when he or she is responsible for driving a whole new line of business is not going to get you very far. Working with that sales director to ensure that you can achieve those business goals as safely and effectively as possible from a security perspective and pointing out the benefits of doing it in one way instead of another is really going to move you forward in leaps and bounds. And that’s really the difference we want to enable.”
In terms of showing the enterprise’s cybersecurity successes and measuring its progress, there is no standard set of key performance indicators (KPIs), says Durbin. Each enterprise must develop its own, depending on what its key data and risks are, and how tolerant the enterprise is of certain risks over others. A critical infrastructure enterprise, for example, may need to focus its efforts around meeting regulatory compliance regardless of the user experience, while a retailer would want to focus on making the customer experience pleasant, seamless and easy, which could potentially sacrifice certain security roadblocks.
According to Shearer, cybersecurity leaders should focus on communicating their department’s resiliency, maturity and the probability of a breach, as these are clear metrics that can help enterprise leaders understand where the enterprise stands in terms of its capability to rebuff, detect, respond to or recover from an attack.
Carson says that enterprises can demonstrate their success with cybersecurity in five ways:
1. Types of threats received
2. Types of threats prevented
3. Monetary losses prevented
4. Successful attacks against the enterprise
5. Steps to prevent the repeat of previously successful attacks
Benchmarking against common guidelines and standards, such as the NIST Cybersecurity Framework or the annual Verizon Data Breach Investigations Report, can also be useful in determining and demonstrating an enterprise’s cybersecurity maturity level, emerging attack vectors, common best practices and next steps, he says.
As well as demonstrating security inside the enterprise, Carson adds that cybersecurity leaders shouldn’t neglect to consider external breaches’ potential impacts on the business. For example, if a popular social media site is hacked and log-in credentials are released, is it possible that your employees have used identical passwords for their work log-ins?
At Cisco, the Security and Trust Organization develops and presents a set of “Unified Security Metrics” to measure risk and resolution rates for the business. According to Steve Martino, Vice President and CISO for the Cisco Security and Trust Organization, building metrics should start with an understanding of a department or business’s three- to five-year strategic priorities – changes and initiatives planned, and changes to the threat landscape. He looks in particular at program maturity (alignment to industry standards, gap analyses) and how the group is managing and operating the environment, including three factors:
– The number of vulnerabilities in the environment, and whether that number is trending up or down.
– The service level agreements (SLAs) negotiated for addressing vulnerabilities, and whether they are being met.
– The time taken to detect and contain vulnerabilities.
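One way to derive those three figures from a vulnerability tracker export, as an added example that is not Cisco’s Unified Security Metrics tooling or code from this article; the record layout (including an “introduced” date used to measure time to detect), the SLA targets and the sample rows are constructed assumptions:

```python
"""Vulnerability-trend, SLA-compliance and time-to-detect/contain metrics
computed from a constructed tracker export. Example code added to this
article, not Cisco's; field names, SLA days and sample rows are assumed."""
from datetime import date
from statistics import mean

# Assumed remediation SLA per severity: days allowed from detection to containment.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90}

# Constructed sample rows: (id, severity, introduced, detected, contained or None).
VULNS = [
    ("V-1", "critical", date(2016, 1, 3),  date(2016, 1, 5),  date(2016, 1, 9)),
    ("V-2", "high",     date(2016, 1, 10), date(2016, 2, 1),  date(2016, 3, 15)),
    ("V-3", "medium",   date(2016, 2, 2),  date(2016, 2, 4),  date(2016, 3, 1)),
    ("V-4", "critical", date(2016, 2, 20), date(2016, 2, 21), date(2016, 3, 5)),
    ("V-5", "high",     date(2016, 3, 1),  date(2016, 3, 2),  None),
    ("V-6", "medium",   date(2016, 3, 8),  date(2016, 3, 9),  None),
]

def open_at(vulns, snapshot):
    """Factor 1: findings detected by `snapshot` and not yet contained on that day."""
    return sum(1 for _, _, _, det, con in vulns
               if det <= snapshot and (con is None or con > snapshot))

def open_trend(vulns, snapshots):
    """Open-count series at successive snapshot dates; a rising series is the bad case."""
    return [open_at(vulns, s) for s in snapshots]

def sla_status(vulns, today):
    """Factor 2: per-severity share of findings that met, or are still within, their SLA.
    Open findings age against `today`, so an overdue open finding counts as a breach."""
    met, total = {}, {}
    for _, sev, _, det, con in vulns:
        age_days = ((con or today) - det).days
        total[sev] = total.get(sev, 0) + 1
        if age_days <= SLA_DAYS[sev]:
            met[sev] = met.get(sev, 0) + 1
    return {sev: met.get(sev, 0) / total[sev] for sev in total}

def mean_times(vulns):
    """Factor 3: mean days to detect (introduced -> detected) over all findings, and
    mean days to contain (detected -> contained) over closed findings only."""
    mttd = mean((det - intro).days for _, _, intro, det, _ in vulns)
    closed = [(con - det).days for _, _, _, det, con in vulns if con]
    mttc = mean(closed) if closed else None
    return mttd, mttc

if __name__ == "__main__":
    month_ends = [date(2016, 1, 31), date(2016, 2, 29), date(2016, 3, 31)]
    print("open trend:", open_trend(VULNS, month_ends))
    print("SLA met:", sla_status(VULNS, date(2016, 3, 31)))
    print("MTTD, MTTC (days):", mean_times(VULNS))
```

Reporting the same three numbers each quarter, rather than a changing set, is what lets the trend and the SLA figure carry meaning across the operations, C-suite and board conversations described next.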
These factors form the Unified Security Metrics that Cisco uses to present progress – and areas needing investment and attention – to different members of leadership. These metrics help Martino to align his conversations with each of three different levels in the business: operations, C-suite and the Board. Having consistent metrics also helps to build a base of trust throughout the different levels of leadership, so that there’s an alignment of understanding from the boardroom to the C-suite to each business unit, and conversations can be easily facilitated between the groups without needing to go back to basics. When organizations lack consistency in their reporting and metrics, cybersecurity leaders start to experience second-guessing and confusion from their leadership, which can slow progress, Martino says.
“It is important to start thinking about your security strategy as an enabler and a risk management process,” Martino says. “It’s not about stopping or blocking or defending, it has to be a risk management – every business, in order to move forward, has to take on certain risks to stay competitive. My job is: how do I enable the business securely?”