Four steps outlining how security teams can better understand their company’s cyber-risk and demonstrate to company leadership what’s being done to mitigate the resulting business risk.
In my role as CISO of a security company, I travel around the US and abroad quite a bit and have the opportunity to meet with security practitioners from many industry sectors. I also give talks and present to people on the front lines about the importance of treating cybersecurity like any other business operation.
With the number and types of cyberattacks on the rise, and the growing numbers of companies that experience some sort of breach, cyber-risk has become equivalent to business risk. As such, a company’s vulnerability to cyber threats is now a top-of-mind issue for C-level executives, which puts increased pressure on CISOs I talk with to ensure their security controls work as they should. Yet there seems to be a large gap between how companies should address cyber-risk and what they’re actually doing.
How do I know this? Aside from conversations and interactions with security leaders that point to this trend, I also collect security statistics from hundreds of audience members via real-time polling software when I’m making a presentation. My audiences generally include red and blue security teams, auditors, security executives, and individuals representing various non-technical, non-security leadership roles across government organizations, financial services, transportation, telecom, retail, healthcare, and oil and gas, just to name a few — providing an interesting cross-section of perspectives.
Recently, I posed this question: “Does your leadership leverage security metrics for business decisions?” Surprisingly, 49% voted that they “rarely or never” use security metrics for business decisions, while 51% said “half the time,” “usually,” or “always.” While just over half of the respondents said they use security metrics for business decisions at least half the time — which is a positive statistic — just under half said that they rarely or never use security metrics, which shows there is a lot of room for improvement in helping business leaders understand the impact of cyber-risk on the financial, operational, and brand risk — and how it can be measured.
Another polling question — “How good is your organization’s security team at mapping cybersecurity risks to business risks?” — revealed that 77% of respondents felt that their security teams did a poor to fair job of mapping cybersecurity risks to business risks. This number shows that while security is maturing and playing a greater role in critical business functions, as an industry, we’re not far enough along. Most people likely know that it’s a good idea to map cyber-risk to business risk, and want supporting evidence-based data so cybersecurity can be measured like other business units. But there clearly is a disconnect when it comes to how to do this.
While companies are beginning to understand all that’s at stake when a breach occurs — loss of brand trust, compromised customer data, millions of dollars stemming from lawsuits to name a few — there is little understanding of how to measure and understand an organization’s cyber-risk and what actionable steps to take to improve the company’s security posture.
Here are my recommendations for how security teams can better understand their company’s cyber-risk and demonstrate to company leadership what’s being done to mitigate the resulting business risk.
1. Stop assuming and start measuring.
It used to be enough for security teams to think only of performance and speed when evaluating security solutions. But that’s no longer true because there is increasing complexity in the environment to manage while also measuring and reporting on security effectiveness to the rest of the organization (including sales, marketing, human resources, and finance). This reporting must be based on quantitative, data-driven measurements, not assumption-based metrics, to provide the evidence needed that validates that security controls are working as they should.
2. Conduct and automate tests on an ongoing basis.
Given point No. 1 above, evidence is needed on an ongoing basis to demonstrate what is working or not working. Companies tend to look to audits and penetration tests for this, but these approaches are limited — they provide only a one-time snapshot of security controls rather than an end-to-end picture. Testing options exist that will not only identify vulnerabilities but also prescriptively fix them and validate that the fix is successful — and then automate the process for continued validation, particularly as environmental drift occurs, to ensure that what’s working stays working. In other words, fix it the right way, make sure it’s fixed, and keep it fixed.
3. Be sure you’re evaluating and implementing the right security solutions.
When considering any security solution, it’s important to know if you’re evaluating the right products for your environment and to enable the business. Think of it this way: You only create internal processes, build apps, or hire people if doing these things will improve the overall effectiveness of the company. Security has been excluded from this type of evaluation for too long, simply because there haven’t been the right tools to rationalize investments. These tools now exist and give security leaders insights into how security components both enable and improve business.
4. Report actionable information to the executive team.
If you’re a security professional, you likely know that key stakeholders in the company — the audit committee, the C-suite, and the board — want assurance that the security controls that are in place are effectively protecting the company and its digital assets. Look for systems and platforms that provide the kind of evidence-based, practical reporting your executive team requires, and convey with confidence that the security infrastructure is continually monitored and optimized to minimize business risk.
If you’re like the nearly half of respondents who said they “rarely or never” use security metrics for business decisions, or if you’re in the 77% bucket of people who say their security teams do a poor to fair job of mapping cybersecurity risks to business risks, the above steps can help you better manage your organization’s cyber-risk and business risk, and ultimately protect the company and preserve its brand, operations, and financial position.