This post was contributed by Josh Bruyning, Cybersecurity Solutions Engineer at TrustMAPP.
CISO Transition Lab 2015 Press Release: Deloitte Development, LLC
To become Trusted Advisors, Cybersecurity Leaders should focus on Maturity to consistently communicate value to stakeholders. 35% of Cybersecurity Leaders said they would like to be advisors, operating at a higher capacity and delivering more value to the business. Only 12% of Cybersecurity Leaders have achieved the desired “advisor” state; today it is overshadowed by the state of “guardian.” Beyond the challenges of operations, leaders must communicate the benefits of good decision-making, which empowers them to reinforce their strengths and consistently shore up their weaknesses. It is not for lack of trying. Finding a way to measure and communicate powerful messages to stakeholders continuously is genuinely tricky. Tools like spreadsheets, compliance checklists, and a finger in the wind have not reduced complexity, and they add to the business’s long-term risk. Cybersecurity Leaders must lean into their role as advisors, using Maturity as an accurate measurement of their present state and using the language of Maturity to communicate the value of acting. Maturity allows leaders to put security into a business context that is holistic and precise, delivering performance, ROI, visibility into cybersecurity activities, and accountability for cybersecurity effectiveness. Let’s look at four value propositions that Trusted Advisors communicate to leaders and stakeholders using the Maturity Score as a basic unit of measurement.
- Cybersecurity Performance
Cybersecurity Performance Management Benchmarks
Cybersecurity leaders seek meaningful ways to measure the performance of their efforts. You want to brag about the gaps closed, the pain points remediated, but you’re not sure where you stand today. Using a Maturity score to communicate current posture goes beyond checking a box to measure the effectiveness of controls. Prudent Cybersecurity Leaders seek to paint a realistic picture of leadership instead of giving the impression that control implementation alone communicates the entire story. But time and again, Cybersecurity leaders force themselves to explain the nuances of controls to justify their efforts, leaving stakeholders fatigued and distracted by repeated budget requests for the same tasks. Does the following conversation seem familiar to you?
CISO: We need more $$ to implement MFA across the organization
CIO: We approved the budget for that last year. What happened?
CISO: Last year’s budget covered the acquisition of the solution to implement MFA, and we rolled it out to administrators but lacked the resources to fully integrate MFA with SSO and SAML.
If you found the above conversation painfully familiar, imagine the same conversation after implementing a Maturity-based approach to Cybersecurity Performance Management.
Cybersecurity Leader: Our company’s overall Maturity Score currently sits at 3.59, compared to last year’s score of 2.30. This means that, given our budget, we managed to objectively improve the most vulnerable areas, and we’re on track to achieve a maturity score of 4.0 by the end of the year.
Stakeholder: Why are we not at a Maturity score of 5.0?
Cybersecurity Leader: That’s a great question. While 5.0 is an achievable goal, there are pain points that take more time and resources to address. For example, MFA sits at a Maturity score of 3.0, well below the overall company trend.
Stakeholder: I thought we authorized the budget for that last year. Why was it not done?
Cybersecurity Leader: When we started this project two years ago, MFA sat at a score of 0.5, almost non-existent. A score of 3.0 means that while tools are implemented, we must automate and optimize. As planned, last year’s budget took us from the initial non-existent state to an implemented state. We are still on track to achieve full maturity given trends and forecasts.
The second conversation uses Maturity to manage the expectations of the CIO, delivering a precise yet nuanced view of the CISO’s security program. Instead of creating a perception that budget requests will result in “all-or-nothing” implementation, the CISO provides a scale from non-existent to full implementation to describe her program. Each step in the maturity scale is associated with its budget and resources, thus freeing the CISO to communicate her team’s accomplishments and roadmap confidently.
- Communicating ROI
Business Alignment Forecast
In this image, each “spider leg” represents the financial investment that aligns each business objective with Cybersecurity Maturity. Every business objective serves the bottom line, and Cybersecurity serves to protect assets and enables the delivery of business value. To satisfy the demands of corporate executives and boards, Maturity helps Trusted Advisors communicate the return on investment of their cybersecurity program. The Trusted Advisor uses Maturity scales with associated expenses to describe how resources support and promote the business. When the company sees how Cybersecurity helps revenue drivers, the Trusted Advisor gains credibility and resources.
You can implement all the detective controls you want, but if the company cannot securely roll out an expansion to its salesforce, what good is Cybersecurity? What good is a company that goes out of business because its critical operations were not secure and mature? Maturity allows Cybersecurity Leaders to map pain points to business objectives, bringing robust resource planning and comparative analysis to bear. After all, the CISO is a business role and should contribute to business decisions. Open the conversation with your CEO by weighing the costs and benefits of moving in competitively advantageous directions instead of discussing the lack of resiliency. If your business is resilient in areas that impact the bottom line, you will be a trusted business advisor, full stop.
- Program Visibility To Stakeholders
Cybersecurity Program Benchmarks
Many cybersecurity leaders struggle to find the right metrics. Under a compliance model, all the above groups might have survived a compliance audit, but would you hang your hat on the numbers for Marketing, knowing that the lack of Maturity might result in a data breach during a long email campaign? Visibility does not mean “on” or “off.” If you could only see fuzzy images in black and white, you wouldn’t call that visibility. Stop blaming stakeholders when you talk to them in fuzzy pictures of black and white (the language of compliance audits). In addition to communicating the nuances of individual areas, it is essential to communicate relative performance to stakeholders with context and precision. What does it mean that “Headquarters IT” – found in the above image – exceeds the company threshold for Maturity, but Marketing is well below it? Drill into the metrics of the bottom and top performing areas to gain insights, so that a conversation with stakeholders can go like this:
CIO: Why is IT doing so much better than Marketing, and does it matter?
CISO: If we examine the maturity scores of target areas for each department, we’ll see that we overallocated resources to IT. There were immature areas of low priority in IT, and we neglected immature areas of high priority in Marketing.
CIO: How do we fix this? How does this affect our upcoming marketing campaigns?
CISO: Although the overall score sits below acceptable levels, you can see that security for email campaigns is low. If we focus on key areas that support marketing objectives, we can significantly close the gaps in our greatest pain points. Although the overall score will still be below the desired maturity threshold, we can confidently support revenue-driving activities. Achieving the desired maturity level in six months would take an initial investment of $25,000 and 200 labor hours. It would take 10 labor hours per month to maintain the desired maturity level.
CIO: I don’t love that we didn’t do what needed to be done last year, but I understand where we were, where we are, and where we will be six months from now.
Visibility builds trust, the number one tool in the advisor’s toolbox. To become an advisor, your conversations about visibility should inform, not obscure. Graphs and numbers are great, but they have to say something meaningful even when the news is not good. When things go wrong and when they go right, it is trust that strengthens partnerships. It doesn’t matter how many controls you’ve implemented; one case of “I didn’t know” or “sorry you didn’t understand” is guaranteed to ruin your reputation and make your organization less secure.
- Accountability to the Board
Communicating Maturity to board members
Corporate executives and board members remain uncertain about evaluating the cybersecurity function’s business value and effectiveness. The NIST Cybersecurity Framework metrics in the above image come from the real world. A company measured its security posture at the end of 2020 and again at the end of 2021. The story they told the Board of Directors went something like this:
In 2020, we faced the challenge of opening two new branches and expanding to neighboring municipalities. We measured our cybersecurity posture at that time and quickly identified key pain points of low and, in some cases, non-existent maturity. Those areas would limit growth and, if overlooked, could have led to a significant breach if we moved forward with our expansion. Today, we have achieved the desired level of maturity in the areas that matter. We want to reach full maturity by the end of 2022, continuing to prioritize those areas that support growth.
The presenting CISO kept the entire presentation under twenty minutes. Before presenting, she emailed stakeholders to provide them with a short introduction to the language of maturity. The stakeholders understood, and she gained credibility for understanding them. Accountability is not just about doing what you think is suitable for cybersecurity (shocking, I know) but about justifying your role in the business. If you cannot demonstrate how your department contributes to the bottom line, you cannot justify your existence. Great companies put value at the center of their activities and are accountable to the people they serve.
A security leader who cannot demonstrate value to a company undermines the very reason for the company’s existence. You are responsible for assuring stakeholders that your decisions were correct and of high significance and quality, and you need the right tools for that. Maturity is more than a methodology. Some might even call it a way of life. I call it a sure way for cybersecurity to create and communicate value. If you are a Cybersecurity Leader who wishes to move into the “Advisor” role, consider the Maturity model of communicating value to your business’s stakeholders.
Interested in learning more? Sign up for our upcoming webinar, “Communicating the Business Value of Your Information Security Program,” with Global Fortune 100 CSO Rich Mason and TrustMAPP’s VP of Customer Success, Adam Stone.