This post was contributed by Michael Cote, Senior Solutions Engineer at TrustMAPP.
We’ve all seen them; trade articles and blog posts discuss the value of an organization’s cybersecurity program, questioning the need for cybersecurity assessments and a viable performance management process.
Typical comments are focused on the return of the investment to the company, the ROI. Troubling for most CISO’s is obtaining the Board of Directors’ buy-in for a robust and dependable security program and toolset, and there are costs to these. Hence, the focus is on ROI.
So, why is this difficult to obtain? It’s not because cynical people comprise most boards wanting to find a reason to say “no.”
It’s because their decisions as business leaders are to provide products and services that generate profits for investors and continued paychecks for employees, to keep open their doors to business and, consequently, grow that business. How can a CISO clearly explain the need to balance the price for an asset with the return on the value of that asset when it comes to cybersecurity, mainly seen as a cost center? How do they position the need for cybersecurity and show its value to the board?
CISO’s need to ask for funding to pay for a successful security program that, in turn, protects the company from a host of risks, not the least of which is loss of branding, customer trust, and loss of business valuation or assets, financial or otherwise. How will a CISO ask for cyber security funding without promoting a fearful position for the need for such security?
First, they must avoid positioning cybersecurity as a money pit. Emphasize the benefits, not the costs. Developing a mature and successful security posture is expensive, and we see that in the product offerings for the tools required to implement a successful security program.
Second, establish a position of protection of assets as a means of not losing money, which in turn allows the company to continue to make money as they go about their profitable day-to-day processes. When presenting to the board your wish list, it can only help by providing a clear, concise representation of how you, as the CISO, will do just that.
Recognize, understand, and know your audience, consider their background and experience, and present to them in predominantly their language. Whatever visual aids you choose to use should provide clear information with the least amount of excess information during your presentation. Keep techno-speak to a minimum. Stakeholders want to know about the numbers and how the company will be financially affected by your requested purchases. Identify and specify what products, services, and tools you are requesting. Base your lists of items on the current security state of the company, but always be forward-thinking and pay attention to technologies nearing legacy status while next-gen versions, which will be more expensive, are either available or soon to be available. From there, the cyber security team can go over the assessment results and begin to explore the multitude of shiny objects and options while avoiding shiny object syndrome.
Now that there is a list, how does one define what is vital regarding an organization’s cybersecurity program? Determine program goals first by utilizing a cyber security assessment to help uncover existing vulnerabilities within the organization. The assessment results will help position the CISO to better target the tools that fit the organization’s cyber security needs. Avoid check-the-box assessments that provide minimal information or definitions for that portion of the assessment. Develop a clear understanding of the assessment question, supported by additional text, so the reader has no doubts about their answers being relevant to the question. The last thing you want is your audience to feel like they’re driving through an unfamiliar town that has confusing, or no, traffic signs. Be sure to address risk assessment specifically. Risk is a hot-button topic that, when explained clearly regarding the organization, can help calm nerves and help tip the odds in favor of the CISO.
One of the most effective methods of gaining board acceptance is for the CISO to run the cyber security program with a business mindset. That mindset creates an attitudinal and communication link from the CISO to the board. The CISO effectively straddles the gap between the cyber security technical expert and the business, enabling them to communicate with the board in the board’s language.
Enter Cybersecurity Performance Management Maturity Mapping. Although this is not a new concept, it is one that the industry slightly misunderstands. Some can view the purpose behind the process as more a technical structure aimed at uncovering technical information. This approach will limit the capabilities of the tool. More importantly, it will limit the effectiveness of how the CISO presents information to senior leadership. The more accurate approach is to see this process with CISOs using it to run the cyber security program like a business. As such, the CISO will utilize the full capabilities of the tool and process and best position herself to speak about the current security state of the organization relative to achievable goals.
An effective cybersecurity performance management maturity mapping tool arms the CISO with accurate assessments, remediation prioritization mapping risk to business objectives, and highly effective reports designed specifically for board presentations. Imagine the impression one could make when the board sees reports, dashboards, and analytics that clearly show dynamic data visualization presented in business-speak format. Mapping the organization’s current security state to established, highly respected standards will provide convincing support to the CISO and improve the chance for board acceptance.
You can expect the board to ask about the cost of managing the cybersecurity performance management process. The CISO’s response? Automation. Present to the board how an automated management process will allow the CISO to obtain and present the most up-to-date information at a fraction of the cost of a manual system. Explain savings generated by fewer individuals involved in the process as both a money saver, in that money is not being spent on employee engagement in the process, and a moneymaker, in that those employees are providing benefits by doing other revenue-generating work.
In the last few years, a slew of highly publicized phishing and ransomware attacks have hobbled several companies and localities. Media reports of ransomware and phishing attacks have altered perceptions of risk to many organizations. Once it was acceptable to some to have “just enough” security, more and more companies are turning their attention to enhanced security protocols. Each successful attack brings increased attention to cybersecurity as the threat actors strike fear into the hearts of many a CISO and many a CEO. Those entities can only provide the confidence each entity had in their cybersecurity posture. The palpable shock felt within must have been a significant reality check.
Industries feel the ripple effect of these attacks with increasing intensity and frequency. That has not been lost on many a CISO or board member. CISO’s have said the phrase, “It’s not a matter of “if,” but “when,” in recent years, more than ever before. Companies are shoring up their cyber security posture and strengthening their defenses. In a strange twist of fate, the recent attacks have only emboldened companies to defend themselves better. It’s turned the focus of cybersecurity from a non-business to a business asset. The business goal is now changing why CISOs and boards see cybersecurity in a different light. The very nature of the spotlight on what can happen when you minimize or underfund your cybersecurity program illuminated the destruction such a position can have on a business. That is the clarion call heard by many a CISO and board member.
No longer can an effective cybersecurity program be an option. We now see cybersecurity as a requirement. And that includes an in-depth cybersecurity assessment and a robust performance management
implementation. Thankfully, more and more CISOs and board members align more closely in thinking along business lines than ever before. The “us” vs. “them” is getting tossed to the wayside in favor of an “all in” approach. Not to say that it will be easy or a given. If a price tag is involved, there will always be some give and take, and the ROI will always be a mitigating factor in business decisions. But attitudes towards these tools and processes are changing, and that’s for the betterment of our industry. We can only hope to see fewer and fewer articles debating the value of a robust cybersecurity program. Now that we have heard the call, perhaps more cybersecurity professionals will strive to make their case to utilize an effective cybersecurity assessment supporting a performance management process.