Five Ways to Visualize Your Information Security Framework

Published On: August 1, 2023
Categories: Performance Management, Blog

When we think of information security frameworks, we often think of abstract documents laden with sections, sub-sections, and sub-sub-sections. Organizing frameworks in a way that makes sense to the average business consumer is daunting, but it is incumbent upon the security leader to break it down for the audience. Visualization techniques make the gap between raw information and the answers that stakeholders need much more palatable. I’m not talking about meditation, although you could try that technique. A technique I have used is to expand the components of an information security framework and map each part to your organization’s overall maturity, compare frameworks to each other, and align capital investments to maturity goals. Below I’ll provide five ways to visualize your information security framework. They are not all-encompassing, yet they offer a good starting point and have proven effective in communicating information security framework performance.

Image 1: Classic Bar Chart with Goal Lines

Once you have collected assessment data, often in the form of a maturity score based on regulatory frameworks, you are in tip-top shape to present a high-level comparison to senior leadership, stakeholders, customers, and partners. The chart above compares nine frameworks by maturity. We can quickly spot the underperforming framework, ISO 27001, and the top performer, PCI DSS. Organizations often fall under several regulatory requirements. Products shipped to Europe will fall under the jurisdiction of GDPR, while healthcare departments are subject to HIPAA laws. By comparing frameworks by maturity, the organization can quickly visualize performance across the requirements of the business, allowing it to prioritize remediation and investments. For example, card payment systems may carry more weight because card payments might be critical to the success or failure of the organization, while the ISO 27001 framework may measure the maturity of non-vital functions. By visualizing the various frameworks and the maturity of the organization’s operations, according to the business case or business unit, the CISO is equipped to recommend investments with confidence and with substance.

Image 2: Assessment Performance Overview by Framework

Security leaders can capture a snapshot of maturity by information security framework to better understand the maturity of specific business functions. We can visualize assessment data, such as the NIST CSF example assessment above, to better understand the strengths and weaknesses within a specific framework. In the “Recover” category of NIST CSF, we find a control set that falls below a critical threshold and is an ideal candidate for remediation. The security leader cannot fix what she doesn’t know about, and pinpointing the essential weaknesses is the first step to fixing them. It’s good to know the overall performance of a specific framework even if she discovers that its controls are not a priority for the business outcomes identified.

Image 3: Investment Overview by Business Objective

Business alignment is the lifeblood of any security program. With a firm understanding of how remediation efforts align with business objectives, the CISO will gain credibility even as the security function hemorrhages budget dollars. The spider chart above represents the relative investments required to meet established business objectives securely. When collecting maturity data based on an assessment, the security leader should organize and prioritize efforts in a way that is palatable to business leaders. The Sales VP should see their initiative on the objectives list and understand that the organization can only open that new sales channel securely by bringing data storage practices up to a maturity level that ensures the safety of critical customer information. The CEO should see his vision for the company’s direction reflected in every dollar spent on security. The CTO should understand that while security is a priority for software development, the CISO spends the budget only on those software initiatives that allow the product to go to market in a secure and compliant fashion while meeting time constraints. We accomplish the business’s goals by mapping the controls critical to identified business outcomes, associating the remediation investment with each, and focusing on the top business objectives first. Armed with a map of the business/security landscape, leaders can pick the low-hanging fruit and satisfy framework requirements with little to no friction from other organizational functions. The team is essentially aligning to the same outcomes and objectives in a logical view of the state of the union.

Image 4: Category Maturity Overview

When business leaders ask information security questions, they are usually asking, in one form or another, three things: Where are we today? Where do we need to be? What will it take to get there? In such a case, when you have three minutes with the board and need to give answers without waste, a maturity score for each critical category of a framework will do the job. The interaction between the CISO and the CFO goes like this: Our efforts to proactively protect our systems are our greatest challenge, while our effort to identify and monitor our systems is relatively strong. To continue improving performance, we must prioritize the systems that support the business as efficiently as possible. Last year’s budget moved the needle, but I think we can do better this year, as we have gained a better understanding of our environment. I am confident that if we continue to focus on identifying and detecting vulnerable systems, we can better protect our ability to achieve [insert business objectives here] on time.

Image 5: Cross Framework View

Finally, not all frameworks are created equal. Some contain thirty controls and processes; some have five hundred. But we can agree that once we have collected data against one framework, we should not waste time and effort collecting that same data again. To combat the evils of managing data across multiple frameworks multiple times, the CISO can map the controls that frameworks have in common and gain insights from that mapping. The chart above shows that we can visualize the controls shared between NIST CSF and PCI DSS to understand the coverage percentage. The CISO can treat the coverage percentage as quantified time savings, because it represents data she does not need to collect again. The security function can carry the shared content through to all of the visuals discussed in this blog.
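The category roll-up behind Image 4 and the cross-framework coverage behind Image 5 are simple enough to compute from one set of assessment data. The following is an added example, not code from the original post; the subcategory scores and the PCI DSS requirement labels (PCI-REQ-A etc.) are constructed placeholders, and the mapping is an illustration rather than the official PCI DSS/NIST CSF crosswalk.

```python
from collections import defaultdict
from statistics import mean

# Constructed sample assessment: NIST CSF subcategory -> maturity score (0-5).
# The scores are illustrative and not taken from any real assessment.
CSF_SCORES = {
    "ID.AM-1": 4, "ID.AM-2": 3,
    "PR.AC-1": 2, "PR.DS-1": 1,
    "DE.CM-1": 4,
    "RS.RP-1": 3,
    "RC.RP-1": 1,
}

# Constructed mapping of placeholder PCI DSS requirement labels to the CSF
# subcategories that evidence them (not the official crosswalk).
PCI_TO_CSF = {
    "PCI-REQ-A": ["ID.AM-1", "ID.AM-2"],
    "PCI-REQ-B": ["PR.AC-1"],
    "PCI-REQ-C": ["PR.DS-1", "PR.AC-1"],
    "PCI-REQ-D": [],  # no shared control: must be assessed separately
}

def category_maturity(scores):
    """Roll subcategory scores up to the CSF function (the prefix before '.')."""
    by_func = defaultdict(list)
    for ctrl, score in scores.items():
        by_func[ctrl.split(".")[0]].append(score)
    return {f: round(mean(v), 2) for f, v in by_func.items()}

def weakest_categories(scores, threshold):
    """Functions whose average maturity falls below the critical threshold."""
    return sorted(f for f, m in category_maturity(scores).items() if m < threshold)

def cross_framework_coverage(mapping, scores):
    """Return (coverage_pct, inherited_scores, uncovered_requirements).

    A requirement is covered when every mapped control was already assessed;
    it inherits the minimum of those scores, a deliberately conservative choice."""
    inherited, uncovered = {}, []
    for req, ctrls in mapping.items():
        if ctrls and all(c in scores for c in ctrls):
            inherited[req] = min(scores[c] for c in ctrls)
        else:
            uncovered.append(req)
    pct = round(100 * len(inherited) / len(mapping), 1) if mapping else 0.0
    return pct, inherited, uncovered

if __name__ == "__main__":
    print("maturity by function:", category_maturity(CSF_SCORES))
    print("below threshold 2.0:", weakest_categories(CSF_SCORES, 2.0))
    print("PCI coverage from CSF data:", cross_framework_coverage(PCI_TO_CSF, CSF_SCORES))
```

The coverage percentage is the share of the second framework's requirements that need no new data collection; the uncovered list is the remaining assessment work.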

Humans are visual creatures. We rely on our eyes more than any other sense. Let’s put all that brain power to good use by visualizing your framework. By visualizing your information security frameworks through the lens of maturity, you are better equipped to tell a story to stakeholders. Better yet, the story you tell will stick in their minds, align to common business goals, and create shared stakeholder agreement. Executive peers will consider you a business enabler, not a drag on progress. So let the business know that you are taking their goals into consideration when you decide to conduct that next information security assessment, and that you are their champion and enabler of better outcomes.