How to Measure Cybersecurity — A CISO’s Story

This post was contributed by Josh Bruyning, Cybersecurity Solutions Engineer at TrustMAPP

You’re a new security leader, congrats! You have six weeks to present a roadmap to the board of directors. When you walk into a boardroom, the only thing your peers and stakeholders want to know about what you submit is how much it will cost, second to whether it will increase revenue. As a security leader, your job at that moment is to roll up your controls into a neat roadmap with associated dollar amounts in terms of one-time capital costs, ongoing costs, and labor cost in terms of hours or dollar amounts. Did I mention that you have one week to prepare? Go!

As much as this scenario seems farfetched, I know a CISO who was in that very situation and faced the pressure of his new responsibilities. He did not panic. He did not furiously assess the security posture of his organization in an inept attempt to appraise his army of controls by hand. He automated the process.

In the world of technology, there is a tool for everything, and automating costs is no different. The CISO found the right solution with a combination of recommendations and expenses tied to every vulnerability. In a simple set of steps, he assessed his environment, checking the maturity of every control. For example, “How effective is your implementation of MFA?” He answered, “computer, on a scale of zero to five, I would give it a three. My MFA is implemented but not fully optimized for remote endpoints.” Of course, he did not speak to the computer, but the software captured that idea with one click. The system automatically said, “At a maturity level of three, you have some work to do. For a company with one thousand employees, the one-time capital cost will be $X, the operational cost will be $Y, and you will need to dedicate Z hours.”

The system was smart enough not to give labor costs in dollars because although this super software is incredible, it could not possibly know what our CISO paid his staff.

The CISO clicked away, and in forty-five minutes, he knew the maturity posture of his new organization and the magnitude of effort he needed to communicate to his peers and the board of directors. The day came, and, in a concise delivery, he reported that although they were at the beginning of their journey, it was feasible to achieve their goals. He outlined each goal area and its associated cost. All present parties accepted the analysis of the CISO and appreciated the brevity of his presentation.

You might say there is no such miracle software, but there is. TrustMAPP allows security leaders to assess the security posture of their organizations and produce recommendations to get from one level of maturity to another. Before TrustMAPP, Secure Digital Solutions was a consulting firm established by Chad Boeckmann, now CEO of TrustMAPP. Chad created a cost engine with the help of world-class CISOs (I will not mention them, but you’d know their names). With

Allan Alford as CISO of TrustMAPP and his team of security and industry experts, that engine grows every day.

Small, medium and large organizations enjoy costs and recommendations tailored to them. Although estimates by some of the most experienced CISOs in the industry today, these associated costs are still estimates. If there is an error, they err on the upper limits of cost estimates, so security leaders are not running back to the board for a bigger budget. Better to have too much than too little. With costs at the ready, roadmap in hand, and executive approval, imagine how much you can get done in a relatively short amount of time. Moreover, a hidden cost, rather a hidden cost-saving, lurks in the backdrop. The CISO accomplished, if done correctly, six to ten weeks of work in one week. How much is that worth?