The Shifting Debate Around Security Metrics
By JC Gaillard
Driving security transformation is becoming key; not justifying investments
The age-long debate around security metrics and dashboards seems very much alive within the CISO community. But it is often positioned in an outdated historical perspective.
For many CISOs, it seems to be still about “justifying investments” or articulating some form of “return on security investment”.
For CIOs and many other C-level executives, those ships sailed long ago. The large-scale cyber attacks and data breaches of the past decade, coupled with the change in privacy regulation they triggered, have put cyber risk on the Board’s agenda and the “When, Not If” paradigm resonates with many board members.
On security matters, “Tell me how much we need to spend” or “Are we spending enough” have become more common questions around the boardroom than “Why do you want to spend so much” …
So why are we still hearing some form of disconnect between the CISO and their bosses on the topic?
Trust is at the heart of the problem here, and the nature of the relationship between the CISO and their boss.
Many CIOs don’t have any problem justifying security investments in the face of non-stop cyberattacks. But they know as well that it is getting things done that will protect the firm, not just committing budgetary resources, so the CIO asking the CISO “show me what return we will get for such investment” is sometimes a way of saying something else:
- I don’t understand why you want to do this
- I am not sure this is the right thing to do
- I don’t think you will deliver it on any meaningful scale
It is often a challenge that is born out of some form of distrust. In our experience, where there is complete and total commonality of views between the CISO and their boss around what needs to be done on security, and full trust around the execution of a common security roadmap, those issues don’t arise and the question of “return on security investments” is never asked.
The debate around security metrics – like the whole approach to building and managing a successful security practice – needs to shift from a short-termist project-driven approach, to a long-termist roadmap-driven one.
In such context, you mainly need metrics upstream, to build and sell the long-term security roadmap: Those have to be rooted in the reality of the challenges the firm is facing and backed against a sound appreciation of the threats it faces.
Security measures – and the associated investments they require – will protect the firm from real and active threats. Their implementation will modify the cyber risk, or cyber maturity, or cyber compliance posture of the organization (depending on what the main drivers are at the executive level). That’s what the associated metrics need to capture and show.
They can be assessment-based metrics but need to be linkable to actual actions, and the methodology must reflect where necessary – in particular in relation to third-parties – the lack of availability or reliability of assessment data.
Visualization is also a key factor: …read more
Read more here:: B2CMarketingInsider