BLACK HAT ASIA 2022 – When it comes to demonstrating the value of cybersecurity to a business, one of the biggest challenges is communicating ROI to the C-suite. The entrenched perception of security as an obstacle to productivity and other areas makes it very difficult for security engineers and nontechnical management to be on the same page.
During a keynote at Black Hat Asia this week, George Do, CISO at Gojek and GoTo Financial and former cyber-pro at NASA, tackled the problem of how to encourage security to be viewed as a valued part of the business for all departments, not just the CISO's office. It starts, he said, with quantifying that security effectively.
"All your investments into security, all of your hiring, all your projects, all of the blood, sweat, and tears that security staff puts into the trenches – does any of it matter? Is it meaningful?" he asked during the presentation, entitled, "Moving the Security Needle From the Security Trenches to the Boardroom." "You have to be able to answer that" and show why.
Security teams often have an uphill battle internally because of a lack of communication between departments. Take, for instance, the common misconception among average workers that security is there to make everyone's lives harder. Do referred to it as "ivory tower security," where the security apparatus appears to everyone else to be removed and prone to delivering a litany of "no's."
"Many of our organizations view the security team as a technical obstacle," Do said. "We are CIS-NOs, right? They think we sometimes do things in a vacuum, that we don't understand the impact of the business or at least understand, you know, the pain points the business is having. There's mistrust of the security team."
He added, "The more processes and the more gates that we set up slow down the business and add friction. We often don't weigh that heavily enough in our selection of how we're going to design something."
Another communication pitfall exists between the CISO, the CIO, and the CTO. All are often dragged into the boardroom together without being on the same page, which can create the possibility for adversarial or competitive relationships. But it's vitally important for CISOs to recognize the other tech-related leaders as partners and stakeholders, Do said.
"It's not for the CISO to say, 'Hey, CIO and CTO, these are all the bad things that are going on in your organization. You need to go fix it,'" he explained. "The better idea is to partner on a presentation together to present to the board, so whatever problems we call out, there's a plan of attack, and we can communicate on how we're doing against that plan of attack."
Another important strategy is to remind board members that they have skin in the game.
"Board members have what they call fiduciary duty, meaning that if the organization gets hacked or compromised and it's found that the board members were not focusing on that risk area for the organization, they can be held liable," Do said.
Do encouraged audience members to consider the overhead with every security addition or program.
"Each logo you add to your security program will add a bit of technical debt," he explained. "You have to consider the cost to set up new processes, the man-hours, the impact on the business, [and] the cost of the product itself."
5 Key Tips for Communicating Security Effectiveness
Do also laid out a five-pronged blueprint for communicating the importance of security programs to the entire business, and how to quantify ROI.
1. Know your audience: When trying to communicate security results, it's important to use language that board members and business leaders can understand, Do pointed out. That includes using simple rules of thumb, such as avoiding jargon and acronyms.
It's also critical to understand that different stakeholders have different lenses. Security engineers may look at the number of attacks that were blocked by the firewall as a measure of success, while infosec managers and directors would rather know about the successful attacks and whether the systems were able to detect and respond to those attacks. Meantime, CISOs would be interested in finding out what could be done to prevent further breaches, while the CEO and board might be more interested in whether the organization lost money, suffered downtime, or ended up with legal liability or brand and reputation damage.
"These are all very different questions, all equally important," Do said.
2. Don't start with metrics: It may seem counterintuitive, Do said, but it's important to start with the business objectives when framing security effectiveness.
"You may be a hospital, a government agency, a commercial company; whatever you are, you have business objectives, so start with that," Do advised. "This is how we generate revenue. This is what we're providing to the industry. What are the cyber-risks to that business, given whether or not you're in the cloud, your user base, your customer base? Understanding this will inform you what the metrics should be."
3. Be quantitative: Once the metrics are defined, an organization's security road map should be aligned. That means investment in all of the projects, the products, the labor, the processes, and so on must be in service to meeting those metrics.
"The metrics should be public information, so every single team in the company knows what your goals are and that it's been signed off on. This isn't something security is cooking in the kitchen in a silo," Do noted.
It's important to measure what success means in numbers, not anecdotes or qualitative statements, Do added: "You have to be able to measure it and repeat it."
4. Remember that security is a team effort: Do pointed out that all too often, security teams take an us-against-the-world attitude. In reality, everyone has ownership in security processes, and this should be communicated as such, with clear roles and responsibilities for security in every department.
"Even areas like the procurement team may need to own some part of security processes, for instance," Do said. "Literally it takes a village to secure an organization, not just a security team. And in recognizing that, you can avoid the confusion over who's responsible, who's accountable, who's consulted, and who's informed. It's critically important because it sets the expectations upfront with your stakeholders on who owns what."
5. Pair empowerment with accountability: Once security roles have been determined and it's clear who's accountable for what, it's important to also empower those individuals.
"Empowered means, do I have the authority to achieve my objective of, say, patching, for example? Do I have the budget? Do I have the processes in place? Do I have the people to achieve what I'm accountable for?" Do explained.
To wrap up, Do cautioned security teams to realize that implementing these best practices will be a journey with many obstacles, but that it's important to persevere.
"Always, without exception, all of us are dealing with some level of challenges in this paradigm, meaning the measuring of security, and how do we communicate to our board, our leadership, our owners, our shareholders, that we're moving the needle with security?" he said.
Do added, "Some organizations can turn on a dime; they can go to this model quickly. Others will take a year or more because of bureaucracy, politics, processes, whatever. But I would say don't let that detract you from pushing toward this model."