04:20 PM
Tara Seals, Managing Editor, News

CISO Shares Top Strategies to Communicate Security's Value to the Biz

In a keynote address at Black Hat Asia in Singapore this week, CISO and former NASA security engineer George Do discussed his go-to model for measuring security effectiveness - and getting others in the organization to listen.

BLACK HAT ASIA 2022 – When it comes to demonstrating the value of cybersecurity to a business, one of the biggest challenges is communicating ROI to the C-suite. The entrenched perception of security as an obstacle to productivity and other areas makes it very difficult for security engineers and nontechnical management to be on the same page.

During a keynote at Black Hat Asia this week, George Do, CISO at Gojek and GoTo Financial and former cyber-pro at NASA, tackled the problem of how to get security viewed as a valued part of the business by every department, not just the CISO's office. It starts, he said, with quantifying security effectiveness in a way the business can use.

"All your investments into security, all of your hiring, all your projects, all of the blood, sweat, and tears that security staff puts into the trenches – does any of it matter? Is it meaningful?" he asked during the presentation, entitled, "Moving the Security Needle From the Security Trenches to the Boardroom." "You have to be able to answer that" and show why.

Communications Breakdown
Security teams often have an uphill battle internally because of a lack of communication between departments. Take, for instance, the common misconception among average workers that security is there to make everyone's lives harder. Do referred to it as "ivory tower security," where the security apparatus appears to everyone else to be removed and prone to delivering a litany of "no's."

"Many of our organizations view the security team as a technical obstacle," Do said. "We are CIS-NOs, right? They think we sometimes do things in a vacuum, that we don't understand the impact of the business or at least understand, you know, the pain points the business is having. There's mistrust of the security team."

He added, "The more processes and the more gates that we set up slow down the business and add friction. We often don't weigh that heavily enough in our selection of how we're going to design something."

Another communication pitfall exists between the CISO, the CIO, and CTO. All are often dragged into the boardroom together without being on the same page, which can create the possibility for adversarial or competitive relationships. But it's vitally important for CISOs to recognize the other tech-related leaders as partners and stakeholders, Do said.

"It's not for the CISO to say, 'Hey, CIO and CTO, these are all the bad things that are going on in your organization. You need to go fix it,'" he explained. "The better idea is to partner on a presentation together to present to the board, so whatever problems we call out, there's a plan of attack, and we can communicate on how we're doing against that plan of attack."

Another important strategy is to remind board members that they have skin in the game.

"Board members have what they call fiduciary duty, meaning that if the organization gets hacked or compromised and it's found that the board members were not focusing on that risk area for the organization, they can be held liable," Do said.

Do encouraged audience members to consider the overhead with every security addition or program.

"Each logo you add to your security program will add a bit of technical debt," he explained. "You have to consider the cost to set up new processes, the man-hours, the impact on the business, [and] the cost of the product itself."

5 Key Tips for Communicating Security Effectiveness
Do also laid out a five-pronged blueprint for communicating the importance of security programs to the entire business, and how to quantify ROI.

1. Know your audience: When trying to communicate security results, it's important to use language that board members and business leaders can understand, Do pointed out. That includes using simple rules of thumb, such as avoiding jargon and acronyms.

It's also critical to understand that different stakeholders have different lenses. Security engineers may look at the number of attacks blocked by the firewall as a measure of success, while infosec managers and directors would rather know about the attacks that succeeded and whether the systems were able to detect and respond to them. Meanwhile, CISOs would be interested in finding out what could be done to prevent further breaches, while the CEO and board might be more interested in whether the organization lost money, suffered downtime, or ended up with legal liability or brand and reputation damage.

"These are all very different questions, all equally important," Do said.

2. Don't start with metrics: It may seem counterintuitive, Do said, but it's important to start with the business objectives when framing security effectiveness.

"You may be a hospital, a government agency, a commercial company; whatever you are, you have business objectives, so start with that," Do advised. "This is how we generate revenue. This is what we're providing to the industry. What are the cyber-risks to that business, given whether or not you're in the cloud, your user base, your customer base? Understanding this will inform you what the metrics should be."

3. Be quantitative: Once the metrics are defined, an organization's security road map should be aligned. That means investment in all of the projects, the products, the labor, the processes, and so on must be in service to meeting those metrics.

"The metrics should be public information, so every single team in the company knows what your goals are and that it's been signed off on. This isn't something security is cooking in the kitchen in a silo," Do noted.

It's important to measure what success means in numbers, not anecdotes or qualitative statements, Do added: "You have to be able to measure it and repeat it."

4. Remember that security is a team effort: Do pointed out that all too often, security teams take an us-against-the-world attitude – but in reality everyone has ownership in security processes, and that ownership should be communicated as such, with clear security roles and responsibilities in every department.

"Even areas like the procurement team may need to own some part of security processes, for instance," Do said. "Literally it takes a village to secure an organization, not just a security team. And in recognizing that, you can avoid the confusion over who's responsible, who's accountable, who's consulted, and who's informed. It's critically important because it sets the expectations upfront with your stakeholders on who owns what."

5. Pair empowerment with accountability: Once security roles have been determined and it's clear who's accountable for what, it's important to also empower those individuals.

"Empowered means, do I have the authority to achieve my objective of, say, patching, for example? Do I have the budget? Do I have the processes in place? Do I have the people to achieve what I'm accountable for?" Do explained.

To wrap up, Do cautioned security teams to realize that implementing these best practices will be a journey with many obstacles, but that it’s important to persevere.

"Always, without exception, all of us are dealing with some level of challenges in this paradigm, meaning the measuring of security, and how do we communicate to our board, our leadership, our owners, our shareholders, that we're moving the needle with security?" he said.

Do added, "Some organizations can turn on a dime; they can go to this model quickly. Others will take a year or more because of bureaucracy, politics, processes, whatever. But I would say don't let that detract you from pushing toward this model."
