5/13/2022
04:20 PM
Tara Seals, Managing Editor, News

CISO Shares Top Strategies to Communicate Security's Value to the Biz

In a keynote address at Black Hat Asia in Singapore this week, CISO and former NASA security engineer George Do discussed his go-to model for measuring security effectiveness - and getting others in the organization to listen.

BLACK HAT ASIA 2022 – When it comes to demonstrating the value of cybersecurity to a business, one of the biggest challenges is communicating ROI to the C-suite. The entrenched perception of security as an obstacle to productivity and other areas makes it very difficult for security engineers and nontechnical management to be on the same page.

During a keynote at Black Hat Asia this week, George Do, CISO at Gojek and GoTo Financial and former cyber-pro at NASA, tackled the problem of how to encourage security to be viewed as a valued part of the business for all departments, not just the CISO's office. It starts, he said, with quantifying security effectiveness.

"All your investments into security, all of your hiring, all your projects, all of the blood, sweat, and tears that security staff puts into the trenches – does any of it matter? Is it meaningful?" he asked during the presentation, entitled, "Moving the Security Needle From the Security Trenches to the Boardroom." "You have to be able to answer that" and show why.

Communications Breakdown
Security teams often have an uphill battle internally because of a lack of communication between departments. Take, for instance, the common misconception among average workers that security is there to make everyone's lives harder. Do referred to it as "ivory tower security," where the security apparatus appears to everyone else to be removed and prone to delivering a litany of "no's."

"Many of our organizations view the security team as a technical obstacle," Do said. "We are CIS-NOs, right? They think we sometimes do things in a vacuum, that we don't understand the impact of the business or at least understand, you know, the pain points the business is having. There's mistrust of the security team."

He added, "The more processes and the more gates that we set up slow down the business and add friction. We often don't weigh that heavily enough in our selection of how we're going to design something."

Another communication pitfall exists between the CISO, the CIO, and the CTO. All three are often dragged into the boardroom together without being on the same page, which can create adversarial or competitive relationships. But it's vitally important for CISOs to recognize the other tech-related leaders as partners and stakeholders, Do said.

"It's not for the CISO to say, 'Hey, CIO and CTO, these are all the bad things that are going on in your organization. You need to go fix it,'" he explained. "The better idea is to partner on a presentation together to present to the board, so whatever problems we call out, there's a plan of attack, and we can communicate on how we're doing against that plan of attack."

Another important strategy is to remind board members that they have skin in the game.

"Board members have what they call fiduciary duty, meaning that if the organization gets hacked or compromised and it's found that the board members were not focusing on that risk area for the organization, they can be held liable," Do said.

Do encouraged audience members to consider the overhead with every security addition or program.

"Each logo you add to your security program will add a bit of technical debt," he explained. "You have to consider the cost to set up new processes, the man-hours, the impact on the business, [and] the cost of the product itself."

5 Key Tips for Communicating Security Effectiveness
Do also laid out a five-pronged blueprint for communicating the importance of security programs to the entire business, and how to quantify ROI.

1. Know your audience: When trying to communicate security results, it's important to use language that board members and business leaders can understand, Do pointed out. That includes using simple rules of thumb, such as avoiding jargon and acronyms.

It's also critical to understand that different stakeholders have different lenses. Security engineers may look at the number of attacks that were blocked by the firewall as a measure of success, while infosec managers and directors would rather know about the successful attacks and whether the systems were able to detect and respond to those attacks. Meanwhile, CISOs would be interested in finding out what could be done to prevent further breaches, while the CEO and board might be more interested in whether the organization lost money, suffered downtime, or ended up with legal liability or brand and reputation damage.

"These are all very different questions, all equally important," Do said.

2. Don't start with metrics: It may seem counterintuitive, Do said, but it's important to start with the business objectives when framing security effectiveness.

"You may be a hospital, a government agency, a commercial company; whatever you are, you have business objectives, so start with that," Do advised. "This is how we generate revenue. This is what we're providing to the industry. What are the cyber-risks to that business, given whether or not you're in the cloud, your user base, your customer base? Understanding this will inform you what the metrics should be."

3. Be quantitative: Once the metrics are defined, an organization's security road map should be aligned. That means investment in all of the projects, the products, the labor, the processes, and so on must be in service to meeting those metrics.

"The metrics should be public information, so every single team in the company knows what your goals are and that it's been signed off on. This isn't something security is cooking in the kitchen in a silo," Do noted.

It's important to measure what success means in numbers, not anecdotes or qualitative statements, Do added: "You have to be able to measure it and repeat it."

4. Remember that security is a team effort: Do pointed out that all too often, security teams take an us-against-the-world attitude – but in reality everyone has ownership in security processes, and this should be communicated as such, with clear responsibilities and roles for security in every department.

"Even areas like the procurement team may need to own some part of security processes, for instance," Do said. "Literally it takes a village to secure an organization, not just a security team. And in recognizing that, you can avoid the confusion over who's responsible, who's accountable, who's consulted, and who's informed. It's critically important because it sets the expectations upfront with your stakeholders on who owns what."

5. Pair empowerment with accountability: Once security roles have been determined and it's clear who's accountable for what, it's important to also empower those individuals.

"Empowered means, do I have the authority to achieve my objective of, say, patching, for example? Do I have the budget? Do I have the processes in place? Do I have the people to achieve what I'm accountable for?" Do explained.

To wrap up, Do cautioned security teams that implementing these best practices will be a journey with many obstacles, but that it's important to persevere.

"Always, without exception, all of us are dealing with some level of challenges in this paradigm, meaning the measuring of security, and how do we communicate to our board, our leadership, our owners, our shareholders, that we're moving the needle with security?" he said.

Do added, "Some organizations can turn on a dime; they can go to this model quickly. Others will take a year or more because of bureaucracy, politics, processes, whatever. But I would say don't let that detract you from pushing toward this model."
