It's no secret that there is a tenuous relationship between most chief information security officers (CISOs) and their executive suite and board. The CISO is caught between a rock (cause) and a hard place (effect).
CISO-led enterprise security programs are intended to protect against security breaches. Executives have a duty to protect the business from unacceptable impacts, but they are rarely, if ever, presented with quantifiable, data-driven security strategies and action plans that tie a specific budget to control over specific breach outcomes and their associated impacts.
This exposes executives to external challengers — including investors, insurers, opposing legal counsel, regulators, and customers — regarding enterprise cyber-risk exposure. But these are not the only challengers. Internally, CISOs compete for limited funds against the rest of the business in an opportunity-cost war, and they are in battle with functions that deliver a much more obvious return on investment.
Setting Cyber-Risk Expectations
To meet these challenges, a security plan should set an expectation of the level of cyber-risk outcomes for a given budget. This not only sets expectations for that spend; should the business cut or increase the budget, the CISO can also demonstrate the resulting change in cyber-risk exposure.
The purpose of a security program is to provide a stated degree of confidence in protection against security breaches. The issue is not so much whether executives believe the business should be protected against advanced threats (such as nation states); it is that they lack credible information on whether the far more numerous, less sophisticated threats can breach the business and cause unacceptable impact. A security program should be able to assure a defined level of cyber-risk exposure.
Justifying the Economics of Risk Reduction
In general, operational leaders (the heads of marketing, sales, IT, and so on) are expected to justify investment in an enterprise-wide capability. They are doing well if they can demonstrate a return, and doing very well if they can show a strong one. These are basic business economics that no business leader can, or should, escape.
CISOs have effectively isolated themselves from the business by working from strategic principles that do not align with executive doctrine. Historically, security strategy has been driven by vulnerability chasing, threat detection, framework compliance and, more recently, risk calculation. These approaches have been either too narrow or far too abstract to connect with executives.
Taking a Security-Economic Approach
Can CISOs move into what might be called the security-economic era? Everything in business sits on a cost-versus-reward slider. Executive satisfaction typically rises when you demonstrate a better return on an investment, and positive outcomes are often determined by how well expectations are set at the start. How can CISOs expect executives to be satisfied with their work if they never set an expectation of a result? Most CISOs remain fixated on what they do (or want to do) rather than on what breach-impact outcome they can control for a given amount of budget.
If CISOs want to better set expectations with executives, they need to take a security-economic approach that answers these questions:
- What are we focusing protection on — and is this justified?
- What levels and types of protection can we provide and at what costs?
- Do we have realistic plans to deliver those levels of protection?
- Can we manage and track our development and operations to ensure cost-efficiency?
- Can our results be independently verified?
By framing security this way, risk appetite becomes clear in the most meaningful way, based on the willingness to balance spend against potential risk outcomes. In this framework, risk is upfront, as are the options relative to spending and security posture. Ambiguity around security spending is gone, and the ultimate decision about business priorities and risk appetite is where it should be, with the executive suite.
When buying many things in life, you are faced with options of size and quality. A security program is no different: its size is how many assets are under control (protection), and its quality is the level of that protection (the level of threat sophistication that can still cause unacceptable impact, versus the level that is deemed acceptable).
By giving executives plans with sliders that vary size and quality, you give them choices. These choices show how much budget must be allocated to receive each level of protection or, conversely, each level of cyber-risk exposure. The CISO is not accountable for the exposure that comes with the options executives choose not to fund.
A CISO who plans and delivers this way is in line with other business leaders and can be viewed as a leader at that level. If CISOs feel they do not get enough respect or are not heard, it may be because they are not presenting risk/reward analysis the way their C-suite peers do.
It is time for CISOs to move out from between the rock and the hard place and become the modern security-economic CISO. That earns a seat at the executive and board table, not because they can see board-level problems, but because they can cost-effectively solve them.