12/6/2019
10:00 AM

Success Enablers or Silent Killers?

These five success enablers will help CISOs report, measure, and demonstrate ROI to the C-suite.

CISOs today are challenged to report, measure, and demonstrate return on investment to the C-suite and board. CISOs must address these success enablers, because if they don't, they become silent killers. The lack of ability to report, measure, and demonstrate ROI has been keeping CISOs from a strong and enduring relationship with the C-suite.

The following is a high-level cycle of five success enablers. The first, if successfully set up, enables the second, and onward, with the last reinforcing the first.

1. Security Goals That Don't Resonate with the C-Suite and Board
We often hear: "Security is a journey, not a destination." That's a real problem for business executives because they're driven by results. They have a fiduciary duty to shareholders to get the most value from an investment. If CISOs have not established security goals that resonate with executives, there isn't a destination to showcase. In this way, security becomes a journey without a destination. Unfortunately, for CISOs that's often a journey to C-suite discontent and onward to a new organization.

CISOs should align their cyber resilience goals around business crown jewels. These are top-of-mind business assets that have executive and board-level significance and are clearly critical to business success. This way, the value that security can provide is crystal clear and doesn't need to be supported with a regulatory and complex probabilistic impact argument.

2. A Strategy That Doesn't Clearly Interlink Height, Depth, and Breadth of Cyber Resilience
Most security strategies weakly establish the height, depth, and width of what we might call the "cyber resilience wall." This is an oversimplification in security terms but an easy way to connect with business leadership to agree on key concepts to frame impact control expectations and security costs.

Threat sophistication covers a full spectrum of capabilities — from accidental to nation-state. Commensurately, the sophistication necessary to counter them varies — as do the costs. Controls and control groups can calibrate costs to defend to various levels. And the CISO should be able to pitch cost levels of cyber resilience. Let's call this the height of the cyber resilience wall.

Not all security controls act in the same way. Controls variously predict (to help prioritize defences), prevent (to stop or divert attacks), detect (to alert responders), respond (to handle attacks and impacts), and recover (to learn, recoup, and mitigate). Let's call this the depth of the wall.

The width of the cyber resilience wall is scope and coverage. Controls often don't have a firm grasp of scope (e.g., do I know where all the important data is?) and rarely achieve full coverage of known scope.

These three dimensions directly influence the business plan.

3. A Business Plan That Doesn't Provide the C-Suite with Clear Risk Appetite Choices
You buy "security" to protect against impact. You can do that by preventing the breach that leads to impact, or by handling the breach such that impact doesn't cross a line of "unacceptable" quantity. CISOs are poorly armed today to robustly justify the quantity of impact control that specific budgets can buy. And that's very frustrating for executives. Because there isn't a strong correlation between security investment and control of impact, it's easy for executives to cut budgets, or to under-budget, and not feel repercussions. This is why "risk appetite" has been so elusive.

4. Inconsistent SecOps KPIs, Metrics, and Reporting
Because most control leads and security frameworks largely focus on the technical side of security controls, they don't effectively run it like a business.

Consequently, security controls aren't measured to a core set of KPIs that accurately predict performance results. Security control KPIs are often inconsistently chosen and measured, and that leads to poorly calibrated, ineffective, inefficient controls, which often set a false sense of security, deliver weak cyber resilience results, and burn a lot of cash.

5. Inability to Show Results That Matter in a Convincing Manner
One of the best and clearest ways to show results is a well-structured set of red-team exercises.

Red teams can be particularly valuable because they can variably emulate threat sophistications and tactics, they can be multimodal (that is, cyber, physical, social), and they can be pace-throttled.

More importantly, they should aim at strategic security goals (with the ability to act variably and evaluate SecOps performance), robustly evaluate strategic priorities, and prove SecOps performance — down to the control and specific resources levels. In this way, red teams can be the objective rudder on the security program.

The Rodney Dangerfield Effect
If CISOs don't address these success enablers, they will have a difficult time propelling themselves to a position of appropriate influence or maintaining their position. They will then experience poor perception and traction, and frustration from executives. They may not receive the funding or resources they need, or executives won't be convinced they're delivering satisfactory results.

Douglas Ferguson, a security professional of over 20 years, is the founder and CTO of Pharos Security. Pharos specializes in aligning security goals and strategy to the business and a calibrated risk appetite, ensuring an integrated business plan and optimized ...