Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

12/6/2019
10:00 AM
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

Success Enablers or Silent Killers?

These five success enablers will help CISOs report, measure, and demonstrate ROI to the C-suite.

CISOs today are challenged to report, measure, and demonstrate return on investment to the C-suite and board. CISOs must address these success enablers, because if they don't, they become silent killers. The lack of ability to report, measure, and demonstrate ROI has been keeping CISOs from a strong and enduring relationship with the C-suite.

The following is a high-level cycle of five success enablers. The first, if successfully set up, enables the second, and onward, with the last reinforcing the first.

1. Security Goals That Don't Resonate with the C-Suite and Board
We often hear: "Security is a journey, not a destination." That's a real problem for business executives because they're driven by results. They have a fiduciary duty to shareholders to get the most value from an investment. If CISOs have not established security goals that resonate with executives, there isn't a destination to showcase. In this way, security becomes a journey without a destination. Unfortunately, for CISOs that's often a journey to C-suite discontent and onward to a new organization.

CISOs should align their cyber resilience goals around business crown jewels. These are top-of-mind business assets that have executive and board-level significance and are clearly critical to business success. This way, it is crystal clear the value that security can provide and doesn't need to be supported with a regulatory and complex probabilistic impact argument.

2. A Strategy That Doesn't Clearly Interlink Height, Depth, and Breadth of Cyber Resilience
Most security strategies weakly establish the height, depth, and width of what we might call the "cyber resilience wall." This is an oversimplification in security terms but an easy way to connect with business leadership to agree on key concepts to frame impact control expectations and security costs.

Threat sophistication covers a full spectrum of capabilities — from accidental to nation-state. Commensurately, the sophistication necessary to counter them varies — as do the costs. Controls and control groups can calibrate costs to defend to various levels. And the CISO should be able to pitch cost levels of cyber resilience. Let's call this the height of the cyber resilience wall.

Not all security controls act in the same way. Some controls predict to help prioritize defences, prevent to stop/divert attacks, detect to alert responders, respond to handle attacks and impacts, and recovery to learn, recoup, and mitigate. Let's call this the depth of the wall.

The width of the cyber resilience wall is scope and coverage. Controls often don't have a firm grasp of scope (e.g., do I know where all the important data is?) and rarely achieve full coverage of known scope.

These three dimensions directly influence the business plan.

3. A Business Plan That Doesn't Provide the C-Suite with Clear Risk Appetite Choices
You buy "security" to protect against impact. You can do that by preventing the breach that leads to impact, or by handling the breach such that impact doesn't cross a line of "unacceptable" quantity. CISOs are poorly armed today to robustly justify the quantity of impact control that specific budgets can buy. And that's very frustrating for executives. Because there isn't a strong correlation between security investment and control of impact, it's easy to executives to cut budgets, or to under-budget, and not feel repercussions. This's why "risk appetite" has been so elusive.

4. Inconsistent SecOps KPIs, Metrics, and Reporting
Because most control leads and security frameworks largely focus on the technical side of security controls, they don't effectively run it like a business.

Consequently, security controls aren't measured to a core set of KPIs that accurately predict performance results. Security control KPIs are often inconsistently chosen and measured, and that leads to poorly calibrated, ineffective, inefficient controls, which often set a false sense of security, deliver weak cyber resilience results, and burn a lot of cash.

5. Inability to Show Results That Matter in a Convincing Manner
One of the best and clearest ways to show results is a well-structured set of red-team exercises.

Red teams can be particularly valuable because they can variably emulate threat sophistications and tactics, they can be multimodal (that is, cyber, physical, social), and be pace-throttled.

More importantly, they should aim at strategic security goals (with the ability to act variably and evaluate SecOps performance), robustly evaluate strategic priorities, and prove SecOps performance — down to the control and specific resources levels. In this way, red teams can be the objective rudder on the security program.

The Rodney Dangerfield Effect
If CISOs don't address these success enablers, they will have a difficult time propelling themselves to a position of appropriate influence or maintaining their position. They will then experience poor perception and traction, and frustration from executives. They may not receive the funding or resources they need, or executives won't be convinced they're delivering satisfactory results.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "10 Security 'Chestnuts' We Should Roast Over the Open Fire."

Douglas Ferguson, a security professional of over 20 years, is the founder and CTO of Pharos Security. Pharos specializes in aligning security goals and strategy to the business and a calibrated risk appetite, ensuring an integrated business plan and optimized ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Mobile Banking Malware Up 50% in First Half of 2019
Kelly Sheridan, Staff Editor, Dark Reading,  1/17/2020
Exploits Released for As-Yet Unpatched Critical Citrix Flaw
Jai Vijayan, Contributing Writer,  1/13/2020
Microsoft to Officially End Support for Windows 7, Server 2008
Kelly Sheridan, Staff Editor, Dark Reading,  1/13/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
[Just Released] How Enterprises are Attacking the Cybersecurity Problem
[Just Released] How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-7227
PUBLISHED: 2020-01-18
Westermo MRD-315 1.7.3 and 1.7.4 devices have an information disclosure vulnerability that allows an authenticated remote attacker to retrieve the source code of different functions of the web application via requests that lack certain mandatory parameters. This affects ifaces-diag.asp, system.asp, ...
CVE-2019-15625
PUBLISHED: 2020-01-18
A memory usage vulnerability exists in Trend Micro Password Manager 3.8 that could allow an attacker with access and permissions to the victim's memory processes to extract sensitive information.
CVE-2019-19696
PUBLISHED: 2020-01-18
A RootCA vulnerability found in Trend Micro Password Manager for Windows and macOS exists where the localhost.key of RootCA.crt might be improperly accessed by an unauthorized party and could be used to create malicious self-signed SSL certificates, allowing an attacker to misdirect a user to phishi...
CVE-2019-19697
PUBLISHED: 2020-01-18
An arbitrary code execution vulnerability exists in the Trend Micro Security 2019 (v15) consumer family of products which could allow an attacker to gain elevated privileges and tamper with protected services by disabling or otherwise preventing them to start. An attacker must already have administr...
CVE-2019-20357
PUBLISHED: 2020-01-18
A Persistent Arbitrary Code Execution vulnerability exists in the Trend Micro Security 2020 (v160 and 2019 (v15) consumer familiy of products which could potentially allow an attacker the ability to create a malicious program to escalate privileges and attain persistence on a vulnerable system.