This is Part 2 in our six-part series on creating a strategy map for security leaders. Read Part 1 here.
The first row of our strategy map for security leaders is about the question that security professionals seem to struggle with the most: What value do you provide?
Confusing Activity With Results
Part of the problem is simply the way we have all come to talk with one another in society. For example, when we meet someone for the first time, it’s only natural to ask, “What do you do?” And it’s only natural that they respond with some variation of their role or job title: “I’m a researcher”; “I teach math”; “I sell enterprise software”; and “I’m the chief information security officer at company X.”
Inquire further, and this new acquaintance is likely to respond with more detail about his or her activities at work. But activity is not synonymous with value. Activity may be the means by which value is created, but the activity itself is not the answer to the extremely relevant business question: What value do you provide?
This confusion of activity with results is why many security professionals mistakenly try to associate metrics initiatives (i.e., a dashboard of performance against preselected outcomes and ongoing trends) and reporting initiatives (i.e., the periodic demonstration of compliance to auditors) — both of which should really be thought of as work progress — with the value that they are providing to the organization. Work progress is important, but it does not represent value.
As noted in “Self-Improvement Agenda for CISOs: What Is Top of Mind for 2015?,” security leaders reported that they feel they are highly effective at communicating things that are important but have limited strategic value — for example, compliance and cost.
For the things that have high strategic importance to the organization, however — such as managing security-related risks or enabling new business initiatives — they feel they are currently much less effective at communicating than they would like to be. It seems obvious that focusing on those strategic outcomes and communicating them more effectively is the key to providing value and remaining relevant.
A Proper Understanding of Risk
A second problem is that a surprising number of security professionals don’t really have an accurate understanding of risk. Here are four specific aspects of risk that warrant an honest reality check.
Definition of Risk
There’s no controversy or disagreement about the proper definition of risk; it’s just that we often don’t use it properly! Risk is the likelihood of something occurring and the business impact if that thing actually does occur. If we’re not talking in terms of likelihood and business impact, we’re not really talking in terms of risk.
Language of Risk
We all do it from time to time, but highly technical people seem especially prone to using the terms threats, vulnerabilities and exploits as synonyms for risk. For example, is phishing a risk? No, it isn’t; phishing is an exploit. Specifically, phishing exploits a vulnerability, and that vulnerability is the human user.
In this situation, what business leaders need to know from their information security team is how likely it is that the organization’s users will fall victim to a phishing attack and what the business impact of a successful phishing attack is estimated to be.
Response to Risk
Not all risks need to be addressed. Some risks may be accepted; some risks may be ignored, which is another form of acceptance; some risks may be transferred to other parties; and some risks may be managed to an acceptable level through an investment in a mix of technical, administrative and physical controls.
A great many security professionals firmly believe in their hearts — mistakenly — that the fundamental objective of information security is to counter all threats, remediate all vulnerabilities and eliminate all risks. The goal is not to implement the best possible security. On the contrary, the goal is to take steps to reduce security-related risks to an acceptable level.
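The three points above (risk as likelihood and impact, phishing stated in those terms, and response as accept, transfer or mitigate to an acceptable level) can be worked through as a small risk-treatment calculation. This is an added example, not the Aberdeen Group's model; the risk appetite, the phishing likelihood and impact, and the control costs and reduction factors are all constructed values.

```python
from dataclasses import dataclass

# Constructed risk appetite: the most expected annual loss tolerated per scenario.
APPETITE = 250_000.0

@dataclass(frozen=True)
class Risk:
    """A risk stated the way the article defines it: likelihood and business impact."""
    scenario: str
    likelihood: float  # probability the event occurs within a year (0..1)
    impact: float      # estimated business impact of one occurrence, in dollars

    def expected_loss(self) -> float:
        return self.likelihood * self.impact

@dataclass(frozen=True)
class Control:
    """A treatment option: yearly cost plus the fraction it removes from likelihood or impact."""
    name: str
    annual_cost: float
    likelihood_reduction: float = 0.0
    impact_reduction: float = 0.0

    def apply(self, risk: Risk) -> Risk:
        return Risk(risk.scenario,
                    risk.likelihood * (1 - self.likelihood_reduction),
                    risk.impact * (1 - self.impact_reduction))

def choose_response(risk: Risk, controls, appetite: float = APPETITE):
    """Return (response, control name or None, total annual cost of that choice).
    'accept'   : inherent expected loss is already within appetite, spend nothing
    'mitigate' : cheapest control that brings expected loss within appetite
    'escalate' : no single control gets there; transfer it or revisit the appetite
    """
    if risk.expected_loss() <= appetite:
        return ("accept", None, risk.expected_loss())
    within = []
    for c in controls:
        residual = c.apply(risk).expected_loss()
        if residual <= appetite:
            within.append((residual + c.annual_cost, c.name))
    if not within:
        return ("escalate", None, risk.expected_loss())
    total, name = min(within)
    return ("mitigate", name, total)

# Constructed phishing scenario: the human user is the vulnerability, so the inputs
# the business needs are how likely users are to fall victim and what that would cost.
PHISHING = Risk("staff credential phishing", likelihood=0.6, impact=500_000.0)
OPTIONS = [Control("awareness training", 40_000.0, likelihood_reduction=0.4),
           Control("phishing-resistant MFA", 60_000.0, impact_reduction=0.7)]
```

With these numbers the inherent expected loss (300,000) exceeds the appetite, and the cheapest option that gets within it is the impact-reducing control rather than the one that only lowers likelihood, which is the kind of trade-off the "acceptable level" framing asks a security leader to present.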
Types of Risk
Not all risk is bad. In fact, business leaders routinely pursue positive or rewarded risks, day in and day out, by making business decisions such as launching a new product line, entering a new market, acquiring a new company, investing in a new technology initiative and so on.
As discussed in “Self Improvement Agenda for CISOs: Four Types of Business Value, Two Types of Risk,” the unrewarded risks of security and compliance have to do with defending assets, minimizing downside and protecting value. Rewarded risks have to do with enabling assets, maximizing upside and creating value. The key point is that both rewarded and unrewarded risks have to do with making decisions and allocating resources in the face of uncertainty. For many rewarded risks, information security has an important role to play as an essential enabler.
The Value of Information Security: Addressing Security-Related Risks With a Strategy Map
With these important clarifications in mind, the answer to information security’s existential question is actually pretty straightforward: The value of information security is to help the organization address its security-related risks.
On the strategy map for security leaders, this is explicitly represented in two parts — manage unrewarded risks and enable rewarded risks — to give equal emphasis to both the traditional, technology-oriented mindset of security professionals and the emerging business-oriented mindset of the next-generation CISO.
VP & Research Fellow, IT Security and IT GRC, Aberdeen Group