In most organizations, the leaders of each business function are regularly asked to address some pretty basic questions, such as: What services are being provided? How much do these services cost? And what business value do these services provide?
It’s easy to get caught up in the complexities of information security, but being able to communicate effectively about what we do, how much it costs and what value it provides is about as simple as it gets. Taken together, having crisp answers to these three questions is highly effective as the elevator pitch for the leaders of any business function.
However, note that the answer to the third question in particular — what value do you provide? — is our fundamental raison d’être. Unfortunately, the leaders of the information security function commonly struggle with addressing this question, at least in a way that can be easily understood by other business leaders.
In a recent series of workshops with information security leaders, discussions about the approaches being taken to capture and communicate the answers to these three basic questions varied widely from one organization to another, as did their perceived utility and success.
The following are commonly used mechanisms that are grouped and organized here using the structure of the basic three questions:
What Do You Do?
- Assessing risks by primarily using qualitative approaches, such as low, medium and high or green, yellow and red, or so-called semi-quantitative approaches, in which qualitative estimates could be multiplied by weights that are added up to a numeric score;
- Reporting for the periodic demonstration of compliance with policies and regulatory requirements;
- The periodic validation of security controls (e.g., by auditing);
- The technical validation of security controls (e.g., by means of scanning and testing);
- Benchmarking or implementing initiatives that aim to show that controls and costs are in line with those of industry peers. This calls to mind the old story about not needing to run faster than the bear, just faster than the other people in the woods.
- Aligning with industry guidelines and frameworks, such as basing a program on the National Institute of Standards and Technology Special Publication series or the top 20 critical security controls;
- Threat intelligence and other information sharing initiatives that are focused primarily on the threat, not the risks. For example, phishing is not a threat; it is an exploit of a common vulnerability (a human). The risk is the likelihood that phishing attacks will result in successful exploits and the magnitude of the corresponding business impact if the exploits do occur.
- A wide range of governance activities, such as the processes for making decisions.
How Much Does It Cost?
- Staffing plans.
What Value Does It Provide?
- Metrics and dashboards (e.g., performance against preselected outcomes and ongoing trends).
On inspection, we can readily see that there is an awful lot of activity around describing what we’re doing but not so much around what business value it actually provides. The words of a chief executive officer friend come immediately to mind: “Let us not confuse activity with results.”
Beneficial or Boondoggle?
This insight raises the question of whether metrics and dashboards are really beneficial to communicating business value or whether they are a boondoggle — work or an activity that is wasteful or pointless but gives the appearance of having value.
Peeling back the layers on metrics, the following are a few examples for extremely common aspects of enterprise security — metrics that have been developed by a team of more than 150 experts from the government, private sector and academia and published by the Center for Internet Security:
- Mean time-to-complete changes;
- Percent of changes with security review;
- Percent of changes with security exceptions.

- Patch policy compliance;
- Patch management coverage;
- Mean time-to-patch.

- Vulnerability scan coverage;
- Percent of systems without known severe vulnerabilities;
- Mean time-to-mitigate for vulnerabilities;
- Number of known vulnerability instances.

- Mean time-to-incident-discovery;
- Incident rate;
- Percentage of incidents detected by internal controls;
- Mean time-between-incidents;
- Mean time-to-recovery.
As interesting and useful as metrics like these may be, can we all acknowledge that they are primarily describing which tasks are getting done — and perhaps how effectively these tasks are getting done — but they are not really describing the business value?
When pressed, most security leaders will acknowledge that metrics and dashboards are often received with high interest and attention when they are first introduced, but over time, they are often perpetuated merely because that’s what we do. An important insight from the workshop discussions was that the absence of questions or objections by the business leaders with whom security leaders are communicating is often mistaken for understanding, acceptance or approval. However, awareness is not understanding, silence is not approval and metrics such as these do not communicate business value.
CISOs Need to Learn How to Communicate Business Value
As discussed in “Self-Improvement Agenda for CISOs: Four Types of Business Value, Two Types of Risk,” security leaders do recognize that information security has a legitimate role in both managing unrewarded risks (e.g., addressing security and compliance requirements) and in supporting rewarded risks (e.g., enabling IT initiatives that create value for customers and ultimately help to grow the business).
While workshop participants identified risk and enablement as their two biggest challenges, these are really two sides of the same coin. Both can be addressed by learning to communicate more clearly and effectively about risk. Describing business value in terms of risk is well within the capability of virtually all CISOs, and this approach can be explored further as the conversation continues.