A series of workshops with information security leaders from well-known organizations at the NG Security U.S. Summit in December 2014 uncovered some valuable insights that can help chief information security officers (CISOs) drive a self-improvement agenda for their enterprise security teams in the year ahead.
What Is the Business Value of Information Security?
The workshops began with a simple but essential question: What value do CISOs believe their information security programs provide to their respective organizations? The business value of information security is always expressed in one of four high-level categories: enablement, risk, compliance and cost. As expected, group discussions touched on all four of these traditional categories for business value. Like the leaders of any business function, CISOs are regularly asked to address some pretty basic questions with the organization’s C-level leadership. What do you do? How much does it cost? What value does it provide? Answering these questions is how CISOs become and remain relevant.
How Is Business Value of Information Security Communicated?
Approaches to communicating business value varied widely from one organization to another, as did their perceived utility and success. The mechanisms mentioned included the following:
- Budgeting;
- Benchmarking;
- Risk modeling;
- Reporting for the periodic demonstration of compliance;
- Metrics and dashboards of performance against preselected outcomes and ongoing trends;
- Technical validation of security controls by means of scanning and testing;
- Threat intelligence and other information sharing initiatives to track the security threat landscape;
- Governance activities.
One important insight from the workshop discussions was that the absence of questions or objections from business leaders with which security leaders are communicating is often mistaken for understanding, acceptance or approval. However, awareness is not understanding, and silence is not approval.
Successes and Gaps in Providing and Communicating the Business Value of Information Security
Another important point from the workshops is that security professionals are very good at communicating the things that are important but not necessarily strategic (compliance and cost). However, they are not always so good at communicating the things that are highly strategic (enablement and risk). It’s important to understand the difference between whether something is strategic or merely important. An activity can be important to the business, but it may not be strategic; for example, every company needs to have a payroll system, but having a payroll system is not how a company differentiates itself from its competitors and delivers value to its customers.
With this in mind, a second insight from the workshops came from placing the four categories of business value provided by information security in a simple two-by-two matrix, with the strategic business value of each category on the y-axis and the effectiveness with which it is communicated on the x-axis. In plain language, security leaders need to communicate more effectively about the things that matter most.
For example, we are very effective at communicating about things that are important but don’t have any high strategic value, such as compliance and cost, which participants placed in the lower-right corner. When it comes to the things that have high strategic importance to the organization — such as enablement and risk, which participants placed in the upper-left corner — we currently aren’t very effective.
Obviously, we want to move the latter from the upper-left to the upper-right over time.
Top Challenges for a Self-Improvement Agenda
Unsurprisingly, workshop participants identified risk and enablement as their biggest challenges, along with enhanced visibility, which makes a positive contribution to both. For several examples of the initiatives that are being implemented or considered to help improve these three areas, the full research report, titled “Flash Forward: Self-Improvement Agenda for Security Leaders,” is freely available.
Perhaps the most important takeaway from these workshops is the confirmation that the next generation of security leaders needs to bridge the gap between technology and business. Deliberate, continued progress down this path should be part of the self-improvement agenda that CISOs set for their organization for 2015 and beyond.
VP & Research Fellow, IT Security and IT GRC, Aberdeen Group