July 19, 2016 By Derek Brink 3 min read

This is Part 3 in our four-part series on the evolution of information security leaders. Be sure to read Part 1 and Part 2 for more information.

To get to the heart of any matter, you need to ask the right questions. Over the last few years, information security professionals are finally coming around to appreciate that “Are we secure?” is not the right question to ask in a risk analysis.

To that, the correct answer is always no. Almost everyone understands that being 100 percent secure is an unattainable objective. Security always has to be balanced against cost and convenience, and real-world users genuinely need access to applications, data, systems and networks to carry out their assigned tasks.

“How secure are we?” is not the right question either. Not that this isn’t the question that C-level decision-makers and boards of directors actually ask of their information security leaders — it absolutely is what they commonly tend to ask, verbatim. But what kind of answer could be helpful for making more informed business decisions about security-related risks?

Confusing Activities With Results

Unfortunately, the biggest problem with the question “How secure are we?” is that it tends to lead immediately to discussions about activities, work progress and budgets. This is information about what we do and what it costs, not information about delivering business value.

Make no mistake, organizations that have certain foundational capabilities in place are undoubtedly in a much stronger position to respond effectively to specific security threats, vulnerabilities and exploits as they come and go over time. For example, these capabilities may include:

  • Understanding what systems and applications are in their environment;
  • Keeping their systems, applications and networks securely configured, patched and up to date; and
  • Maintaining visibility into what’s happening in their environment and being in a position to respond quickly when something goes wrong.

But when information security leaders start responding to the question “How secure are we?” with metrics about absolute values, percentages and time, they’re reporting on activities — not on whether they are actually achieving the required results.

Managing Risks to an Acceptable Level

The singular purpose of the CISO and the information security function is to help the organization manage security-related risks to an acceptable level. Logically, it follows that the right questions in a risk analysis are along the lines of “What are our security-related risks?” and “Are we managing our security-related risks to an acceptable level?”

If we have to talk about metrics, the one metric that actually addresses the CISO’s fundamental mission is this: What’s the annualized business impact of security-related incidents, and is that being successfully managed to be within the organization’s appetite for risk? That is to say, does the total annual investment in security-related initiatives plus the total annual business impact of security-related incidents add up to less than the threshold for risk that the organization’s business decision-makers are willing to accept?

The quantified threshold for risk will vary from one organization to another, but in every case this is the cybersecurity metric that really matters.

Four Fundamental Questions Every CISO Should Be Confident in Addressing (But Most Aren’t)

In practical terms, security leaders need to help their executive-level decision-makers make better-informed decisions about risk at a slightly more granular level.

As suggested in the first part of this series, information security leaders and their teams need to interpret and translate the question “How secure are we?” into one of the following four fundamental questions about risk if they want to make a bigger and more valued contribution to their organization:

  1. What is the risk?
  2. What is the annualized risk in the specific context of our organization?
  3. How does an investment quantifiably reduce risk?
  4. How does one investment compare to another, with respect to quantifiably reducing risk?

Conducting a Risk Analysis

Any risk analysis that addresses these four questions needs to be based on the proper definition of risk, where risk is expressed in terms of both the likelihood of occurrence and the business impact if the incident actually does occur. Many security professionals are not confident in their current abilities in these areas, but this kind of analysis isn’t really as hard as it may seem.
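The following is an added example, not code from the original post or its author, that works the four questions above through the post's own definition of risk (likelihood multiplied by business impact, annualized) and its headline metric (annual investment plus annual expected impact, compared against the organization's risk appetite). All scenario figures, control names and reduction fractions are constructed assumptions for illustration only.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """Q1: a risk, stated as likelihood and business impact."""
    name: str
    events_per_year: float   # likelihood: expected incidents per year
    impact_per_event: float  # business impact per incident, in dollars


@dataclass(frozen=True)
class Investment:
    """Q3: a control with an annual cost and its assumed effect on risk."""
    name: str
    annual_cost: float
    likelihood_reduction: float = 0.0  # fraction of incidents prevented
    impact_reduction: float = 0.0      # fraction of per-incident loss avoided


def annualized_risk(s: Scenario) -> float:
    """Q2: annualized risk = likelihood x business impact."""
    return s.events_per_year * s.impact_per_event


def residual_risk(s: Scenario, inv: Investment) -> float:
    """Q3: annualized risk that remains once the investment is in place."""
    return (s.events_per_year * (1 - inv.likelihood_reduction)
            * s.impact_per_event * (1 - inv.impact_reduction))


def total_cost_of_risk(s: Scenario, inv: Investment) -> float:
    """The post's metric: annual investment plus annual expected impact."""
    return inv.annual_cost + residual_risk(s, inv)


def within_appetite(s: Scenario, inv: Investment, appetite: float) -> bool:
    """Does investment plus residual impact stay within the accepted threshold?"""
    return total_cost_of_risk(s, inv) <= appetite


def rank_investments(s: Scenario, options: list) -> list:
    """Q4: compare options by total cost of risk, lowest (best) first."""
    scored = [(o.name, total_cost_of_risk(s, o)) for o in options]
    return sorted(scored, key=lambda pair: pair[1])


# Constructed scenario (hypothetical numbers): credential-theft incidents,
# assumed at two per year with a $400,000 business impact each.
CREDENTIAL_THEFT = Scenario("credential theft", events_per_year=2.0, impact_per_event=400_000)
OPTIONS = [
    Investment("do nothing", annual_cost=0),
    Investment("MFA rollout", annual_cost=150_000, likelihood_reduction=0.8),
    Investment("incident response retainer", annual_cost=120_000, impact_reduction=0.5),
]
```

With these constructed figures the baseline annualized risk is $800,000; the MFA option brings investment plus residual impact to $310,000 and the retainer to $520,000, so only the MFA option stays within a hypothetical $350,000 appetite.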

Finally, be sure to note that being adept at addressing these four fundamental questions is consistent with the dual roles of the next-generation security leader:

  • The subject-matter expert, who can identify and understand the technical aspects of threats, vulnerabilities, exploits and technologies (question No. 1) and who can recommend context-appropriate options for reducing risk (Nos. 3 and 4); and
  • The trusted advisor, who can quantify and communicate risks properly in terms of likelihood and business impact (Nos. 1 and 2) and who can quantify and compare options for reducing risk to an acceptable level (Nos. 3 and 4).

In the fourth and final blog in this series, we’ll look at three persistent challenges that information security leaders need to learn how to overcome.
