The Information Security Leader, Part 4: Three Persistent Challenges for CISOs
In the movie “Indiana Jones and the Last Crusade,” Indiana Jones and his father, Professor Henry Jones, must overcome three cryptic challenges to finally come face-to-face with the Holy Grail. The keys to meeting these challenges involve a disparate set of skills: humility, intelligence, commitment and, ultimately, the ability to make a well-informed, risk-based decision.
Three Challenges for CISOs
The challenges for CISOs in today’s business climate likewise require a disparate set of skills. For those aspiring to attain — or remain in — the holy grail of an information security leadership position, they and their teams must make some important changes in three specific dimensions:
- CISOs and their teams must embody two distinct roles: subject matter experts in the technical aspects of cybersecurity and trusted advisers in making recommendations about security-related risks.
- CISOs and their teams need to become confident in addressing four fundamental questions about security-related risks to help guide executive-level discussions toward making better-informed business decisions about managing risks to an acceptable level, as opposed to providing the executives with updates of tactical metrics having to do with security’s activities, work progress and operational costs.
- CISOs and their teams need to learn how to overcome three persistent challenges in identifying, assessing and communicating effectively about security-related risks.
Once they achieve these objectives, CISOs and their teams, like Indiana Jones and his father, can hope to hear from the guardian of the grail: “you have chosen … wisely.”
A Language Challenge
A surprising percentage of information security professionals lack an accurate understanding of risk, in spite of the fact that risk is the very reason for the existence of the business function called information security.
Here are five specific aspects of risk that warrant taking an honest reality check:
- Definition of risk;
- Language of risk;
- Responses to risk;
- Types of risk; and
- Ownership of risk.
One of the critical capabilities for successful, new-school CISOs is a clear distinction between the governance of the business function called information security and the management of security-related people, processes and technologies. In general, new-school leaders are increasing their focus on security governance while simultaneously getting out of the hands-on, operational aspects of security management.
Even so, it’s vital to establish an common understanding that CISOs and their teams do not hold the “Old Maid” card for security-related risks. There is, in fact, an owner for these risks — but it’s not the CISO. As subject matter expert and trusted advisor, the security leader informs and recommends. But the executive decision-maker, who owns the risk, has to decide.
A Measurement Challenge
One of the biggest challenges for CISOs is that security professionals traditionally think of cybersecurity as intangible, which is yet another reason why engaging in executive-level discussions about the question “How secure are we?” makes very little sense. If something is intangible, our instincts tell us it can’t be measured. Not surprisingly, many people with predominantly technical and engineering-oriented backgrounds experience an inherent discomfort in not being able to quantify security-related risks with precision.
Fortunately, quantifying security-related risks with precision is not the goal. Our goal is to help the risk owners make better-informed business decisions in spite of the inherent uncertainties. If something really matters to the business, we should be able to observe something tangible about it. And if we can observe something tangible about it, we’ve found at least one way to measure it. For example:
- If investing in security awareness training for the organization’s users really matters, we should be able to observe something tangible as a result, such as a reduction in the click rates on phishing attacks.
- If clicks on phishing attacks really matters, we should be able to observe something tangible as a result, such as the number of systems that get infected and the time it takes to remediate them, or the amount of data that gets exposed to an unauthorized party.
Security-related risks can and should be quantified, even in light of the inherent uncertainties of measuring likelihood and business impact. For those interested in improving their ability to quantify security-related risks, there are a number of excellent books, standards-based taxonomies and continuing education courses available as potential resources. In addition, there are a growing number of freely available examples of quantifying security-related risks to use as a reference.
The good news is that these more quantitative approaches are not as difficult as you might think — and they get easier with exposure and practice.
A Communications Challenge
Ironically, CISOs and their teams often use emotional and qualitative approaches to communicate risks with business decision-makers. Here are some extremely common examples.
The Latest Headlines
News stories help to convey that a given risk is not merely hypothetical — it really happened to someone, and therefore it could also happen to us. Unfortunately, the wisdom captured in the expression “never let a good incident go to waste” is counterbalanced by the tendency to become desensitized from a never-ending stream of security breach disclosures. Moreover, headlines generally don’t say very much about risk.
Averages Based on Surveys
Averages are easy to communicate, but they provide very little insight and say almost nothing about risk. For example, if survey respondents from several hundred organizations estimate the total cost of a data breach, the average cost per record says nothing about the likelihood of a data breach. We can’t even say that 50 percent of the time the cost would be higher, and 50 percent of the time it would be lower — that would be the median, not the mean or average. In terms of business impact, averages can actually be highly misleading.
Consider the fact that per-record costs of $50, $50, $350 and $350 averages to $200 per record, as do per-record costs of $150, $175, $225 and $250. Not only does $200 per record convey a false sense of precision, but the two distributions of the estimated business impact provide very different insights about the risk of a data breach.
The opinions of experts — where experts could include sitting CISOs, industry luminaries, analysts, authors and academics — are just that: opinions. The truth is, the vast majority of business decisions about security risk are based almost exclusively on the intuition and gut instinct of the decision-maker, who tends to be the highest paid person in the organization (HiPPO).
This is the dial we’re trying to move! Any analysis and communication about security-related risks that results in a decision based on gut instinct is at best not very useful, compared to the status quo. It can actually make matters worse by inspiring the HiPPO to make a bad decision even faster, and with greater confidence.
Qualitative and Semi-Quantitative Risk Assessments
Qualitative and semi-quantitative risk assessments have become extremely popular. They’re manifested in five-by-five heat maps that are typically visualized in vibrant green, yellow and red. Security leaders say they like them because the business decision-makers seem to get it and they often lead to better conversations about risk.
While it’s true that effective communication is not a one-size-fits-all situation, one of the biggest challenges for CISOs is how to communicate in a way that really moves the dial with respect to influencing better-informed decisions about risk. Close behind is the challenge of how to communicate the business value that security provides as opposed to merely communicating some indicators of what services are being provided and what they cost.