Within Security Operations Centers (SOCs), and throughout IT security departments, people and tools rule supreme. Cybersecurity management within most organizations is dictated by spending on human resources and technology, with little to no emphasis on Return on Investment (ROI) analysis, and little to no proof-of-value analysis on the myriad of security products in use.
As a result, much confusion exists within the cybersecurity industry concerning the true effectiveness and Total Overall Cost (TOC) of security tools. Customers making use of cybersecurity products tend to ask ambiguous, irrelevant questions like, “How long has it been since we’ve had a successful breach?” Unfortunately, this question is not fruitful. Breaches are inevitable, and this thinking is not proactive. Answering this question will not mitigate future risks, which is all that counts. Leaders are scratching their heads wondering what works, what does not work, and how to strengthen their cybersecurity posture for the future.
One key obstacle that organizational leaders need to overcome is aversion toward cybersecurity success metrics, data baselining, and validation. Changing the culture, however, must be accomplished through a top-down approach, starting with organizational leaders readdressing the role of security in their business.
Consider the following business hierarchy:
- Executives are responsible for making the risk decisions.
- Operations staff execute the executives’ risk decisions.
- CISOs are relegated to management roles far below C-level positions.
As a result, CISOs are omitted from risk and budget decisions and left to try to convince the executive team to give them funding for a non-revenue-producing task. Given that revenue-generating divisions can leverage metrics and ROI in their pitch for funding, who do you think most executives choose in that contest?
Moving forward, security leaders must elevate their role in the business by integrating cybersecurity into enterprise risk management. This transformation starts by establishing baseline success metrics that measure cybersecurity in relation to existing risk management frameworks. Doing so will improve situational awareness, provide actionable intelligence to drive cost-effective decisions, and establish cybersecurity maturity for a company.
Driving Effective Risk Management within Cybersecurity Operations
With the recent influx of publicity on breaches, company board members and C-level executives are well aware that cybersecurity is a business issue. They know the risks, and they fear breaches. Most organizations have noble intent when it comes to investing in their security, pouring money into the latest and greatest technology. Time reveals that these companies spend blindly: they have no method to measure the success of those products. They cannot calculate their return on investment, and ultimately cannot strategize intelligently for future investments in their cybersecurity operations. As a result, business executives have tightened the purse strings for security teams, leaving CISOs to struggle for the funding they need.
To further complicate this issue, security leaders do not speak the language of the business and cannot facilitate an effective conversation around the stark realities of cyber risk. Simply suggesting worst-case scenarios is no longer good enough. To mature the organizational risk posture, CISOs must articulate mitigation value, operational efficiency, and security effectiveness in business terms.
Following these suggestions naturally leads to the adoption of Key Performance Indicators (KPIs) or Key Risk Indicators (KRIs) for cybersecurity while removing the counterproductive “group think” mentality. Even business privacy products are starting to offer innovative solutions. Tapping into these innovations requires the right expert partner. Specifically, an industry partner should be able to accomplish three major tasks for your organization:
- Help struggling security teams fully understand their security posture and prioritize their risks. This includes determining the business privacy products to meet these objectives.
- Provide full visibility into vulnerabilities and threats for all devices in a manner that drives KPIs and KRIs by leveraging the right mix of identified products and services.
- Calculate the fiscal impact and KPIs for the organization from avoiding potential cyber damage and successfully implementing cyber-protection tools, procedures, and practices. This step is accomplished through an established governance model that helps grow and shepherd success metrics and reporting.
Following these tasks enables security teams to make the most of their technology while decreasing waste and duplication within the security stack. More importantly, this drives to the heart of understanding how cybersecurity is performing within a business, and empowers alignment between cybersecurity and risk management policies.
Along with implementing success metrics and ROI analysis for cybersecurity, CISOs can, and should, revolutionize their position within a company, ultimately improving the cybersecurity footing of their entire organization.