Many CISOs struggle to build a compelling business narrative around their cybersecurity efforts. So when they stand before C-execs or board members, they turn to quantitative measures to craft a basic blocking-and-tackling story (check out how many suspicious connections our firewalls blocked last quarter) and watch eyes glaze over. What’s missing from these number-packed tales, according to 2018 CyberCrime Symposium presenter Summer Fowler, is any business context.
When CISOs measure their cybersecurity success using metrics that support business objectives and contextualize data points so they can communicate findings in business terms, executives sit up and listen, said Fowler, chief security officer at Argo AI. In a working session marked by high audience participation, Fowler walked attendees through an exercise designed to help them identify cybersecurity metrics that align with their business objectives. She took them all the way to the C-suite: armed with metrics that resonate with leaders and versed in business-speak, CISOs can secure the resources they need for cyber-resilience initiatives.
“Among the attributes of an effective CISO is a mind for metrics,” said Fowler. “Measurement and metrics play into every step of the cyber-risk management process.”
Seven-Step Program for Frustrated CISOs
To derive relevant cybersecurity metrics that support business objectives, Fowler advised attendees to adopt the GQIM (goal-question-indicator-measure) method. The GQIM process, a five-step model designed to accommodate changing objectives, takes CISOs through a series of tasks, from identifying business objectives that depend on cyber-resilience to identifying the cybersecurity metrics that support them.
When measuring cybersecurity success, “everything starts with a strategic business objective,” Fowler said. After selecting a few business objectives, CISOs define cybersecurity goals for each, and continue to drill down until they identify relevant measures.
However, GQIM covers just the first steps of the seven that CISOs need to take to support business decision processes. “It's half of the equation that leads to informed decisions,” Fowler said. These steps start with identifying a strategic objective and proceed until CISOs can create a synthesized report that helps executives in their decision-making efforts.
To illustrate the processes within each step, Fowler chose a global business whose strategic business objectives included maintaining its leadership position and protecting its standing as one of the world’s most respected brands. Among the cybersecurity risks that could prevent it from achieving this objective: the unauthorized access, theft, or destruction of customer or employee personally identifiable information (PII) stored in databases across the network.
To demonstrate how to establish cybersecurity goals that mitigate this risk and support the stated objective, Fowler homed in on asset management — specifically, establishing an asset management program to identify and prioritize all of the company’s assets — systems, databases, PII data, employees — so the CISO and technical team can operate a cybersecurity incident center to protect those assets.
Finally, she walked attendees through the seven steps — triggered by strategic business objectives — that build organizational resilience:
Step #1: Goal
Develop one or more cybersecurity goals for each strategic objective. Determine the security actions that will help achieve an objective, said Fowler, and narrow these to a couple with high-payoff potential.
Step #2: Question
Come up with a few questions that, when answered, will help determine whether team members have made substantive progress toward achieving their cybersecurity goals. For instance, what’s the process for identifying assets? How are they prioritized? What’s the process for validating and updating the asset catalog?
Step #3: Indicator
Identify one or more pieces of data required to answer each question related to cybersecurity goals. Indicator data for asset management can include documented processes for identifying assets or an asset catalog with asset profiles.
“Once you have these indicators, you can think about meaningful metrics that will bring some business context to the effort,” Fowler said.
Step #4: Measure
Identify one or more metrics that use select indicator data to answer questions. If the indicator is an asset catalog, a meaningful metric would be “percentage of assets with complete asset profiles.” Measuring progress against this metric will inform CISOs on the status of the asset management program and help them mitigate data loss and theft risks.
Step #5: Key Performance Indicators (KPIs)
These indicators use historical data to provide an overview of the organization’s past performance. CISOs can use them to see if they’re reducing cyber-risk. The long-standing use of KPIs — beyond bringing context to metrics — helps CISOs get cybersecurity on the executive agenda. Plus, the traditional KPI report format works for CISOs, who aggregate technical metrics in easily digestible executive dashboards.
Step #6: Key Risk Indicators (KRIs)
Unlike KPIs, KRIs look ahead. When tied to KPIs, KRIs help CISOs classify risks based on their potential to adversely impact business objectives. If the KPI for the asset management program is an increased percentage of assets with complete profiles, said Fowler, then a KRI might be the fact that 30% have no assigned asset owner. Another KRI: The company’s highest-priority database is accessed by 35 roles and 45 business processes, which complicates the job of implementing strong cybersecurity controls.
“When we think about the biggest breaches, we immediately think about the victimized organization’s patching program,” said Fowler. “If nobody owns a specific asset, then nobody’s accountable for managing and protecting it. When 30% of assets don't have assigned owners, that’s a big risk.”
With KPIs and KRIs identified, CISOs are able to put context around performance and risk levels, said Fowler. But, as she reminded attendees, they now have to be able to translate their tech speak into business language so they can direct leadership’s attention to what matters.
She asked, “What wisdom can the CISO bring to executives to support decision-making and to their technical teams to dictate cybersecurity actions?”
Step #7: Synthesis
Here, the CISO distills that wisdom for easy consumption. So, one KRI correlates to the asset inventory effort, which has thus far identified and prioritized 70% of all assets. Thus, the Executive Synthesis for the asset program captures this figure. It further specifies when the cybersecurity and partner teams will reach their goal of 100%, and ties it to the business objective to protect the company’s brand and reputation by protecting customer and employee data. In addition, the synthesized report specifies the financial investment and staff resources that the CISO is requesting to accomplish this goal.
Meanwhile, the Technical Team Synthesis details the tasks — reviewing the roles accessing the high-priority database and tightening restrictions, establishing new monitoring guidelines for private customer and employee data — that the cybersecurity tech team will take on to complete this initial project phase.
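The seven steps above end in numbers a board can act on. The following is an added example, not material from the talk or from Argo AI, showing how the Step 4 measure, the Step 6 KRIs, and a Step 7 executive synthesis can be computed from an asset catalog; the catalog, the required profile fields, and the 25% owner threshold are constructed assumptions.

```python
# Constructed sample catalog (not data from the talk). A profile counts as
# complete only when every field in REQUIRED_FIELDS is filled in.
REQUIRED_FIELDS = ("owner", "priority", "data_class")

ASSET_CATALOG = [
    {"name": "crm-db", "owner": "dba-team", "priority": 1, "data_class": "PII",
     "roles": 35, "processes": 45},
    {"name": "hr-db", "owner": None, "priority": 1, "data_class": "PII",
     "roles": 12, "processes": 8},
    {"name": "web-frontend", "owner": "app-team", "priority": 2,
     "data_class": "public", "roles": 4, "processes": 3},
    {"name": "build-server", "owner": None, "priority": 3, "data_class": None,
     "roles": 6, "processes": 2},
    {"name": "file-share", "owner": "it-ops", "priority": 2,
     "data_class": "internal", "roles": 20, "processes": 5},
]

def profile_complete(asset):
    """An asset profile is complete when no required field is missing."""
    return all(asset.get(f) is not None for f in REQUIRED_FIELDS)

def pct(n, total):
    return round(100.0 * n / total, 1) if total else 0.0

def kpi_complete_profiles(catalog):
    """Step 4 measure / Step 5 KPI: percentage of assets with complete profiles."""
    return pct(sum(profile_complete(a) for a in catalog), len(catalog))

def kri_unowned(catalog):
    """Step 6 KRI: percentage of assets with no assigned owner (nobody accountable)."""
    return pct(sum(a.get("owner") is None for a in catalog), len(catalog))

def kri_access_surface(catalog):
    """Step 6 KRI: roles and business processes touching the highest-priority assets."""
    top = min(a["priority"] for a in catalog)
    return {a["name"]: (a["roles"], a["processes"])
            for a in catalog if a["priority"] == top}

def executive_synthesis(catalog, unowned_threshold=25.0):
    """Step 7: the few figures a decision-maker needs, tied to the objective.
    The threshold is an assumed risk-appetite value, not one from the talk."""
    unowned = kri_unowned(catalog)
    return {
        "objective": "protect the brand by protecting customer/employee PII",
        "kpi_profile_complete_pct": kpi_complete_profiles(catalog),
        "kri_unowned_pct": unowned,
        "kri_unowned_exceeds_threshold": unowned > unowned_threshold,
        "kri_top_asset_access": kri_access_surface(catalog),
    }
```

Swapping in a real inventory export (CMDB, cloud asset API) is the only change needed; the question-to-measure mapping stays the same.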
Among the numerous benefits gained through Executive Synthesis metric reports is that they force CISOs to think like leaders. They have to put themselves in the decision-maker’s seat to understand what information to share — and how to share it.
“If executives decide not to allocate the requested money and resources, they’re making that decision knowing their risk exposure,” said Fowler. “That’s because their CISO presented all the elements contributing to that exposure, and communicated risk in their own language.”
This is the sixth in our series of posts presenting key takeaways from our 2018 CyberCrime Symposium, held November 1-2, 2018. The program — “The Future of Privacy and Security” — featured an incredible line-up of speakers. If you couldn’t get a seat at the event or want a refresher on various sessions, this is a not-to-be-missed series!