On October 19, 2021, we published the book, "Modern Cybersecurity: Tales from the Near-Distant Future". This is an excerpt from a chapter by Keyaan Williams.
Security leaders have been presenting the wrong information to the business for ages! This struggle persists because business leaders and security leaders often speak completely different languages. The common definition of cybersecurity focuses on confidentiality, integrity, and data availability. While valid, these security concerns are often disconnected from concerns that business leaders have about revenue, operations, regulatory obligations, and the reputation of the organization. Presenting the right metrics provides the key to unlocking effective communication between security and the business. When presented in the right context, metrics can help drive decisions about investment in processes and controls that meaningfully reduce business risk.
Introduction
The struggle around metrics affects all business leaders who strive to measure and communicate the value of their programs. Developing precise data points to highlight the effectiveness of programs, projects, and activities is difficult. The struggle is not unique to security; however, poor security metrics make it difficult to communicate the value of a program that many business leaders already fail to understand. Many policies, processes, and controls that support security are difficult to measure. What is the best way to capture information that describes security? How do we best format and communicate that information in a way that resonates with management, the board of directors, and the people who can drive action that supports the goals of the security program?
Executives who receive and process information, such as the Chief Executive Officer, Chief Financial Officer, or Chief Information Officer, often have limited knowledge about the inner workings of security. They simply need relevant and actionable information to make decisions. Security leaders who have deep technical backgrounds may overlook the importance of communicating data and information in a format that is beneficial for the recipient. Security leaders must recognize that their counterparts have not spent the same amount of time honing their ability to use security tools, language, and practices. Measuring performance in the security program requires translating the information into a format that all recipients can understand, so that they know what is important and how to respond appropriately.
Presenting the wrong security information makes it difficult to explain what is happening in security and why it matters to the business. The goal of security metrics is to drive action. Action comes from a compelling case supported by evidence that drives a business decision to change, maintain, or avoid some behavior related to the data captured. Sometimes, security metrics justify additional spending or shifting capital that takes away from other business initiatives. Providing the right metrics equips security leaders to make the best decisions for the benefit of the organization.
Communicating Value
People often jump to conclusions or make assumptions about concepts they do not understand. For example, risk has different meanings to different audiences. Risk always has a negative connotation in security, but risk is simply a measure of uncertainty in project management and in capital markets. Similarly, common words used in cybersecurity have completely different meanings in a conversation about forensic analysis practices. Our day-to-day security conversations about confidentiality, impact, privacy, vulnerabilities and threats may not mean the same thing to the person on the other end of the conversation. They come to a different conclusion without the same experience, training, or academic background as the security executive. Non-security business executives may jump to different conclusions if important information is not presented in the right context using the right vocabulary.
We as security leaders must think about who we are talking to and frame our conversation in the right context. For example, if I'm talking to a financial executive, there are all kinds of documentation related to financial risk management, so we can have a risk conversation. We can also have a cybersecurity conversation, but it becomes my burden to transform important concepts into a context and format that the Chief Financial Officer understands. Every conversation must be organized and presented in a way that resonates with the recipients of the information rather than forcing people who have not spent 20 years doing what you're doing to understand what you're talking about.
Misconceptions about Security
Many organizations build their security programs based on misconceptions that security is a technology solution, rather than positioning security as a business solution. The term cybersecurity was originally defined in 2008 within National Security Presidential Directive 54 (NSPD-54), which introduced the concepts of cyberspace, cybersecurity, cyber assets, and outlined essential safeguards required to protect government and defense systems. This definition leads many organizations to focus on protecting computer systems and networks from the theft, damage, disruption, or misdirection of services that store, process, and transmit digital information. Maintaining this legacy perspective to drive security priorities and emphasize technical controls while minimizing investments in security people and sound security processes is a mistake.
Many executives and board members believe that third-party assessments, compliance audits, penetration tests, and cyber insurance provide a strong foundation for security. However, the U.S. Federal Trade Commission (FTC) and global organizations like the Organisation for Economic Co-operation and Development (OECD) recommend security expertise at the board level because they recognize that security requires more than compliance and insurance to achieve success. The board and management require actionable information to drive action and justify decisions.
Security leaders must transform technical jargon found in standards from the International Organization for Standardization (ISO), the National Institute of Standards and Technology (NIST), the Center for Internet Security, and others into business language that resonates with the board and the business leaders. The context of security is the key that unlocks the Rosetta Stone for communication that delivers relevant and actionable information and allows executives to make informed decisions.
People, process, and technology are part of the conversation that highlights whether the organization has adequate resources to satisfy business requirements while achieving cybersecurity goals. Conversations with the board and management should focus on the relevant risks the organization faces, and how people, process, and technology are deployed to respond effectively to that risk.
Measuring Risk
An effective risk management program clearly establishes risk appetite (how much risk we are willing to accept) and risk capacity (how much risk we are able to accept). This ensures limited resources are applied properly to respond to the organization's most significant risks. Once a risk is identified and its impact understood, there are four response options: accept it, reduce it, transfer it, or avoid it. Measuring the risk, and the effectiveness of response measures, helps justify security investments that contribute to successful risk management. Measurement also documents how resources were used and what results were produced.
Just as it is in science, the method of measurement is important, and measurements are only effective if everyone agrees on the method. Using standard methods of measurement ensures everyone understands what is being measured and the effect of those results. Confusion exists when different methods of measurement apply to the same activity. For example, deciding whether to walk or drive depends on how distance is communicated. Walking is more appropriate to travel 15 meters than driving, whereas driving is recommended to travel 15 kilometers because of the significant loss in productivity from walking that distance.
The same principles apply in a security context where the security executive must transform security metrics into a format that everyone understands. Measurements for security must relate to what the business values and understands. Success depends upon presenting metrics in the right context and ensuring the method is agreeable because the results affect business decisions and behaviors. Most people receiving security metrics and using the information to make business decisions are non-technical executives who do not speak "traditional security." They need transformation of the data and the information into a format that helps them understand what is important and what must be done to protect the organization.
The optimal approach for communicating the value of security using metrics is to use the right framework to present the right information in a business context that drives actions and decisions from the right stakeholders.
The Right Framework
Many frameworks exist to support security program management and the activities required to establish and maintain acceptable levels of confidentiality, integrity, and availability of data used in an organization. Only a few resources exist, however, to measure the performance of the security program. Security leaders need a framework to develop metrics that measure the performance, effectiveness, and impact of their security programs. The framework must be flexible to support various industries and communicate security measurements in a business context.
The Performance Measurement Guide for Information Security outlined in NIST Special Publication 800-55 (Revision 1) provides standardized guidance for identifying the adequacy of in-place security controls, policies, and procedures using metrics. The adequacy of controls, policies, and procedures is the most important information that security leaders can present to the board, management, and other stakeholders. The ability to customize and categorize metrics using this framework provides numerous benefits. Telling a true story about the organization helps drive decisions about where to invest and what additional resources are required to achieve risk management objectives. Distinct categories for metrics ensure the right information is communicated to stakeholders. The framework is superior to a generic "Top 10" list of metrics and ensures the measurements that describe the security program are uniquely tailored to the specific organization. The ability to describe the status of security along with the impact and consequences of the organization's decisions using fact-based evidence compels business stakeholders to properly respond to the situation.
NIST divides metrics into distinct categories that serve specific purposes for different stakeholder groups. Implementation measures focus on administrative controls and the execution of the security policy. They provide information for the security executive and the immediate stakeholders of the security program to describe how well policies, procedures, standards, and guidelines are executed to achieve cybersecurity and risk management goals. Effectiveness and efficiency measures focus on technical controls and measure the results produced by delivering security services like authentication, access management, encryption, and vulnerability management. These measurements provide the most value for the managers and employees who are directly involved in the configuration and management of the services. Impact measures describe the business or mission consequences of a security incident and serve as the primary metrics reported to the board and management. They describe in measurable terms the extent to which the organization is delivering services that reduce risk to an acceptable level and maintain that level of performance over time.
This has been an excerpt from Keyaan Williams's chapter, "Metrics that Matter: The business context of cyber risk management" in the newly released book, "Modern Cybersecurity: Tales from the Near-Distant Future". You can read the rest of the chapter as a free, digital download or purchase a hard copy on Amazon.