Oversight of cybersecurity programs, whether at the board or executive leadership levels, has always been a challenge. Typical questions that officers and directors ask range from the broad, "Are we secure?" to more detailed questions about metrics, such as, "How many vulnerabilities did you fix last quarter?" The answers to these questions may not help to indicate true program effectiveness. These types of queries often signal a lack of understanding about ways to hold cybersecurity teams accountable, and a lack of vision about how cybersecurity can actually help grow the business.
Attempts have been made to help cyber outsiders ask the right questions of security team leaders to improve the effectiveness of executive oversight. The National Association of Corporate Directors has put out some great guidance on what questions to ask, and what approaches to take when expanding IT security's role to more of an enterprise risk mandate. The more that boards and leadership teams understand the wide-ranging responsibilities of cybersecurity teams, the better they can hold them to account.
Pivot the cybersecurity oversight mindset
Chief Information Security Officers (CISOs) should be held responsible for more than their perspectives on risk. When viewed through the prism of a traditional SWOT (Strengths, Weaknesses, Opportunities and Threats) model, cybersecurity oversight typically homes in on the weaknesses and threats side of the equation. CISOs tend to index heavily in these areas to address the issues that may prevent a business from meeting its objectives. However, by staying in the weaknesses and threats quadrants, cybersecurity becomes more an insurance program than a potential growth driver.
Though it isn't wrong to think about the threats and weaknesses from an oversight and risk management perspective, it usually leads to financial dialogues that sound like insurance policy purchase discussions. Questions like, "What percentage of IT spend should the cybersecurity budget be?" are used to make appropriations decisions at budget time; this is similar to determining the price of insurance coverage on your business or your house based on its value. The conversation should actually be far more nuanced, because otherwise it omits the strengths and opportunities side of the equation. The key pivot to make is from an insurance mindset to an investment opportunity mindset that stimulates growth, addresses weaknesses or accomplishes both at once.
Changing the mindset to focus on strengths and opportunities completely alters the tenor of the dialogue and the potential outcomes. Of course, cybersecurity and risk management are used to protect the business by addressing weaknesses and threats, but what if there are ways to also hold cyber teams accountable for identifying the strengths and opportunities? Are there areas of the business that teams are not currently focused on where an organization could be the best in the world? It's entirely possible that a CISO working across the entire business has exactly those insights to share. Lines of questioning around strengths and opportunities tend to expand the mindset, whereas questions about weaknesses and threats tend to shrink the thought process.
By not limiting focus to weaknesses and threats, leadership gets more out of CISOs by asking them to leverage their knowledge and to grow their own perspectives on the business. It is a straightforward, linear process to think about how to prevent the negatives, but the data should exist in the cybersecurity mindset to also generate business-level ideas. Not only should companies hold cybersecurity leaders to account for protecting the business, but they should be able to use their knowledge to move forward strategic strengths and opportunities.
As a corollary example, businesses do not expect CFOs to think solely about protecting the finances of an organization. They are also expected to think of ways to grow the top and bottom lines, whether by generating ideas about new products or revenue streams, or by improving organizational efficiencies. To truly earn their seat at the table, CISOs must be expected to think in a similar way.
New lines of questioning and accountability
In any meeting, the goal is to leave with new insights and new directions for oversight, approval processes or obtaining feedback. CISOs need to be challenged to think about their work from the perspective of business improvement and contributions to overall business objectives by generating strengths and opportunities.
The best example of this is when security "shifts left" in a development process to be more integrated when the engineers write code rather than waiting to test a finished product. The latter approach is highly disruptive to engineers who must interrupt their work to stop and fix problems in the process of iterative repair. The traditional KPIs for shifting left in the development process include metrics such as a decrease in the number of vulnerabilities or defects since they are now caught earlier in the process. While this is an effective measure of impact from a cybersecurity lens, it does little to truly highlight the business impact.
The true impacts of this statistic are that fewer defects mean increased efficiency for engineers, less reworked code, faster product releases and faster revenue capture for new features and products. While it is important to highlight the decrease in vulnerabilities, the opportunity achieved was decreased time to market. As an added benefit, a new strength may be an increased awareness from engineers on how to write secure code. This new strength could also be measured to show increased efficiency over time and subsequently a product differentiator in the marketplace.
When considering lines of questioning for a CISO, challenge them to think about how to grow the business, highlight strengths and explore opportunities. Questions that may complement more traditional risk oversight questions include:
- How have you decreased friction (or increased output) in the product development lifecycle?
- What product improvements can we make to differentiate us in the marketplace?
- What is your trend on decreasing vendor onboarding times or decreasing the length of the sales cycle?
- What percentage of time are teams spending investigating or responding to security-related issues? How is that tracking over time?
- How are you growing the total addressable market of our products and services?
Obviously, questions will depend on the type of business, but the shift in CISO mindset and oversight is crucial. With this shift, CISOs are forced to look outside the walls of their team and better understand the business, thereby generating more productive insights. All too often, CISOs are asked to measure things in an insular fashion, which only increases the myopia. CISOs and their teams can be leveraged more effectively by broadening the lens and asking questions that cover all four quadrants of the SWOT model.
About the author
Nick Vigier is a CxO advisor of Cyber Strategy at Coalfire. Vigier is a technology and security leader focused on innovation to drive business results. In his 15 years of security leadership, he has focused on building high-performance teams to ensure security is a business driver rather than a cost center. In his current role at Coalfire, he takes his learnings as a CISO and CIO in a variety of industries to help leaders consider security as a business enabler and not just an insurance policy. Nick is passionate about looking at intractable problems in new ways to find solutions that benefit everyone while growing trust and efficiency.