From the back room to the boardroom – making IT security a business partner

morphick

Security has become an important topic in the boardroom and based on consistent news of new data breaches, that will probably not change any time soon.  Many security leaders are now finding themselves in regular meetings with CEOs and board committees.  In these meetings, many of them experience what can be described as a culture clash.

In my previous post in this series, we discussed the more persistent type of defending we need to do. This ‘persistent defense’ model yields more valuable intelligence and a deeper level of understanding of the attackers. It can help take the guesswork out of attribution and attacker objectives.  But the ultimate question is: how can you use this intelligence to influence business decisions?

Our Metrics Don’t Help Leadership

When senior leaders ask for information around cyber security, it is natural for security leaders to talk about their metrics: the number and age of vulnerabilities, account aging, encryption coverage, emails blocked, and so on.  However, these metrics provide no meaningful information to the leader.

Having been a CISO at a global company, I completely understand the security leader’s instincts.  “Of course my leadership cares about these metrics, why wouldn’t they?  They are my metrics after all.”  On the other side of the table, you have business leaders trying to execute on an overall business plan.  They are trying to grow the business, expand into new markets, and deliver new products.  They don’t care about patching vulnerabilities; they care about their ability to execute on their business plan.  This is where the two worlds collide.

For example, when you use a search engine, do you care about the network utilization in and out of the search engine’s data centers?  Do you care about CPU load on their servers?  No.  All you care about is whether or not you can execute your search.  The same is true with business leaders.  They don’t care about your vulnerabilities or active accounts; they care about their ability to execute their business plan.  Their exposure to cyber security is limited to the knowledge of it stopping other business leaders from executing, so – naturally – they want to know if they have the same risk.

Don’t get me wrong.  Standard security metrics are important, but business leaders don’t care about those details.  Those details are too far removed from the business plan for them to draw any meaningful correlation.

Security Metrics Can Drive Business Decisions

What if we presented information around who in the company is being targeted by attackers?  Or information around which branch offices are being hit with more attacks?  How about which projects are being targeted?  Business leaders would have a different attitude towards the knowledge that someone is trying to steal the technology they spent five years researching.  What about the knowledge that each time the business conducts a market growth activity, there is an associated phishing campaign against leadership?  What about the knowledge that with a pending acquisition there is an uptick in the attacks against the accounting department?

Isn’t this type of information a little more relevant to the business’ ability to execute on its plan?  In one case, you may be at risk of losing years of R&D work and competitive advantage in the market.  In another, you may face competition that knows exactly what is in your future business plan.

I’ve personally seen businesses sitting on a competitive advantage that they didn’t even know about until cyber criminals tried to steal it.  Only then was the business tipped off and the advantage realized.  If your business is betting its future on a new technology or a new market, it would be pertinent to know that someone is trying to steal the technology or associated market strategy.  This is what security leaders can – and should be – bringing to the boardroom.

Yes, stopping attacks is very important, but that’s not the end game.  What puts the security leader in the boardroom is their ability to understand the attacks and find the commonality between them to discern targeting and intent.  This actionable intelligence enables the business to make deliberate, informed decisions.
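One way to turn raw alerts into the kind of targeting picture described above: join each alert to the business context of the person targeted (department, project) and compare the rate of alerts against a department inside a business-event window (for example, the weeks around a pending acquisition) with the rate outside it. This is an added illustration, not code from the post or from Morphick; the user-to-department mapping and the alert records are constructed sample data, and the helper names are assumptions.

```python
from collections import Counter
from datetime import date

# Constructed sample data: who was targeted and when. In practice these rows
# come from mail-gateway / EDR alerts joined to an HR or asset directory.
PEOPLE = {  # user -> (department, project)
    "alice": ("accounting", None),
    "bob": ("accounting", None),
    "carol": ("r_and_d", "project-falcon"),
    "dave": ("r_and_d", "project-falcon"),
    "erin": ("sales", None),
}
ALERTS = [  # (date, targeted user, alert type)
    (date(2016, 1, 5), "erin", "phish"),
    (date(2016, 1, 12), "carol", "phish"),
    (date(2016, 1, 20), "alice", "phish"),
    (date(2016, 2, 2), "alice", "phish"),
    (date(2016, 2, 3), "bob", "phish"),
    (date(2016, 2, 4), "alice", "credential_theft"),
    (date(2016, 2, 5), "bob", "phish"),
    (date(2016, 2, 6), "dave", "malware"),
    (date(2016, 2, 8), "carol", "phish"),
]

def alerts_by(dimension, alerts=ALERTS, people=PEOPLE):
    """Count alerts per business dimension: 'department' or 'project'."""
    idx = 0 if dimension == "department" else 1
    counts = Counter()
    for _, user, _ in alerts:
        value = people[user][idx]
        if value is not None:  # users with no project are not counted there
            counts[value] += 1
    return counts

def uptick(department, window_start, window_end, alerts=ALERTS, people=PEOPLE):
    """Alerts-per-day against a department inside a business-event window,
    relative to the rate outside it (ISO date strings for the window)."""
    start, end = date.fromisoformat(window_start), date.fromisoformat(window_end)
    days = [d for d, _, _ in alerts]
    days_in = (end - start).days + 1
    days_out = (max(days) - min(days)).days + 1 - days_in
    inside = sum(1 for d, u, _ in alerts if people[u][0] == department and start <= d <= end)
    outside = sum(1 for d, u, _ in alerts if people[u][0] == department and not start <= d <= end)
    # ratio of daily rates, computed without intermediate float division
    ratio = (inside * days_out) / (outside * days_in) if outside and days_out else float("inf")
    return {"inside": inside, "outside": outside, "ratio": ratio}
```

Run against real alert data, the department and project counts are the table a board member can act on, and the ratio answers "did attacks on accounting rise while the deal was pending?" in one number.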

Every day, security leaders are asked to provide input and participate in high-level business strategy conversations.  Security leaders that are able to shift gears from running an IT security program to providing insights that help execute the business strategy will earn their seat in the boardroom and – ultimately – help change the face of IT security.

We Know What Drives Business Decisions

With most security teams being stretched beyond breaking, Morphick augments existing teams by providing expertise in advanced analytics, detection, and response while providing intelligence that internal teams can use to identify business impact.  We want to take our customers’ security programs out of the back room and put them into the boardroom. To learn more about how Morphick can provide you the data to drive business decisions, contact us today.