Cybersecurity is awash with data and metrics, but true insight is in short supply. So how do CISOs codify, communicate and manage the increasing amount on their plate? Answer: Click left for insight-driven security.

Threats are on the rise, and nobody is more acutely aware than chief information security officers (CISOs).

Among their multiple concerns, CISOs I speak with are most worried about the impact of data and/or privacy breaches. They know attacks are coming from new and diverse sources (nation states or insiders, for instance). To them, it can feel like too much: 63% say staying ahead of attackers is a constant battle and the cost is unsustainable.

Exponential changes in security are coming your way

The security of yesteryear was like the Tower of London, with its defined perimeter, small number of entry and exit points and a certain, limited, knowledge of the crown jewels’ location. But today, security requirements have more in common with the London Underground: a distributed perimeter, hundreds of entry and exit points, myriad third parties supporting the infrastructure and tens of thousands of point-to-point connections.

However, they do share one thing: Threats from insiders, malicious or otherwise. For the Underground, this means the half-million or so mice that call it home. For today’s businesses, insider threats might consist of a disgruntled employee or one who simply isn’t careful enough when it comes to cybersecurity. It all underscores the need for security to flow through the entirety of an organisation if it is to be effective.

It’s no surprise security is now higher on the board’s agenda

As board-level leaders become increasingly aware of and educated about the need for cybersecurity, they’re asking for more frequent updates (quarterly in the main, according to my CISO discussions). But here’s the rub: There’s a fundamental disconnect between the metrics CISOs have to show them and what board members actually need to know.

So how do you codify, communicate and manage the modern CISO’s brief in terms the board (or board-level leaders) can understand?

Typically, the board hears about the number of blocked phishing attempts, unpatched vulnerabilities categorised by risk tier, and events generated in the data loss prevention tool. But those metrics don’t help leaders understand risk or make the right decisions on security investments.


The suggested solution: Click left

Go left one click at a time. That means evolving reports from hundreds of operational metrics to dozens and from there to tens of risk metrics—until you arrive at the key metrics the board needs to genuinely know what’s happening, what’s needed and what to fund.

How to get to that crucial top tier

My experience tells me there are nine questions senior leaders in any organisation should be putting to their security leads to generate those top-tier metrics:

Risk Posture

  1. What is our threat context (for example, the risks that are most serious for our industry, what’s new and where it’s coming from)?
  2. How well do we understand our security risk, and how are we quantifying our understanding in a decision-useful way?
  3. How well are we managing risk (beyond the number of blocked phishing attempts)?

Operational Effectiveness

  1. How efficient are our security operations, and how are we measuring that efficiency?
  2. Are we deriving expected insights?
  3. Are we improving visibility?

Strategy and Initiatives

  1. Are we prioritising/progressing key projects?
  2. Are our customers/citizens secure?
  3. Are we adjusting our strategy as we learn?

The next step is to codify the CISO’s landscape with a blueprint/template, underpinned by the right KPIs, and in a format that can be articulated simply. The exam question for this step is simple: If you have 20 minutes with the board, what are you going to communicate? Bear in mind a side goal is education in general—helping leaders understand what’s important to measure and why, and how these factors influence budgets and priorities.

Good communications determine good investments

Getting your board-level reports right can have massive implications for budgets, investments and for driving actionable decisions. And just in time, since the volatile threat landscape in many cases means CISOs are finding annual budgeting processes inadequate. As one CISO said at a recent cybersecurity roundtable event, “Threat actors don’t fit into our budget cycles.” Thus, CISOs must build trust and get leaders to engage with and understand their perspective on the security mission and vision.

At the same exec event, CISOs offered their peers this simple advice for leadership budget discussions: Use simple metrics to demonstrate value, in terms that the board and non-technical audiences can understand.

The point: When you click left and keep clicking, you start a journey to clear communications and better understanding—and ultimately, better alignment between priorities and investments. There really is light at the end of the (underground?!) tunnel when it comes to turning metrics into actionable insights.


Accenture Security

Accenture Security is a leading provider of end-to-end cybersecurity services, including advanced cyber defense, applied cybersecurity solutions and managed security operations. We bring security innovation, coupled with global scale and a worldwide delivery capability through our network of Advanced Technology and Intelligent Operations centers. Helped by our team of highly skilled professionals, we enable clients to innovate safely, build cyber resilience and grow with confidence. Follow us @AccentureSecure on Twitter or visit us at www.accenture.com/security.

Accenture, the Accenture logo, and other trademarks, service marks, and designs are registered or unregistered trademarks of Accenture and its subsidiaries in the United States and in foreign countries. All trademarks are properties of their respective owners. All materials are intended for the original recipient only. The reproduction and distribution of this material is forbidden without express written permission from Accenture. The opinions, statements, and assessments in this report are solely those of the individual author(s) and do not constitute legal advice, nor do they necessarily reflect the views of Accenture, its subsidiaries, or affiliates. Given the inherent nature of threat intelligence, the content contained in this report is based on information gathered and understood at the time of its creation. It is subject to change. Accenture provides the information on an “as-is” basis without representation or warranty and accepts no liability for any action or failure to act taken in response to the information contained or referenced in this report.

Copyright © 2021 Accenture. All rights reserved.


Giovanni Cozzolino

Managing Director – UK and Ireland Security Lead
