
teissTalk: Cybersecurity as a business metric - giving your C-Suite the data to govern

On 5 March 2026, teissTalk host Thom Langford was joined by Edd Hardy, Director Cyber Security, AlixPartners; and Björn Orri Guðmundsson, CEO & Founder, Aftra.


Views on news


Iran will “absolutely” respond to the US and Israeli air strikes with cyber-attacks against a wide range of targets in the Middle East and beyond, Google’s chief of cyber threat intelligence has warned. John Hultquist, chief analyst of Google Threat Intelligence Group (GTIG), made the comments at an event hosted by the Royal United Services Institute (RUSI) defence think tank in London. This intelligence will raise many issues at executive level, with financial infrastructure and supply chains becoming likely targets for ramped-up attacks. That said, Iran is still far from being an attacker with the most advanced cyber weapons. Such attacks can nevertheless be carried out both by Iran as a nation state and by groups sponsored by the Iranian state.


From vanity metrics to meaningful reporting


Executives won’t understand the metrics that cyber security professionals traditionally present them with, such as the number of patches applied or the number of attacks the company’s firewall has fended off. Increasingly, however, more relevant metrics are emerging: improvements in risk tolerance, the level of compliance with the company’s own policy, or how long it would take to recover 90% of operations. The accuracy of the underlying data is always key to how meaningful and useful these metrics are. From a CEO’s perspective, though, cyber security as such isn’t relevant either unless it is translated into business metrics. Security experts must explain to CEOs why they should care about these metrics from the business’s point of view. Compliance and attracting more investment are the reasons most likely to make the case for cyber security spending.


The atmosphere in the boardroom is changing, though, thanks particularly to non-executive directors. Regulation is playing a role in this change too, as it makes CEOs personally and financially responsible for cyber incidents. What we can expect in response is CEOs first taking out insurance to protect themselves and only changing their attitude later, when the premiums on those policies become too high. Executives can always argue that they weren’t given the right data by security staff, but they also have a responsibility to ask the right questions: regulators are interested not only in the results of pen tests but also in whether the kind of pen test performed was in line with the company’s risk tolerance.


To communicate effectively with the board, CISOs should look at the minutes and agendas of previous meetings and see how the CFO and others in the C-suite report to it. A metric showing how many people fell for a phishing test isn’t constructive; a metric that reflects a better culture is how many people reported the phishing attempt. Benchmarking against industry peers is meaningful only if participants share true metrics. CISOs are nevertheless required to provide them at the board’s request. Moreover, benchmarking can be leveraged to secure more money for the cyber security function if it demonstrates that the company is lagging behind the industry average.


The panel’s advice

  • While CEOs once wanted the company to be at the top in terms of cyber security, today they aim to be slightly better than the majority of the pack.
  • A company can score 2.5 on the NIST maturity scale yet have proven multiple times in rehearsals that it can recover its environment onto fresh hardware in six hours. Metrics must therefore be assessed in context.
  • The CISO shouldn’t be installing patches, but should know what good looks like and request improvement where aspects of the business’s security posture are not up to scratch.
  • As a CISO, build one-to-one relationships with board members.
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543