Security Think Tank: Security risk ratings key to security/business understanding
How can security professionals communicate effectively with the board and senior business leaders – what works and what doesn’t?
The role of chief information security officer (CISO) was originally created to manage technology risk within the enterprise. But now the CISO role is being reshaped by the greater role that security is required to play in business, and the need to protect a rapidly expanding portfolio of digital assets without inhibiting the business from meeting its goals.
This is visible from several perspectives. CISOs and their teams must be able to communicate the organisation’s information risk exposure and the measures needed to protect the business, and do so in language that board members, business leaders and other non-technical people can understand. Simultaneously, it is essential to understand business objectives to ensure that the organisation’s overall security posture aligns with business risk.
To achieve this, the most successful CISOs tend to develop broad, leadership-level responsibilities that encompass or integrate with many domains and individuals across the organisation. The alignment of the information security programme with business issues – for example, regulatory compliance status – can also be shown as direct links from the CISO’s domain to overall organisational wellbeing.
And with the CEO and board increasingly wanting detailed insight on the organisation’s risk posture, occupants of the CISO role have a strong case for a more direct reporting route to the top of the organisation.
Key performance indicators (KPIs) and key risk indicators (KRIs) are two standard ways of reporting risk posture to business leaders. Performance indicators describe what has happened; risk indicators describe what might happen. The metrics included in these groups will develop over time; overall, they fall into two buckets: operational (such as mean time to detect/respond [MTTD/MTTR], phishing campaign failure rate, and patch coverage) and strategic (such as vulnerabilities by criticality based on the system/data affected, risk assessments maintained, and compliance status).
The CISO’s objective should be to demonstrate a positive trajectory that manages security posture in line with risk appetite, while simultaneously enabling the organisation to execute on its business strategy.
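As an added illustration (not code from the article or from Ovum), the Python below computes the operational and strategic metrics named above from constructed sample records and flags each one against an assumed risk appetite, which is the shape a board-level summary takes. The incident, phishing, host and vulnerability records, the threshold values in `RISK_APPETITE`, the definition of MTTR as detection-to-resolution, and the rule that raises a vulnerability's criticality one step when the affected system holds confidential data are all assumptions made for the example.

```python
from collections import Counter
from datetime import datetime
from statistics import mean

# --- Constructed sample data (invented for this example, not from the article) ---
INCIDENTS = [  # compromise start, detection and resolution timestamps (ISO 8601)
    {"id": "INC-1", "start": "2024-03-01T08:00", "detected": "2024-03-01T10:00", "resolved": "2024-03-01T14:00"},
    {"id": "INC-2", "start": "2024-03-05T09:00", "detected": "2024-03-05T15:00", "resolved": "2024-03-06T03:00"},
    {"id": "INC-3", "start": "2024-03-10T00:00", "detected": "2024-03-10T04:00", "resolved": "2024-03-10T12:00"},
]
PHISHING_RESULTS = [{"user": f"u{i}", "clicked": i < 2} for i in range(10)]  # 2 of 10 recipients clicked
HOSTS = [
    {"name": "web-1", "missing_patches": []},
    {"name": "web-2", "missing_patches": []},
    {"name": "db-1", "missing_patches": ["PATCH-PLACEHOLDER-1"]},
    {"name": "app-1", "missing_patches": []},
    {"name": "app-2", "missing_patches": []},
]
ASSETS = {"hr-db": "confidential", "web-front": "public"}  # data sensitivity per system
VULNS = [
    {"id": "V-1", "severity": "high", "asset": "hr-db"},
    {"id": "V-2", "severity": "medium", "asset": "web-front"},
    {"id": "V-3", "severity": "medium", "asset": "hr-db"},
    {"id": "V-4", "severity": "low", "asset": "web-front"},
    {"id": "V-5", "severity": "critical", "asset": "web-front"},
]
# Assumed risk appetite: the board-agreed bound for each metric (operator, limit).
RISK_APPETITE = {
    "mttd_hours": ("<=", 8.0),
    "mttr_hours": ("<=", 24.0),
    "phishing_failure_rate": ("<=", 0.10),
    "patch_coverage": (">=", 0.95),
    "critical_vulns": ("<=", 0),
}
SEVERITY_ORDER = ["low", "medium", "high", "critical"]


def _hours_between(record, from_key, to_key):
    """Elapsed hours between two ISO timestamps stored on one record."""
    t0 = datetime.fromisoformat(record[from_key])
    t1 = datetime.fromisoformat(record[to_key])
    return (t1 - t0).total_seconds() / 3600


def mttd_hours(incidents):
    """Mean time to detect: average hours from compromise start to detection."""
    return mean(_hours_between(i, "start", "detected") for i in incidents)


def mttr_hours(incidents):
    """Mean time to respond: average hours from detection to resolution (assumed definition)."""
    return mean(_hours_between(i, "detected", "resolved") for i in incidents)


def phishing_failure_rate(results):
    """Share of simulated-phishing recipients who clicked."""
    return sum(1 for r in results if r["clicked"]) / len(results)


def patch_coverage(hosts):
    """Share of hosts with no outstanding required patches."""
    return sum(1 for h in hosts if not h["missing_patches"]) / len(hosts)


def vulns_by_criticality(vulns, assets):
    """Strategic view: vulnerability counts by criticality, where severity is raised
    one step when the affected system holds confidential data (assumed rule)."""
    counts = Counter()
    for v in vulns:
        idx = SEVERITY_ORDER.index(v["severity"])
        if assets.get(v["asset"]) == "confidential":
            idx = min(idx + 1, len(SEVERITY_ORDER) - 1)
        counts[SEVERITY_ORDER[idx]] += 1
    return dict(counts)


def within_appetite(name, value):
    """True when a metric sits inside its agreed bound."""
    op, bound = RISK_APPETITE[name]
    return value <= bound if op == "<=" else value >= bound


def build_report():
    """Group the metrics into operational and strategic buckets and flag each
    against risk appetite, giving a non-technical reader a direct in/out-of-bounds view."""
    crit = vulns_by_criticality(VULNS, ASSETS)
    operational = {
        "mttd_hours": mttd_hours(INCIDENTS),
        "mttr_hours": mttr_hours(INCIDENTS),
        "phishing_failure_rate": phishing_failure_rate(PHISHING_RESULTS),
        "patch_coverage": patch_coverage(HOSTS),
    }
    strategic = {"vulns_by_criticality": crit, "critical_vulns": crit.get("critical", 0)}
    checked = {**operational, "critical_vulns": strategic["critical_vulns"]}
    return {
        "operational": operational,
        "strategic": strategic,
        "within_appetite": {k: within_appetite(k, v) for k, v in checked.items()},
    }


if __name__ == "__main__":
    for section, metrics in build_report().items():
        print(section, metrics)
```

Run over several reporting periods, the `within_appetite` flags are what show the "positive trajectory" the text calls for: a board does not need the raw timestamps, only whether each indicator is moving toward or away from the agreed bound.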
At Ovum, we see evidence of increased use of security risk ratings. Similar to a credit reference score, basic and more advanced scores are increasingly being made available for organisations to see how secure their external environments are at a moment in time. Such easily understood quantitative measurements ensure that CISOs and business stakeholders share a common understanding.
Working with the board and leaders across the business is not static. Engagement and reporting should be dynamic, documenting ongoing change across the enterprise. As organisational leaders are increasingly involved in engagement and reporting for business and security risk, the lingua franca of business and security will become increasingly aligned – a significant step forward for the organisation and for the practice of enterprise cyber security.