Security success is about more than just blocking attacks; you need to know how to speak to the business.
When Paul Furtado, VP and analyst at Gartner, took the stage at MES Spring this year in Orlando - an event hosted by our partner, the MES IT Network - he spoke about the metrics that drive security investment.
The problem, he said when we talked this month, is those investments are often misaligned, focusing on tools instead of protection.
"Vendors do a good job of telling us tools are the solution to what ails us, but it might just be governance, policies or processes. If your tools are really so poor, you've probably been breached already."
Winning executive support
It won't be a shock to anyone that to secure investment, you need to be able to present a case to the board. Soft skills come into play here.
The issue is that, for years, security has been treated as purely technical. We have a generation of CISOs who never had to talk to business leaders before being promoted. Now, they don't know how.
Here's the most important advice to follow when talking to business leaders:
- Avoid being too technical. "Stop talking about technology," says Paul. "Start talking about risk and the impact on business outcomes. Some executives still see IT as a cost centre; if you want to get out of that box and be seen as more strategic, you need to change your language."
- Include crucial data. Avoid delving into the nuts and bolts, but you should always come to managers with data-based facts. "That makes it impossible to dispute. Then, executives have the data to make a decision."
- Make it digestible. "If you're going to show the board a slide, try to tell your story on one page - you never know how much time you'll have with them."
So, let's break these down a little more.
Avoid technical talk
When executives ask about security, they're not asking about the technology you're using to protect the business. They don't - or shouldn't - get so deep into the weeds that they care about the difference between LogRhythm, Splunk and Rapid7.
Rather, the board are looking for "a level of assurance that the business has the right controls in place."
"You have to be able to talk about security posture in terms the executive team care about," says Paul. "The impact on revenue, the value of an investment, and risk vs cost."
To make this information easy to communicate, he advises ranking each business group - finance, marketing, sales, etc - based on their risk and value.
"If you want to make it a business conversation, business has to be involved in how you're measuring [risk]."
A major upside to the above approach is that it is "not an IT conversation, but a business one."
Where IT gets involved is in analysing each group's risk exposure, then plotting the cost or amount of security funding they are getting.
Support claims with data
Most companies today measure risk by looking at outcomes and probabilities. This is "more art than science," says Paul.
Instead, try to choose outcome-driven metrics based on very specific measures. For example, part of your business continuity risk can be determined by analysing your off-site compute and storage capacity.
"If that capacity is only 20%, that's a critical risk."
Presenting managers with real data makes it impossible to dispute and hard to ignore - and as a bonus, it gives business leaders the insights they need to make decisions.
"Your job is not to say 'Yes' or 'No', but to stop the board saying, 'You didn't tell me [about the risks].'"
Ultimately, all risk decisions rest with upper management, no matter how much you might wish otherwise. You have to be able to work within their level of tolerance.
"If you ask for £1 million and the board only gives you £250,000, they are making a risk acceptance decision."
Brevity is the soul of success
As a CIO (or CTO, CDO, CISO, etc), you'll have access to plenty of technical metrics. As important as they are, they don't necessarily translate well to the board.
"It's about reframing how we present information," Paul points out. "Try to tell your story on one page - you never know how much time you'll have with [the board]. But again, dress it in terms of business goals and how risks and threats will impact them. What is the risk profile? What business goals are at risk?"
For too long, IT - and especially security - has been the most maligned line of business. They cost money, they add nothing, they get in the way of important work, and worst of all, they just don't speak the same language as everyone else.
Following the steps above can help you change that perception and ensure the executive team fights in your corner.
As Paul says, "If your highest-performing sales rep comes to the CEO and demands that IT 'takes that crap off my computer,' will they make a demand of you? Or will they explain why those policies and tools exist?"
Computing has partnered with the MES IT Leadership Network, supporting and serving the needs of IT professionals in midsize enterprise organisations by providing exclusive content, resources and networking opportunities.