Sometimes I spend time on the Twitterverse watching what is bouncing around in the echo chamber. Occasionally something builds up some feedback and catches my ear. Recently I saw some posts from a particular tweep (who shall remain nameless) who was on about “when was the last time you spoke to your executives about security?” and “do your executives understand the business aspects of security?” He was posing questions but was light on answers, I suppose because he wanted you to contact his company and get some of those answers. That’s his prerogative, but myself, I prefer to treat Twitter like a giant open conversation, not a marketing channel.
Nevertheless, it got me thinking. Do executives understand the business aspects of security? I think that is the wrong question and has things the wrong way around. Rather, the question is “do you know the business aspects of your security decisions?” Can you communicate them to people up the chain of responsibility? Can you connect the dots from what you are trying to do to what business leaders are concerned with?
Hold up there, what exactly are executives concerned about? In my opinion we tend to get tied up in knots about this. I don’t think it’s all that mysterious. We could just ask them, in fact that’s what Chris Wysopal did. He shared his findings at Sector 2015 in the CISO Survival Guide presentation. Here is what he found execs are concerned with:
- Brand damage
- Breach costs, readiness, response
- Corporate espionage
- Risk posture and exposure
This immediately raises another set of questions for me: how do you communicate such things? What are the metrics that would be interesting and helpful?
At the highest levels there is cause for hope. The OpenFAIR framework gives us a way to conceptualize all four of the above in a coherent fashion: risk is broken down into how often loss events happen (loss event frequency, itself the product of threat event frequency and vulnerability) and how much each one costs (loss magnitude). It also allows us to communicate it in terms of likelihood and dollars. Metrics don’t get much clearer than that.
Let me connect the dots for you. You have a hunch that a SIEM would help (the actual control isn’t important for our discussion). It’s an expensive bit of kit, to say nothing of the care and feeding and staff training. How can you justify that it’s worth it? Taking a control-first approach, while typical for us, is kind of backward. Instead we are going to run two risk analyses: i) a baseline without the SIEM, and ii) a comparison with the SIEM, showing how this additional control and all that it does can reduce the risk. This ultimately should translate into a reduction in the probability of a breach and/or a reduction in the cost of a breach. Keep the inputs honest: estimate each factor as a calibrated range (minimum, most likely, maximum) rather than a single number, and report the results as a distribution, so that the uncertainty travels with the answer instead of being hidden in a point estimate. Is the reduction enough considering the cost of the SIEM? That’s a business decision, and one that “the business” can now make since you’ve boiled things down into a language that they understand: probabilities and dollars.
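Here is what that two-analysis comparison looks like when you actually run it. This is an added example written for this post, not code from the original article or from the Open Group’s FAIR tooling: a small Monte Carlo over the top-level FAIR factors (threat event frequency, vulnerability, loss magnitude) that produces annualized loss, a tail figure, and the chance of at least one loss event in a year, first without the SIEM and then with it. Every number in the `BASELINE` and `WITH_SIEM` scenarios is a constructed, hypothetical estimate chosen for illustration, and the assumption that a SIEM lowers both vulnerability (more intrusions caught before they become losses) and loss magnitude (faster containment) is just that, an assumption you would replace with your own calibrated ranges.

```python
"""Added example (not from the original post): a FAIR-style Monte Carlo
comparison of annualized loss exposure with and without a control.

All scenario inputs are constructed, hypothetical estimates chosen for
illustration; they are not measurements from any real environment.
"""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Estimate:
    """Calibrated min / most-likely / max range for one FAIR input.

    Sampled here as a triangular distribution (FAIR tooling more often
    uses PERT, which needs a beta sampler; triangular keeps this stdlib-only).
    """
    low: float
    mode: float
    high: float

    def sample(self, rng):
        return rng.triangular(self.low, self.high, self.mode)


@dataclass(frozen=True)
class Scenario:
    """One risk scenario expressed with the top-level FAIR factors."""
    name: str
    threat_event_frequency: Estimate  # attacker contacts per year
    vulnerability: Estimate           # P(threat event becomes a loss event)
    loss_magnitude: Estimate          # dollars lost per loss event
    annual_control_cost: float = 0.0  # licences, hardware, staff, training


def poisson(rng, lam):
    """Knuth's sampler: number of loss events in a year given rate lam."""
    if lam <= 0:
        return 0
    threshold = math.exp(-lam)
    count, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return count
        count += 1


def simulate(scenario, years=20_000, seed=1):
    """Simulated loss for each year (control cost excluded, see compare())."""
    rng = random.Random(seed)
    losses = []
    for _ in range(years):
        # Loss Event Frequency = Threat Event Frequency x Vulnerability
        lef = (scenario.threat_event_frequency.sample(rng)
               * scenario.vulnerability.sample(rng))
        events = poisson(rng, lef)
        losses.append(sum(scenario.loss_magnitude.sample(rng)
                          for _ in range(events)))
    return losses


def summarize(losses):
    """Figures an executive can act on: expected loss, tail loss, breach odds."""
    ordered = sorted(losses)
    return {
        "annualized_loss": sum(losses) / len(losses),
        "p90_loss": ordered[int(0.9 * (len(ordered) - 1))],
        "p_any_loss_event": sum(1 for x in losses if x > 0) / len(losses),
    }


def compare(baseline, with_control, **kw):
    """Net annual benefit of the control: risk reduction minus what it costs."""
    base = summarize(simulate(baseline, **kw))
    ctrl = summarize(simulate(with_control, **kw))
    reduction = base["annualized_loss"] - ctrl["annualized_loss"]
    return {
        "baseline_ale": base["annualized_loss"],
        "control_ale": ctrl["annualized_loss"],
        "baseline_p90": base["p90_loss"],
        "control_p90": ctrl["p90_loss"],
        "risk_reduction": reduction,
        "control_cost": with_control.annual_control_cost,
        "net_benefit": reduction - with_control.annual_control_cost,
        "baseline_p_loss": base["p_any_loss_event"],
        "control_p_loss": ctrl["p_any_loss_event"],
    }


# Constructed inputs (hypothetical). The SIEM is assumed to lower
# Vulnerability (more intrusions detected before they become losses) and
# Loss Magnitude (faster containment shortens a breach).
BASELINE = Scenario(
    name="no SIEM",
    threat_event_frequency=Estimate(2, 4, 6),
    vulnerability=Estimate(0.2, 0.3, 0.5),
    loss_magnitude=Estimate(100_000, 400_000, 2_000_000),
)
WITH_SIEM = Scenario(
    name="with SIEM",
    threat_event_frequency=Estimate(2, 4, 6),
    vulnerability=Estimate(0.05, 0.1, 0.2),
    loss_magnitude=Estimate(50_000, 200_000, 1_000_000),
    annual_control_cost=250_000,
)

if __name__ == "__main__":
    for key, value in compare(BASELINE, WITH_SIEM).items():
        print(f"{key:>16}: {value:,.2f}")
```

With these made-up ranges the baseline comes out near $1.1M a year in expected loss and the SIEM scenario near $0.2M, so after the assumed $250k annual cost the control clears roughly $0.65M a year; the `p90` and `p_any_loss_event` figures are what you bring alongside the mean, because an executive deciding on breach readiness cares about the bad year, not just the average one. Change any of the ranges and the decision can flip, which is exactly the point: the argument is about the inputs you can defend, not the arithmetic.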
Written by: Jason Murray, Manager of Professional Services, NCI
Follow Jason on Twitter @andrecrabtree