Building CISO Relevance Through Metrics

This post is contributed by guest blogger Eric Cowperthwaite.

One of the phrases I've heard repeated over the years on the security conference circuit is "CISOs need to earn a seat at the executive table." At this point in the game, I think we need to stop using those terms. Be they CISOs, CROs, VPs of security or whatever other title, security leaders are not outsiders. You don't need to gain a seat at the table, learn the business or align with the business. You're already a part of the business; that's why they hired you. You just need to be relevant to your business.

What do I mean by relevance? The things you do that are visible to your peers and seniors in your company need to tackle issues they think are important. That doesn't mean firewalls aren't important. They are. But that's a tactical issue. The CEO entrusted you with taking care of all that tactical work behind the scenes. What makes you relevant to the CEO is finding ways to grow the business, deliver business value and improve security at the same time. Most businesses, for example, are flinging themselves headlong down the road of cloud computing and mobility. You need to be right there with them, helping them do it safely.

One of the best ways to show relevance and add value is through the visible reduction of security risk. Your company's corporate leaders read the Wall Street Journal and they see what's going on with other breached firms. They want to know that your company is doing the right things to try to make itself less vulnerable. They don't want to hear it in security language—don't put it in terms of systems configuration or CVSS vulnerability ratings.

Instead, when you're in that conversation with other business leaders, put it in the language of risk and metrics. It should be something along the lines of, "We know where our most important data is. And we've figured out where our weaknesses are, throughout our ecosystem. Now we're working on making that better and we are going to be able to show you that we've reduced risk with metrics that make it clear."

That last part is the key. You must have quantifiable results just like every other VP in the company. Every other executive has reports they take to the rest of the leadership team about what they do, with real numbers in it that the other executives can understand.

As a CSO, I have a model for which metrics are appropriate at each level of the company. What a security engineer needs, what an IT manager needs and what the CEO needs are all different, and each level can be abstracted into the next. A security engineer requires very detailed information about the number and type of malware infections, host by host. An IT manager responsible for desktop engineering only needs an abstraction of that, something like "We have 10,000 desktops, on average we get infected x times per month, and it takes us x hours to clean them up." That's all the IT manager needs, and that's what's relevant to him.

Meanwhile, what's relevant to the CEO of the company is at an even higher level of abstraction: "We had a malware incident that was significant and it caused critical data to be exposed to an outsider and here's what we've done to resolve it and prevent future incidents."
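The three-tier roll-up described above, as an added illustration and not code from the original post: the same incident records drive an engineer view (every host and infection), an IT-manager view (monthly rate per fleet and time to clean) and an executive view (only incidents that exposed critical data). The incident records, the record field names and the fleet size of 10,000 are constructed sample data, not figures from the post.

```python
"""Roll one set of malware incident records up to three audiences.

Added example, not code from the original post. The incident records,
field names (host, family, detected, cleaned, data_exposed) and the
fleet size are constructed sample data.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, median

# Constructed sample incidents: one record per cleaned-up infection.
INCIDENTS = [
    {"host": "ws-0412", "family": "Emotet", "detected": "2024-03-02T09:14",
     "cleaned": "2024-03-02T13:40", "data_exposed": False},
    {"host": "ws-1187", "family": "Emotet", "detected": "2024-03-05T11:00",
     "cleaned": "2024-03-05T15:30", "data_exposed": False},
    {"host": "ws-0931", "family": "Qakbot", "detected": "2024-03-19T16:05",
     "cleaned": "2024-03-21T10:05", "data_exposed": True},
    {"host": "ws-2204", "family": "AgentTesla", "detected": "2024-04-08T08:00",
     "cleaned": "2024-04-08T09:30", "data_exposed": False},
    {"host": "ws-0077", "family": "Qakbot", "detected": "2024-04-22T14:20",
     "cleaned": "2024-04-23T02:50", "data_exposed": False},
]
FLEET_SIZE = 10_000  # assumed number of managed desktops

_FMT = "%Y-%m-%dT%H:%M"


def _hours_to_clean(rec):
    """Elapsed hours between detection and clean-up for one record."""
    detected = datetime.strptime(rec["detected"], _FMT)
    cleaned = datetime.strptime(rec["cleaned"], _FMT)
    return (cleaned - detected).total_seconds() / 3600


def engineer_view(incidents):
    """Security engineer: full per-host detail plus hours to clean."""
    return [dict(rec, hours_to_clean=round(_hours_to_clean(rec), 1))
            for rec in incidents]


def manager_view(incidents, fleet_size):
    """IT manager: monthly counts, rate per 1,000 endpoints and clean-up
    time. Hosts and malware families are abstracted away."""
    by_month = defaultdict(list)
    for rec in incidents:
        by_month[rec["detected"][:7]].append(_hours_to_clean(rec))
    return {
        month: {
            "infections": len(hours),
            "per_1000_endpoints": round(len(hours) / fleet_size * 1000, 2),
            "mean_hours_to_clean": round(mean(hours), 1),
            "median_hours_to_clean": round(median(hours), 1),
        }
        for month, hours in sorted(by_month.items())
    }


def executive_view(incidents):
    """CEO: only incidents that exposed critical data, with the longest
    time any such incident stayed open. Routine infections do not appear."""
    significant = [rec for rec in incidents if rec["data_exposed"]]
    worst = max((_hours_to_clean(r) for r in significant), default=0.0)
    return {
        "significant_incidents": len(significant),
        "families": sorted({rec["family"] for rec in significant}),
        "worst_hours_to_contain": round(worst, 1),
    }


if __name__ == "__main__":
    for row in engineer_view(INCIDENTS):
        print("engineer:", row)
    for month, stats in manager_view(INCIDENTS, FLEET_SIZE).items():
        print("manager:", month, stats)
    print("executive:", executive_view(INCIDENTS))
```

The point of structuring it this way is that every number in the executive summary can be traced back through the manager view to individual records, which is what makes the metric defensible when someone asks where it came from.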

Security metrics are not perfect. The numbers you present don't have to be ironclad, but they do need to be defensible: you should be able to say where each figure came from and how it was derived. If you are a security leader and you aren't doing this already, I suggest starting with a few metrics that tell your story better than before. From there you can tune and adjust to make them more relevant each time. But the most important part is to start.

For more on this topic, view this presentation I delivered at Gartner’s Security & Risk Management Summit in Sydney last August.