Security reporting – are you focused on the right things?
Many boards find the technical details unhelpful at best and distracting at worst. Yet some of that insight is necessary if you want your board to make informed decisions.
For many CISOs, the dashboard is the most common way to show security status. It should provide an overview of how the security function is performing and alert the team to problems. However, many dashboards fail to deliver what the company’s leadership team actually needs to know.
The big problem around security dashboards is that perception can be harder to manage than reality. Security teams are busier than ever, tracking ever more vulnerabilities, attack patterns, misconfiguration problems and AI issues.
The problems may also be unevenly distributed. A business unit can follow an aggressive patching cycle and run high-tempo operations and still see its risk score stay stubbornly high, because the score counts findings rather than what those findings would cost the business.
In response, I have seen teams cherry-pick the networks they report on in order to keep the dashboard “all green.” Other teams provide so much technical detail that the board cannot sustain its interest or see any value, even though the budgets involved run into the millions.
Alongside this, many dashboards use heatmaps to display the level of risk. The visual language of green as good and red as bad is universal. But it simplifies the problem too much and has no mathematical validity: the colours are ordinal labels, not quantities. How can you add a “Red” risk to a “Yellow” risk and derive a meaningful sum for the board?
Furthermore, without a business context, these tools fall victim to the “Silly Server” paradox. A neglected, non-revenue-generating test server laden with bugs creates the exact same statistical noise as a highly targeted, internet-facing payment gateway.
So how can you show what you are working on effectively? It requires a rethink of what information you are trying to provide and what decisions you want to influence.
Going back to first principles, why do we need security? A company succeeds when the leadership team decides where to concentrate, where its products or services can win in the market, and how to back those decisions with investment. Without effective security, companies cannot function. Yet good security does not automatically lead to stronger performance in the market.
Instead, company leaders need insight into what risks exist and how likely they are to result in unacceptable losses. Those losses might be direct, like theft or losing the ability to trade, or indirect, like fines for non-compliance. Each issue has its own likelihood and its own level of impact, and combining the two in monetary terms yields a figure that can be expressed as Value at Risk.
For security leaders, communicating that Value at Risk figure should be the starting point. It might be hard for executives who are used to absolute precision to embrace this. They fear Value at Risk is a woolly figure based on rough estimates. However, board teams are highly accustomed to dealing with risk and making decisions under uncertainty.
CISOs can look at risk quantification as a way to deliver information to the board in a format that helps them. It gives them a better understanding than dashboards or heatmaps.
Rather than a simplistic approach, it puts monetary values against potential risks. This ensures that the board can understand the level of business impact when they are making a decision. Where capital is at risk, boards are more likely to pay attention.
This is not an exact science as yet. The “unknown unknowns” or black swan events that can’t be predicted still have to be managed. New IT issues or software vulnerabilities can be understood quickly. They can also be added into the risk pipeline based on how much business impact they could have.
Rather than trying to make these models perfect from the start, the ideal approach is to get started and then iterate. Over time, new risks will be found that represent significant threats; older issues might become more serious based on other developments. A monetary value for those issues linked to potential revenue loss or capital at risk makes it more likely that the board will take critical issues seriously.
The ultimate benefit of this automated, quantitative approach is that it puts a monetary Return on Investment value against your current security controls. It allows you to demonstrate how existing processes manage and reduce risk over time. It is a far more effective method to get board support than a dashboard of green lights.
When those existing controls are not enough to reduce risk to an acceptable level, you can use this calculus to demonstrate why more budget is needed and where it will be used to protect business value.
Use simple frameworks to deliver information, like the “What? So What? Now What?” approach. It makes it easier to communicate business risk. This shifts the focus away from the minutiae of external threats. It places it firmly on what the team is actively doing to reduce risk right now.
The metric of success is no longer “vulnerabilities patched,” but the Risk Burndown Rate: the rate at which probable financial exposure is eliminated, per unit of time or per unit of spend.
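The following Python sketch is an added example, not code from the article or a description of any vendor's model. It puts numbers to the argument above: two scenarios that would both sit as “Red” on a heatmap are simulated with a simple Monte Carlo model (Poisson event count per year, lognormal loss per event fitted to a 90% confidence range), which yields an expected annual loss, a 95% Value at Risk, and a burndown figure once a control is applied. Every scenario name, frequency, loss range and the control cost below is a constructed illustration, not real data; the `Scenario` type and helper functions are assumptions of this example.

```python
"""Added example: Monte Carlo risk quantification for board reporting.

Not the article's or any vendor's model. Inputs are an assumed annual
event frequency and a 90% confidence range for loss per event.
All figures below are constructed for illustration.
"""
import math
import random
from dataclasses import dataclass, replace
from statistics import mean


@dataclass(frozen=True)
class Scenario:
    name: str
    heat: str               # colour the scenario would get on a heatmap
    events_per_year: float  # expected loss events per year
    loss_low: float         # 5th percentile of loss per event (currency units)
    loss_high: float        # 95th percentile of loss per event


Z90 = 1.645  # z-score bounding a two-sided 90% interval


def poisson(rng, lam):
    """Knuth's method: number of loss events in one year with mean rate lam."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def annual_losses(scn, years=10_000, seed=1):
    """Simulate total loss for each of `years` years; fixed seed for reproducibility."""
    rng = random.Random(seed)
    # Fit a lognormal so that its 5th/95th percentiles match the stated range.
    mu = (math.log(scn.loss_low) + math.log(scn.loss_high)) / 2
    sigma = (math.log(scn.loss_high) - math.log(scn.loss_low)) / (2 * Z90)
    out = []
    for _ in range(years):
        n = poisson(rng, scn.events_per_year)
        out.append(sum(rng.lognormvariate(mu, sigma) for _ in range(n)))
    return out


def expected_annual_loss(losses):
    """Average loss per simulated year (the 'probable' exposure)."""
    return mean(losses)


def value_at_risk(losses, confidence=0.95):
    """Loss not exceeded in `confidence` of simulated years."""
    ordered = sorted(losses)
    return ordered[min(int(confidence * len(ordered)), len(ordered) - 1)]


def risk_burndown(before, after, control_cost):
    """Exposure removed by a control and its return per unit of spend."""
    removed = expected_annual_loss(before) - expected_annual_loss(after)
    return {"exposure_removed": removed, "roi": (removed - control_cost) / control_cost}


# Constructed scenarios: both would be "Red" on a heatmap (the Silly Server paradox).
SILLY_SERVER = Scenario("neglected test server", "Red", 3.0, 1_000, 20_000)
GATEWAY = Scenario("internet-facing payment gateway", "Red", 0.2, 500_000, 5_000_000)
# Assumed control: a patching SLA plus compensating control halves gateway event frequency.
GATEWAY_WITH_CONTROL = replace(GATEWAY, events_per_year=0.1)
CONTROL_COST = 120_000  # assumed annual cost of that control


if __name__ == "__main__":
    for scn in (SILLY_SERVER, GATEWAY):
        losses = annual_losses(scn)
        print(f"{scn.name:32} heat={scn.heat:4} "
              f"EAL={expected_annual_loss(losses):>12,.0f} "
              f"VaR95={value_at_risk(losses):>12,.0f}")
    burn = risk_burndown(annual_losses(GATEWAY), annual_losses(GATEWAY_WITH_CONTROL), CONTROL_COST)
    print(f"control removes {burn['exposure_removed']:,.0f} of annual exposure, "
          f"ROI {burn['roi']:.0%}")
```

Run as a script, the two “Red” scenarios come out more than an order of magnitude apart in expected annual loss, which is the distinction the heatmap hides and the board actually needs. The honest part of the exercise is the inputs: the frequency and loss range are estimates that get refined as incidents, pen-test findings and control changes arrive, which is exactly the “start, then iterate” approach the article recommends.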
Dashboards still have their place in operational environments. They provide a fast response to meet service levels. This can be the difference between happy clients, or serious conversations. For board teams, using Value at Risk to display monetary impact is a better approach to flagging what risks exist. It shows what is being done to deal with them, and what needs to change over time.
For the really savvy teams, it can then lead to conversations around how to improve the speed of fixes or reduce the number of issues by improving burn-down rates around long-term issues. Getting the right information to the board around risk is an essential skill to develop. Ditch the dashboard, and put your money where your mouth is.
Qualys, Inc. (NASDAQ: QLYS) is a leading provider of disruptive cloud-based security, compliance and IT solutions with more than 10,000 subscription customers worldwide, including a majority of the Forbes Global 100 and Fortune 100. Qualys helps organizations streamline and automate their security and compliance solutions onto a single platform for greater agility, better business outcomes, and substantial cost savings.
The post Security reporting – are you focused on the right things? appeared first on Enterprise Times.