Like all other business leaders, chief information security officers (CISOs) could find themselves on the unemployment line if something on their watch goes seriously sideways.
But what if CISOs simply aren’t demonstrating enough business value?
Now with a possible recession looming and companies cutting costs, proving cybersecurity programs are good for the business has become vital to protecting budgets and jobs.
That’s why performance benchmarking is becoming mandatory for cybersecurity leaders everywhere. Indeed, industry analyst firm Gartner predicts that by 2026, half of all C-level execs will have performance requirements tied to risk built into their employment contracts. Such incentives tend to focus the mind.
Pressure builds for cybersecurity benchmarking
As executives increasingly face risk-based performance metrics, CISOs will almost certainly feel more heat to quantify the success of their programs in meetings and reports. That means jumping out of their tech-oriented comfort zones and putting more priority on business issues like improving innovation, investment outcomes, and cybersecurity maturity.
“CISOs struggle to talk to the C-suite because what they want to know is, ‘Am I safe? Am I secure?’” says Frank Dickson, group vice president of security and trust at market intelligence firm IDC. “What CISOs tend to do, however, is report a bunch of activity-related features that don’t answer those questions, which annoys CEOs.”
What CISOs need to emphasize, Dickson says, is how their activities will reduce risk. To that end, performance benchmarks enable leaders to monitor progress toward risk reduction and demonstrate how their programs stack up against internal goals as well as their peers. Moreover, they let CISOs capture and present business-relevant data.
“Boards and management teams are much more involved in cybersecurity these days,” says Lou Celi, CEO of ThoughtLab Group, a global research firm. “They want to make sure they’re not falling behind the eight ball. They don’t want to be doing less than others.”
Time to pick a standard
Numerous industry and association IT security frameworks can be useful for benchmarking, including the National Institute of Standards and Technology (NIST) Cybersecurity Framework, the Department of Defense’s Cybersecurity Maturity Model Certification (CMMC), the International Organization for Standardization (ISO) 27000 series of standards (ISO 27001 and 27002 are common for cybersecurity), and the Information Security Forum (ISF) Standard of Good Practice for Information Security. Most organizations and benchmarking tools build on frameworks of this kind.
Dickson says all these frameworks can be worthwhile to examine but notes their applicability and utility can vary by industry. He says it’s a good idea to research and compare them and then “pick one that works for you.”
If properly implemented, programs aligned to cybersecurity benchmarks can reduce the probability of network breaches. In fact, a recent ThoughtLab survey of 1,200 large companies found those that are further along in applying the NIST Cybersecurity Framework outperform others on key metrics like time to detect a breach (119 days for advanced organizations vs. 132 days for everyone else). Leading organizations also had fewer annual material breaches, according to the report.
Those are the kinds of stats boards and C-suites love to hear. They indicate an organization faces a lower risk of attack, which helps communicate to the public that it is protecting not only its own data but also the data of its customers and partners.
With a lower likelihood of being seriously hacked, a company is also far more agile and able to innovate, which can create competitive advantage.
“If you have your house in order and can display a degree of agility, you can show leaders you’re driving a ‘shift-left’ mentality,” says Paul Watts, distinguished analyst with the ISF. “This is where you are taking a proactive stance for security in your organization against people, processes, and technology. It means you can pivot and do things in quick and innovative ways. You have the agility to try new things.”
Approaches can vary
Still, gathering relevant data that shows how an IT security team is mapping to key standards can be tedious and tricky. Not all organizations do this particularly well.
Many, for example, still take a DIY approach. They select a standard, assign staff to collect performance data from around the organization, and plug that data into spreadsheets. The trouble is that data gathering can be extremely time consuming, and by the time the final results are entered, they’re often outdated. As a result, reports to the board or C-suite may be less useful for business decision-making than they could be.
Another approach is to hire a consultant to do a cybersecurity benchmarking analysis. This provides immediate resources and expertise that the CISO’s staff may not possess, and these outsiders are also likely to have a more up-to-date feel for the changing cybersecurity frameworks landscape than in-house staffers. They can give companies a general idea of their security postures, but like the DIY approach, these are snapshot-in-time assessments that may not provide the most relevant context for senior leaders.
A third approach is to invest in third-party performance benchmarking tools that can look across an enterprise, collect relevant data at scale, and report back in real time. Real-time tools ensure results aren’t stale on delivery.
Plenty of benchmarking tools are available. Some vendors, for instance, have released tools featured within their products or sold in tandem with them. The best tools allow organizations to compare their IT risk metrics in real time against industry peers and immediately fix issues from the same console. Associations such as the ISF also provide free cybersecurity benchmarking tools to their members, while groups like the Security Industry Association (SIA) offer useful benchmarking studies. Gartner also plans to provide its own benchmarking tool.
The bottom line: Organizations have plenty of paths for benchmarking performance. Combining several approaches can be useful. In fact, it’s advisable, because benchmarked information is sometimes based on small, unrepresentative sample sets. Mixing internal and external data, therefore, can provide a broader and more balanced view of an organization’s progress against metrics.
To make sure metrics are aligned to the needs of the business, CISOs should have ongoing conversations with board members and senior leaders to understand changing priorities. The ISF’s Watts says these conversations should assess how much risk leaders are willing to stomach over time.
“[Firms] have different appetites for risk,” he says. “The embryonic startups are generally willing to take a bit more risk, as they’re trying to grow and are willing to trip over their shoelaces. Larger organizations, especially those that are highly regulated or held to account by investors, tend to be more risk-averse.”
Watts adds that CISOs should work with senior leaders to determine what level of cybersecurity maturity an organization should aim for and agree on paths for turning that position into competitive advantage.
Brogan Ingstad, vice president of risk advisory at Teneo, a global CEO advisory firm, says CISOs should also make sure they’re evaluating actual cybersecurity metrics. Some leaders, he says, believe operational concerns, such as head count and budget, count as cybersecurity metrics. While those figures are important from a management standpoint, CISOs should be more focused on demonstrating an organization’s progress against security-specific benchmarks or goals, he says.
It’s also important to avoid boiling the ocean with metrics, says IDC’s Dickson. Often, CISOs think they must chase 10 or 20 categories of metrics, when they’d be better off targeting just a few. Dickson recommends three: security efficiency, risk, and business value.
“In security, a lot of times we get caught up in trying to be perfect,” he says. “Perfect is the enemy of good, and with metrics it’s OK to be good enough.”