What metrics do CISOs need?
It’s a question I hear daily when I meet with CISOs and CIOs from some of the world’s best-known organisations across finance, retail, aerospace, media, telecom, consulting and many other industries. Wherever our conversation takes us, the underlying issue is one of confidence. Is the data current, complete and in the context of the organisation, and do my peers in risk, compliance and operations tell a similar story? If they don’t, shouldn’t they be comparing notes? And how did we come to accept less than 100 percent as an “acceptable” benchmark for anything, whether patch compliance or another critical IT function?
I’ve been sharing Tanium’s 2019 Resilience Gap study with many of these CIOs and CISOs, along with IT directors and other leaders in adjacent roles related to overall IT performance. CIOs and CISOs often battle to balance two core business requirements: system uptime (availability) and effective security (patching). As the Resilience Gap research underscores, the latter often falls down the pecking order thanks to legacy concerns regarding deployment efficacy, coverage and appropriate reporting.
I share this data with CISOs and they nod, sometimes with a sigh. One CISO recently told me that his team reported 95% compliance across endpoints, and I asked him to clarify what that meant. That’s the metric he provides to his CIO, he said, who includes it in his regular reporting to the CFO, CEO and board of directors. But the CISO had no precise way of knowing how many endpoints, managed or unmanaged, that 95% was referring to, save for a relative approximation. This is a hard thing to admit, but it happens daily. Tanium’s study holds that more than 80% of CIOs and CISOs have refrained from making an important security update or patch – sometimes more than once – due to concerns over the impact to business operations.
How can we manage our risk if we don’t know how much risk we have?
It isn’t as though we’re resisting progress. We have asked our CISOs and technical leads to think beyond the traditional aim of their jobs. They must manage the IT estate, yes, but also use their knowledge and expertise to drive digital transformation, strengthen the overall security and resilience posture of the organisation, and make IT an enabler instead of a cost center, all things that we’ve been hearing for years. But we look at operations and cybersecurity primarily in terms of physical or technical architecture and accept certain limitations when it comes to visibility and control. That’s not helping us have a better business conversation. How can we manage our risk if we don’t know how much risk we have?
Here’s a common scenario that plays out in executive meetings all the time, though especially this week given the news around CVE-2019-0708, the “wormable” Windows bug.
- The CISO is pulled in and asked if the business is vulnerable to CVE-2019-0708. The CISO promises to run a scan but knows that with legacy technology that could take weeks.
- If vulnerable, the CISO is asked how long it will take to deploy the needed patches. The CISO remembers that the last time there was a “break glass” security issue, it took 20 days to achieve 95% patch deployment, but that the number may be closer to 75% because the team isn’t certain how many endpoints it truly has.
- Among those endpoints, it would be valuable for the CISO and for the business to know how many run Windows 8 or 10, and therefore aren’t affected by CVE-2019-0708. That data unfortunately can’t be easily found.
These are all issues of visibility and control of the IT estate. Among cloud, digital transformation, compliance, security and all of the things that dominate an IT leader’s time, it’s not prudent to ask everyone to go “back to basics” — the jobs of the CIO and CISO are simply not the same as they were 20, 10, or even five years ago. But if 94% of CIOs and CISOs admit they have to make concessions in how well they can protect their organisations from disruption, we need to have a true grasp on our IT estate, data upon which we can make quality decisions and the ability to remediate, patch and perform other actions without delay.
The CISO and CIO jobs get easier — and the business’ risk is better managed — when we insist on fundamentals. There’s nothing more fundamental to a resilient IT estate than full visibility and control. We’re giving up much more than we realize when we accept limited visibility.