Recently I had the opportunity to lead a panel at the Global CISO Forum in Atlanta, GA. Our panel topic was a discussion on how to avoid FUD in selling security. FUD is an acronym for Fear, Uncertainty and Doubt. The topic focused on CISOs “selling” security to the board and other C-level executives. Using FUD as a way to sell security is a terrible idea. The whole notion of “the sky is falling on our heads” not only lacks professionalism but destroys credibility in our industry. Here are six ideas we discussed as alternatives to FUD:
1. Independent Risk Assessments. Risk assessments seek to scientifically quantify risk through the analysis of vulnerabilities, threats, likelihood, loss or impact, and the effectiveness of security measures. Quantifying risk using established standards – for example ISO 27005 and NIST SP 800-30 – results in objective assessments that can be used to assign priorities and create benchmarks.
2. Security Strategy and Roadmaps. Every mid-size and large organization needs a security strategy. Sharing the security strategy with senior executives lays out the CISO’s vision and risk tolerance. Regular updates based on events in your industry help to highlight issues and gaps.
3. Education and Relationship Building. Information security is often a giant mystery in the board room. The CISO needs to bridge this knowledge gap and develop strong C-level relationships.
4. Talk to Customers and Partners. If you want to gauge how important security is to the business bottom line, get feedback from customers and partners. Use a survey and find out what compliance requirements they care about (PCI, HIPAA) and what they fear the most. No customer wants to see “Data Breach” in your press release.
5. Metrics and Benchmarks. Metrics are a vital tool to assess how well one is performing. A person’s blood pressure should be less than 120/80; if you run marathons you measure your time; at school we get ranked by a report card. Similarly, in cybersecurity we need to ensure:
Metrics are meaningful: Tie metrics to cybersecurity processes, for example the number of detected vulnerabilities.
Metrics are reproducible: Develop rigorous procedures, checklists and objective definitions, for example what is considered a vulnerability and how vulnerabilities are classified.
Metrics are manageable: Leverage existing automated sources of data and make practical decisions to narrow the scope as needed.
For more info on metrics, take a look at NIST 800-55 and NIST 800-100 – section 7 has a good summary.
Cybersecurity is in the news almost every day. But what happens when everyone gets breach fatigue and the headlines fade? Unless we build a strong foundation, the cybersecurity budget is also going to fade away, without regard for risk. As CISOs we need to recognize that the best customers for security are also the most knowledgeable.
Trevor Horwitz
TrustNet, CISO