BLACK HAT ASIA 2022 – When it comes to demonstrating the value of cybersecurity to a business, one of the biggest challenges is communicating ROI to the C-suite. The entrenched perception of security as an obstacle to productivity makes it very difficult for security engineers and non-technical management to be on the same page.
During a keynote at Black Hat Asia this week, George Do, CISO at Gojek and GoTo Financial and a former cyber pro at NASA, addressed how to get security seen as an important part of the company for all departments, not just the CISO's office. It starts, he said, with effectively quantifying security's effectiveness.
“All of your investments in security, all of your hiring, all of your projects, all of the blood, sweat and tears that security personnel put into the trenches – does it matter? Does it matter?” he asked during the presentation, titled “Move the security needle from the security trenches to the conference room.” “You have to be able to answer that” and show why.
Breakdowns in communication
Security teams often face an uphill battle internally because of a lack of communication between departments. Take, for example, the common misconception among rank-and-file workers that security exists to make everyone's life more difficult. Do called it “ivory tower security,” where the security function appears to everyone else as remote and prone to issuing a litany of “noes.”
“A lot of our organizations view the security team as a technical roadblock,” Do said. “We’re CIS-NOs, right? They think we sometimes do things in a vacuum, that we don’t understand the impact of the business or at least understand, you know, the pain points of the company. There is distrust of the security team.”
He added, “The more processes and gates we put in place, the more it slows down business and adds friction. Often we don’t weigh enough in our selection of how we are going to design something.”
Another communication pitfall exists between the CISO, the CIO and the CTO. All three are often brought together in the boardroom without being on the same page, which opens the door to adversarial or competitive relationships. But it is vitally important for CISOs to treat the other technology leaders as partners and stakeholders, Do said.
“It’s not for the CISO to say, ‘Hey, CIO and CTO, these are all bad things going on in your organization. You have to fix it,’” he explained. “The best idea is to team up together for a presentation to present to the board, so whatever issues we report, there’s a plan of attack, and we can communicate on how we’re doing, let’s get out of this plan of attack.”
Another important strategy is to remind board members that they have skin in the game.
“Board members have what they call a fiduciary duty, which means that if the organization is hacked or compromised and it turns out that the board members weren’t focused on that area of risk to the organization, they can be held accountable,” Do said.
Do encouraged audience members to weigh the overhead of every tool or program added to the security stack.
“Every logo you add to your security program will add a bit of technical debt,” he explained. “You have to consider the cost of setting up new processes, the hours of work, the impact on the business, [and] the cost of the product itself.”
5 key tips for communicating security effectiveness
Do also presented a five-point plan for communicating the importance of security programs across the entire company and for quantifying their return on investment.
1. Know your audience: When communicating security results, it is important to use language that board members and business leaders can understand, Do pointed out. That includes simple rules such as avoiding jargon and acronyms.
It is also essential to understand that different stakeholders have different perspectives. Security engineers may treat the number of attacks blocked by the firewall as a measure of success, while IT security managers and directors prefer to know about successful attacks and whether systems were able to detect and respond to them. CISOs, meanwhile, want to know what could be done to prevent further breaches, while the CEO and board are more interested in whether the organization lost money, suffered downtime, or ended up with legal liability or brand and reputational damage.
“These are all very different questions, all equally important,” Do said.
2. Don’t start with metrics: It may seem counterintuitive, Do said, but it’s important to start with business goals when defining security effectiveness.
“You can be a hospital, a government agency, a commercial company; whatever you are, you have commercial goals, so start with that,” Do advised. “That’s how we generate revenue. That’s what we provide to the industry. What are the cyber risks to this business, whether or not you’re in the cloud, your user base, your base of customers? Understanding this will inform you of what the metrics should be.”
3. Be quantitative: Once the metrics are set, the organization's security roadmap needs to be aligned with them. That means every investment in projects, products, labor, processes and so on must serve those metrics.
“The metrics should be public information, so every team in the company knows what your goals are and that they’ve been approved. It’s not something that security cooks up in the kitchen in a silo,” Do said.
It’s important to measure what success means in numbers, not anecdotes or qualitative statements, Do added: “You have to be able to measure it and repeat it.”
4. Remember that security is teamwork: Do pointed out that security teams too often adopt an us-versus-the-world attitude. In reality, everyone owns security processes, and that should be communicated as such, with clear roles and responsibilities for security in each department.
“Even areas like the procurement team may need to own some of the security processes, for example,” Do said. “It literally takes a village to secure an organization, not just a security team. And by recognizing that, you can avoid confusion about who is in charge, who is accountable, who is consulted and who is informed. [That’s] critically important because it sets expectations up front with your stakeholders about who owns what.”
5. Pair empowerment with accountability: Once security roles have been determined and it is clear who is responsible for what, it is equally important to hold those people accountable.
“Empowered means, do I have the power to achieve my goal of, say, patching, for example? Do I have the budget? Do I have the processes in place? Do I have the people to carry out what I am responsible for?” he explained.
In closing, Do cautioned security teams to realize that implementing these best practices will be a journey with many hurdles, but it’s important to persevere.
“Always, without exception, we all face some level of challenges in this paradigm, which is measuring security, and how do we communicate to our board of directors, our owners, our shareholders, that we are moving the needle with security?” he said.
Do added, “Some organizations can transform in no time; they can adopt this model quickly. Others will take a year or more because of bureaucracy, politics, process, whatever. But I would say that doesn’t stop you from pushing that model.”