By Lewie Dunsworth, EVP Technical Operations, Herjavec Group
The good news is that the CEO and board are more engaged in cybersecurity conversations than ever before. C-Level members are no longer passing off responsibility. CISOs aren’t educating in the board room as they used to – and trust me, I’ve been in their shoes. The board is asking the right questions and holding their teams accountable. I would confidently say the C-suite is maturing when it comes to security knowledge.
Keep in mind, each player around that table may have slightly different priorities:
- CEO – Concerned with the reputation of the company in the event of a breach. How could credibility, customer retention and overall stock price/business value be impacted?
- CFO – How will we fund ongoing security initiatives? Are we maximizing the value of our investments today? What risk remains and what risk are we sharing with 3rd parties, including contractors, suppliers, and customers?
- COO – Will any business operation be impacted by the security program or new technology roll out? Is the roadmap on schedule? What is our incident response plan to regain business operation in the event of a breach?
At the end of the day the C-Suite shares mutual concerns about security risk and liability in the event of a breach. How you communicate this and keep them informed is pivotal.
As security becomes a more digestible topic of conversation at the quarterly board meeting it’s imperative CISOs have the proper metrics to measure their progress and the inherent risks that remain. Herjavec Group recommends aligning early with your executive leadership team on a Security Roadmap – then developing key performance indicators (KPIs) that you can report on so status updates and progress measurements are concise, clear and continue to be digestible.
I’ve summarized a sample roadmap below and a recommended template with 5 Key Performance Indicators to keep your security program on track:
- Mean Time To Detect and Contain – Measures the effectiveness of your controls, monitoring and response time. We recommend you compare to the industry average, and compliance requirements to reduce liability concerns.
- Vulnerabilities Per Host – Demonstrates the importance of an effective security hygiene program. Provides the opportunity to highlight your effectiveness in patch management.
- Control Efficacy – Review and critique of security stack to measure the effectiveness of security controls. Highlight current coverage as well as scheduled investments/areas of improvement. Demonstrates your ability to protect the business and highlights any gaps/risks that remain.
- Audit and Compliance – Provide a progress update on audit findings and inform on new compliance measures the board needs to be mindful of.
- Key Dates/Achievements – Highlight upcoming program milestones, share key dates that were hit/missed, etc.
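As an added example (not from the article or Herjavec Group), the first two KPIs above can be computed from incident and vulnerability-scan records and compared against a target; the records and the target values here are constructed, with the targets standing in for the industry average or compliance requirement you would substitute:

```python
from collections import Counter
from datetime import datetime
from statistics import mean

# Constructed sample incidents (not real data): ISO 8601 timestamps for when
# the activity began, when it was detected and when it was contained.
INCIDENTS = [
    {"id": "INC-1", "started": "2023-03-01T08:00", "detected": "2023-03-01T20:00", "contained": "2023-03-02T08:00"},
    {"id": "INC-2", "started": "2023-03-10T00:00", "detected": "2023-03-12T00:00", "contained": "2023-03-12T06:00"},
    {"id": "INC-3", "started": "2023-03-20T09:00", "detected": "2023-03-20T15:00", "contained": "2023-03-21T03:00"},
]
# Constructed host inventory and scanner findings (host, finding id, severity); app-01 is clean.
HOSTS = ["web-01", "web-02", "db-01", "app-01"]
FINDINGS = [
    ("web-01", "F-101", "critical"), ("web-01", "F-102", "high"), ("web-01", "F-103", "low"),
    ("web-02", "F-102", "high"),
    ("db-01", "F-201", "critical"), ("db-01", "F-202", "medium"),
]
# Assumed reporting targets (hours, and open findings per host).
TARGETS = {"mttd_hours": 24.0, "mttc_hours": 8.0, "vulns_per_host": 1.0}

def _hours(start: str, end: str) -> float:
    """Elapsed hours between two ISO 8601 timestamps."""
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 3600

def mean_time_to_detect(incidents) -> float:
    """Average hours from start of activity to detection."""
    return mean(_hours(i["started"], i["detected"]) for i in incidents)

def mean_time_to_contain(incidents) -> float:
    """Average hours from detection to containment."""
    return mean(_hours(i["detected"], i["contained"]) for i in incidents)

def vulnerabilities_per_host(findings, hosts) -> dict:
    """Open findings per inventoried host, overall and by severity.
    Dividing by the full inventory keeps clean hosts in the denominator."""
    result = {"all": len(findings) / len(hosts)}
    result.update({sev: n / len(hosts) for sev, n in Counter(s for _, _, s in findings).items()})
    return result

def kpi_report(incidents, findings, hosts, targets) -> dict:
    """Each KPI with its value, its target and whether it is on target."""
    values = {"mttd_hours": mean_time_to_detect(incidents),
              "mttc_hours": mean_time_to_contain(incidents),
              "vulns_per_host": vulnerabilities_per_host(findings, hosts)["all"]}
    report = {k: {"value": round(v, 2), "target": targets[k], "on_target": v <= targets[k]} for k, v in values.items()}
    # Hosts carrying critical findings, so the board sees where patching lags.
    report["hosts_with_critical"] = sorted({h for h, _, s in findings if s == "critical"})
    return report

if __name__ == "__main__":
    for kpi, row in kpi_report(INCIDENTS, FINDINGS, HOSTS, TARGETS).items():
        print(kpi, row)
```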
Sample Security Roadmap
Herjavec Group often customizes a security roadmap with our customers to ensure we are on the same trajectory regarding their security controls, planning, and investments. It is imperative we communicate openly about investment, risk, and timelines to set our partner CISOs up for success as they present Security Key Performance Indicators to their respective boards. We typically review these programs quarterly with the KPIs highlighted above in mind.
Year 1: Build Your Security Foundation
- Have you undergone an assessment for your current security program?
- When was the last penetration test performed?
- Have you conducted a full review of your technology stack?
- Do you have a Managed Security Services Provider partnership in place? If so, what is the status of your onboarding and support?
- Have you developed an Incident Response Plan? Has it been communicated internally, and was it amended for any findings from the penetration test?
Year 2: Have Proactive Measures in Place
- Have you conducted table-top and red-teaming exercises to test the efficacy of your security program improvements over the last year?
- Have you engaged an Incident Response team on retainer in the event of a cyber-attack?
- Have you evaluated how Threat Management could bolster your SOC Operation & Threat Detection abilities?
- What Security Workflows do you have covered through playbook orchestration? Have you evaluated a Managed Detection & Response service to advance your use of workflow automation?
Year 3: Implement Workflow Orchestration
- Have you kept up with your security testing? We recommend alternating penetration tests and red team exercises each year unless you have a compliance requirement for pen tests on an annual
- Have you implemented a security awareness program across your employees? When was your last social engineering exercise to determine the likelihood of your organization falling victim to insider threats?
- Have you renewed your incident response retainer?
- Have you augmented the tools logging to your SIEM within your Managed Security Services Provider partnership?
- Do you have dedicated Threat Hunting Support?
- Have you advanced your use of MDR services?
After a three-year cycle, it’s common to refresh the complete program, review the foundation and step back to consider how the business has changed.
- Perhaps M&A activity altered your security priorities?
- Maybe you inherited a mandate to bring security services in house in year two?
- Could it be that the introduction of a new compliance measure threw your plans off track?
Take time to reflect on the Security Roadmap set out in year 1 and evaluate what is still critical to your success going forward. How has the program performed relative to the KPIs you aligned on?
As Bruce Schneier, an American cryptographer and author, famously stated, “Security is a journey, not a destination.”
While the only thing constant in our industry is change, with a strong security roadmap and digestible metrics, you will be well on your way to inspiring the confidence of your executive board and ensuring their commitment and accountability to your organization’s security program.
- How would you summarize your security program metrics to your executive team?
- Do you have an aligned security roadmap and key performance indicators that you share on a regular basis?
- Do you have open conversations with your security partners about how they augment and support your overall security roadmap?
About Lewie Dunsworth
Lewie Dunsworth is CISO & Executive Vice President of Technical Operations at Herjavec Group, bringing more than 17 years of information security experience to the role. Prior to Herjavec Group, Lewie held executive roles as the CISO at H&R Block and the SVP of Advisory Services & Managed Services at Optiv. His business-forward approach helps companies create a balanced strategy and effective security program, to adequately protect their most critical assets. He earned his Bachelor of Science degree in Network and Communications Management from DeVry University and a Master of Business Administration, Executive from the University of Missouri in Kansas City. He is also a Certified Information Systems Security Professional (CISSP).