The business value of security: the role of metrics

CISO INTERVIEW SERIES — August 2019

Once seen as a barrier to innovation, chief information security officers (CISOs) are increasingly showing how they can help their organizations to achieve strategic goals. In our interview series with leading CISOs on how they not only ensure security but also prove its commercial value, we focus on the critical role of metrics. Other interviews in the series explore the pressure to show ROI from security investment and CISO leadership skills in showing business value.


Featured CISOs:

• Brian Hintze, director of cybersecurity and network management, Fujitsu Network Communications

• Becky Pinkard, CISO, Aldermore Bank

• Paul Watts, CISO (UK & Ireland), Domino’s Pizza Group.

How do you present security objectives to the rest of the business?

Brian Hintze: Reputational protection plays a role in that. We will look at projects where we store certain types of customer data or have access to it and think about the risk if we were to lose control of it. In some cases, the reputational risk would be exceedingly high. As an IT services provider, we’re expected to be able to deliver our services in a highly secure manner. If we’re storing personally identifiable information and an attacker steals it from us, the reputational damage would be extreme.

That kind of breach would certainly leave questions in potential customers’ minds about whether or not they want us to provide their cybersecurity services. So reputation is immensely important to us. As well as holding data, this branch of Fujitsu also provides critical infrastructure components, so there’s a variety of reasons that our customers find it important to be able to trust us. If we fall short, we’re going to lose their business.

Becky Pinkard: As security becomes ever more integrated and mandatory for successfully running a business, leaders are looking to map expectations and desired outcomes in a way that makes sense to the board and the shareholders. This means moving away from the FUD (fear, uncertainty and doubt) messaging that security has grown up on, and maturing into the language of business.

Paul Watts: I think there’s a trend away from focusing on risk and control alone towards aligning with business performance indicators. That said, there’s still a place for more traditional KPIs regarding security operations and risk management — just not necessarily aimed at the board.


Are CISOs required to translate their data and adapt their language so that they can be better understood by business leaders?

Hintze: I do think we need to tailor our language to the audience, but it can be a struggle — and I know other CISOs struggle with this a bit too. We compile monthly reports around enterprise security intelligence metrics. Our experts on the security team do look at them but even they can have a difficult time understanding what the data is saying.

Pinkard: As security continues to mature from a very tactical, response-driven engagement type to one that is more proactive and strategic, CISOs are also working on maturing their delivery style. The challenge is doing this at the same pace as the ever-evolving threat landscape, using language that makes sense to the business while leading their (generally) resource-lean teams. Short answer: it’s a work in progress — and some days are better than others.

Watts: CISOs recognize that telling their board that they stopped 100 phishing incidents is great, but answering the “so what?” question in terms of the impact on the business is a much better story to tell. It’s also good to have some recommendations up your sleeve to push the investment conversation along.

See the other articles in this CISO Interview Series on Business Value of Security:

The challenge of showing ROI from security investment
The leadership skills CISOs need to demonstrate the business value of security

First published August 2019