Thursday, October 27, 2016

How CISOs Are Really Measured

Modern CISOs have one of the toughest, most stressful jobs in the world. There are far more risks to businesses today than there were ten years ago, and many of these new and evolving risks come from the cyber world. Business risks used to be largely limited to competitors taking over portions of the market, failure to deliver on expectations of customers, or rising operating costs; things a business can control. Today, however, there are adversaries who are actively trying to disrupt and break businesses for their personal gain. As we've seen in countless examples, a breach or a successful disruptive attack by a malicious actor or group can cause financial damages to the impacted organization in the range of millions to tens of millions of dollars. There are also some nation states who actively infiltrate organizations, steal intellectual property, and disseminate it to growing businesses within their nation, creating international competition or potentially locking international businesses out of global regions. Additionally, as news of cybersecurity issues has now become mainstream, general awareness among both consumers and providers has grown. Assumptions of data security are being replaced with fears of personal or corporate damages followed by regulatory controls and mandates, which means effective cybersecurity practices among providers have become not only a competitive advantage but also a requirement to do business. It's on everyone's mind, and must be addressed.

A single successful cyber incident can put a corporation out of business, whether that be through loss in customers caused by a loss of their trust and willingness to do continued business, through the inability to operate due to a disruptive attack, through being denied access to industry as a result of non-compliance with regulatory standards, or through financial damages sustained by an organization through the remediation and post-incident activity. This is the weight on the CISO's shoulders; the viability and longevity of the business. Product teams have to produce awesome products. Marketing teams have to reach customers effectively. Human Resource teams have to ensure the right talent is attracted, hired, performs, and is retained. CISOs have to protect the business and enable it to function.

In addition to the pressure of potential damages and negative business impact, the CISO also has to manage the fact that the cybersecurity industry is constantly changing. That means they have to be constantly learning, and refreshing technology, process, and people. Adversaries are constantly refining their tradecraft to find new ways to break into maturing defenses, and entry into the criminal underground is becoming easier and easier. The rise of successful threat activity has attracted more and more criminals and has resulted in the monetization of the development, distribution, and use of tools and processes used to perpetrate cyber intrusions. There are now criminals who no longer hack, but instead make their living developing and renting access to tools that others can use to hack. The better they can make their tools, the more customers they will have. In addition, regulatory controls and customer expectations continue to change, forcing CISOs to continually develop and implement new controls to satisfy these expectations, so that the company can simply do business. The entire CISO world is in a constant state of change, and the information security program must keep up. This differs from almost every other industry, where it's common for problems, materials, costs, processes, etc. to remain static for decades at a time. High-tech and health fields are unique in this way.

So not only does the CISO have to keep data safe to protect the business and actively thwart an adversary that is continuously growing in numbers and sophistication, they also have to continually adapt to the shifting demands of customers and industry. They have to execute well, learn how to execute differently (just after they finished), and manage the transformation from what was effective yesterday to what is needed to be effective tomorrow. Ready to apply?

Given this, we might assume that the CISO's measure of success is in ensuring security incidents do not happen. We might naturally think that the CISO's annual performance goal says "make sure there is no breach," and at their annual performance review, the CEO looks at the news headlines and if their company name wasn't listed for a security related issue, then the CISO gets his bonus. We would like to think that the Information Security organization led by a CISO is there as sort of the protector and guardian of data, preventing massive losses that could come from data breaches, brand damaging events, or disruptions to service delivery. Well, we are, sort of. However, preventing losses isn't really what CISOs and their support organizations are measured by. Yeah, really. Why? Well, first because you can't measure that, and second because that's not a return on investment. Zero breaches means breaking even, and investors aren't interested in keeping the status quo. A CISO can't prove success simply because bad things didn't happen, nor is it sufficient for a CISO to claim success based on the number of attacks thwarted. Those two indicators of doing security well don't translate to what CEOs and investors care about. What CISOs are measured by is how effectively they contributed to revenue and profit generation. Unfortunately, this usually means CISOs are primarily incentivized to do something other than the things security practitioners are most passionate about. At least not for the reasons they are passionate about them.

The hard reality is, a CISO will have to say "no" to implementing optimal data protection if doing so negatively impacts revenue or profit in a measurable way. They have to. Their mission is data protection that drives revenue and profit generation.

If you are a security practitioner, I'm sure you can relate to a time where you defined, selected, or had the opportunity to implement some new security capability or product, only to learn that you can't enable or leverage all the cool features that you know will keep data safe. Right? The CISO was probably the one who brought you that bad news (or it trickled down via your manager). You probably assumed that they just didn't understand the problem or the tool, and that they were simply making a "bad" decision to stretch the limited budget available to them. You probably thought they were being shrewd and that the business leaders just don't understand information security. Well...maybe that is the case. More likely, however, your CISO made a calculated decision to leverage this opportunity to improve their value to the business. CISOs don't usually sit back and say "yeah, I know we could completely mitigate that risk, but I just don't want to." They think, "if I spend those resources there, on that issue, which could potentially have that minor impact if these certain things happen, then I can't use those resources over here for that other thing that could help the x product team unlock that new customer sector." That's more likely what's going through their head.

They aren't saying "no," as much as they are saying "if I do that, then I can't do this, which is more important to the business." Security practitioners like to be purists and claim it's all about the data protection mission. The reality is, it's all about the business, otherwise none of us would have jobs, and the CISO is part of the business leadership (or should be).

You see, the CISO role is revenue AND profit generating in many cases. Getting products into customers' hands generates revenue. Profit comes from the margin between revenue and cost. However, CISOs aren't just about cutting costs to maximize profit, and they aren't just a lever to compress operating costs. This is where many business leaders and investors get it wrong too. Businesses identify opportunities for growth based on complex calculations, and they define their business strategy according to where and how they believe they can win business and generate and grow revenue. As one example, I recently learned that a CEO was evaluating two different classes of potential clients: small and medium businesses, and enterprises. The potential revenue to be captured vs. the cost of winning the potential business caused the CEO to choose one class of customers, and to intentionally exclude the other from the business strategy. However, in order to reach the chosen segment that the business growth strategy depended upon, the company must show compliance with regulatory standards and customer expectations for information security. In order to secure the profit promised to investors who are backing the business, those new customers have to be engaged in the right way and within a certain operating cost or ratio of cost to revenue. That means in order for the business strategy to be effective, the CISO now has to build an information security program that is effective, is compliant, and doesn't exceed operating cost goals. If the CISO fails, revenue and/or profit goals will not be realized. In this sense, they are enabling AND protecting revenue and profit expectations.

You see, the business can't even engage the potential customers until the CISO can ensure the information security program satisfies regulatory compliance. That means revenue is unattainable without the CISO. Further, customers won't sign the deal until they have an assurance that the information security program meets their expectations and is effective. That means revenue won't start without the CISO. Additionally, revenue sustainment for that customer or sector is dependent upon the continued performance of the information security program (no breaches, and adaptive to changing customer requirements). That means if the CISO fails, revenue will be lost or growth opportunities will be missed. Finally, if the information security program doesn't remain cost effective, profit goals cannot be reached. The more effective and efficient the information security program, the more revenue is possible, and the wider the profit margin can be.

That means the company's overall revenue and profit goals are dependent upon the CISO, a shared responsibility among all the executive staff. The idea that the information security program is simply a cost of doing business that must be controlled represents a mindset that doesn't understand how this works.

Let's say a customer comes to a business and says, "we would buy your product if it did x." Your product team would consider development of that capability a revenue generating act, because doing so captured that business. Product and sales teams are generally viewed as revenue generating. If the customer also says, "and we won't buy your product unless you can ensure the data we give you is secure," that becomes a requirement that the information security team must deliver along with the product in order to win the deal. It's no different than a customer saying "I want feature x from your product." They want your product to include functionality and security. Perhaps the security they seek isn't within the product itself, but rather within the realm of the customer to provider relationship. Either way, it's a customer requirement that must be met in order to capture the revenue that comes from the deal, and it's a requirement that must be sustained to maintain the customer relationship in good standing, just as continuous service delivery is.

I can tell you dozens of stories of business to business or consumer to business relationships that were dependent upon the success of, and confidence in, the information security program. I'll tell you right now that if customers lose trust in a product or company for security reasons, revenue and profit will fall. That means effectively establishing and actively maintaining that trust causes revenue and profit to rise.

Some may argue that information security is just part of the company operating costs, just as IT, HR, Legal, and other internal functions are. I disagree. I think it was that way a decade ago, but IT, HR, Legal, and other internal functions are not direct requirements from customers; information security has become one. Customers don't often send specific requirements or validation requests to other internal function teams, and regulatory compliance mandates don't usually call out those functions.

So, when it comes to the senior leadership of a company, including the investors and board of directors, the value of the CISO really comes down to whether or not their actions enabled and contributed to revenue and profit. If not, then the program and the person suffer. If so, then the program and the person are rewarded. What specific questions can executives measure CISOs by, or what can CISOs use to prove success?

How many customer sales did the CISO directly interact with to help capture?

How many customer sales were won as a result of the information security program? Conversely, how many sales or customers were lost due to problems with the information security program?

Did the information security program successfully remove barriers to enter or maintain market and customer engagement?

Did the information security program operate in a cost effective manner so as to not disrupt the expected revenue and profit goals while securing existing and new business?

Did the CISO effectively lead the business through a security issue that resolved without great loss?

If the executive leadership or board can honestly say, "CISO, because of your efforts, we were able to access sector A and capture customer Z, and you did so while maintaining a cost effective program," then the CISO has won. If the leadership team says, "CISO, you did a good job keeping costs down, which helped us meet financial goals," well, that's good too, but a CISO is more valuable than that. If the executive team says, "CISO, you kept us out of the news," well...that's good, but it's also bad, because someone could easily argue that the lack of attackers or attacker interest kept the company out of the news.

The true business value of the CISO can be found in how they directly enable, capture, sustain, and protect revenue and profit. Information security is no longer just a cost of doing business, and if your CISO can't demonstrate otherwise, then they may not be the right one for your company.
