I once had a meeting with my CFO to talk about security. As you might expect my goal for the meeting was to start to get her buy-in on our security business case. Just a few minutes into the meeting she stopped me and said, “Frank, we get it. We know that cybersecurity is important.” I was beginning to feel that this meeting was going in the right direction. Then she said it. The dreaded “B” word.
She continued, “But, what we want to know is ‘Are we spending too much? Are we spending too little? How are we doing compared to our industry peers?’”
These are the questions that Boards and C-level executives are asking of their security leaders. How can you get ready to effectively answer these questions?
One quick note before diving in… I’m co-hosting a webcast next week with Verodin CISO, Brian Contos. Don’t miss it! (register here).
Here’s a video preview that highlights a few core concepts that I’ll be discussing in the upcoming webcast.
1) Choose a Framework Select an industry recognized framework that will help you frame the work of your security program. Using a framework like the NIST Cybersecurity Framework helps simplify the complex world of security in a way that can be more easily consumed by business leaders.
2) Measure Your Maturity It’s not enough to simply use a security framework. As you implement various controls make sure to measure maturity of your key security capabilities. That way you can show progress over time.
3) Benchmark Against Industry Peers In an ideal world you might be tempted to achieve the “best” security possible. The reality though, as my CFO pointed out, is that the amount a business should invest is relative. As you improve your maturity identify how you are doing in relation to your industry peers as a point of comparison.
4) Set a Target If you happen to be the on the high end of the maturity spectrum you may decide to compare yourself to another more mature industry as a stretch goal. Even if you stay within your industry for comparison purposes make sure to set a maturity goal for your security program.
5) Measure Your Effectiveness Even with a framework, maturity model, benchmark, and goal in place there’s still one big question remaining. Are you utilizing your limited resources effectively? As you deploy, maintain, and operate your security program make sure you show that people, process, and technology are actually working as intended.
Do these five things and you just might be able to head the dreaded “B” word off at the pass.
About Frank Kim
Frank Kim is the founder of ThinkSec, a strategic security consulting and CISO advisory firm, and is an advisor to Verodin and other security startups. Previously, as CISO at the SANS Institute, Frank led the information risk function for the most trusted source of computer security training and certification in the world. For more, visit frankkim.net.