How do you get corporate funding for cybersecurity when it's so challenging to measure and report ROI to your C suite and board of directors?
This was one of the many topics discussed by chief information security officers on several panel sessions we attended Tuesday, Feb. 25, at the RSA Conference in San Francisco.
During a session entitled "Aligning Cyber Security Personnel & Processes," Greg Schaffer, CISO of Circumference Group and a former Fidelity Investments CSO, summed up the dilemma this way: "The fact that you haven't had an incident is not an indication that you are secure. The fact that you have had an incident is not an indication that you're less secure."
How do you find the right metrics to report to your business-side executives? We can draw some lessons from the process outlined by Gary Gagnon, senior vice president, CSO, and corporate director of cybersecurity for Mitre Corp. His team provides a monthly executive-level metric report featuring seven or eight briefing charts. He explained these charts and the information they show.
- External environment: This chart identifies what threat vectors others in the industry are seeing.
- Volume chart: It shows the number of trouble tickets Gagnon's team addressed in the last month. "It's a way of understanding adversarial actions. We spend a lot of time dissecting those trouble tickets."
- Attack vectors: This chart details the concerted attacks Mitre saw in several vectors: Crimeware, Unknown, and Advanced Persistent Threat.
- Bullseye chart: It shows which layer of defense is having the most impact, how far attackers penetrate the security, and which sensors caught them. If an attack reaches the center of the bullseye, it means no sensor caught it, and the company has a data leak. (Gagnon quipped that he has not seen and never wants to see penetration to the center.)
- Patch status: "We have an internal goal to patch 90% of our machines within three days. I use this to compare against each of our operating centers to see which are more aggressive than others."
- Click ratio: Gagnon monitors the click ratio of Mitre employees who are targeted more frequently than others. "We spend a lot of time with them on training, trying to understand what drives them to click. My goal is to drive that to less than half a percent." He's very specific about training those who are targeted most frequently. That training is "customized to what they are actually seeing when they're targeted."
- Status of infrastructure upgrades: This chart covers things like "getting XP out of the enterprise, knowing what's going on with the network, and whether we can do this to the fidelity that a lot of these regulators want us to."
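As an added example (not Mitre's code or anything from the article), the script below computes two of the chart inputs listed above from constructed sample data: patch status per operating center against the 90%-within-three-days goal, and the click ratio against the half-percent goal, listing the most-clicking users for targeted training. Host names, operating centers, dates and user names are all made up.

```python
from datetime import date
from collections import defaultdict
PATCH_GOAL = 0.90        # stated goal: 90% of machines patched ...
PATCH_WINDOW_DAYS = 3    # ... within three days of a patch release
CLICK_GOAL = 0.005       # click-ratio target: under half a percent

# Constructed inventory rows: (host, operating center, patch release date, date patched or None)
HOSTS = [
    ("h01", "east", date(2014, 2, 3), date(2014, 2, 4)),
    ("h02", "east", date(2014, 2, 3), date(2014, 2, 5)),
    ("h03", "east", date(2014, 2, 3), date(2014, 2, 6)),   # exactly 3 days: on time
    ("h04", "east", date(2014, 2, 3), date(2014, 2, 4)),
    ("h05", "east", date(2014, 2, 3), date(2014, 2, 5)),
    ("h06", "west", date(2014, 2, 3), None),               # never patched
    ("h07", "west", date(2014, 2, 3), date(2014, 2, 4)),
    ("h08", "west", date(2014, 2, 3), date(2014, 2, 10)),  # a week late
    ("h09", "west", date(2014, 2, 3), date(2014, 2, 5)),
]

def patch_status(hosts, window_days=PATCH_WINDOW_DAYS):
    """Fraction of hosts per operating center patched within window_days of release."""
    total, on_time = defaultdict(int), defaultdict(int)
    for _host, center, released, patched in hosts:
        total[center] += 1
        if patched is not None and (patched - released).days <= window_days:
            on_time[center] += 1
    return {c: on_time[c] / total[c] for c in total}

# Constructed phishing-simulation results: (user, emails targeted, emails clicked)
CLICKS = [("alice", 40, 0), ("bob", 40, 1), ("carol", 120, 1)]

def click_ratio(results):
    """Overall click ratio plus per-user ratios, most-clicking user first."""
    targeted = sum(t for _, t, _ in results)
    clicked = sum(c for _, _, c in results)
    per_user = sorted(((c / t, u) for u, t, c in results if t), reverse=True)
    return clicked / targeted, [(u, r) for r, u in per_user]

def report(hosts=HOSTS, clicks=CLICKS):
    """One line per chart, flagged OK or MISS against the stated goals."""
    lines = []
    for center, ratio in sorted(patch_status(hosts).items()):
        flag = "OK " if ratio >= PATCH_GOAL else "MISS"
        lines.append(f"[{flag}] patch {center}: {ratio:.0%} within {PATCH_WINDOW_DAYS} days")
    overall, per_user = click_ratio(clicks)
    flag = "OK " if overall < CLICK_GOAL else "MISS"
    lines.append(f"[{flag}] click ratio: {overall:.2%} (goal under {CLICK_GOAL:.1%})")
    lines.append("retrain first: " + ", ".join(f"{u} {r:.1%}" for u, r in per_user[:2]))
    return lines
```

Calling `report()` on the sample data flags the west center (50% within three days) and the overall click ratio (1.00%) as missing their goals, while the east center passes.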
Part of the CISO's job is helping business-side executives understand the true nature of cyberattacks. Schaffer described the situation this way:
One of the things we have to get our business leaders to focus on is that cyber is not a hurricane. You can build a building that meets a certain number of specifications to withstand a hurricane. That's not what cyber is. Cyber is like ants inside your house. You can spray and bring in exterminators and do everything right, and the ants will disappear. And then, one day, there's going to be an ant in your living room, and you'll say: "How'd that get there? Squish." Once business leaders understand that the cybersecurity problem is going away when crime goes away, then we'll all be on the same sheet.
During another session we attended, "Storm Advancing: Security Weathermen Forecast the Advanced Threat Landscape," Carter Lee, CISO of Overstock.com, shared his views on getting corporate funding for cybersecurity.
"The two easiest ways to get funding are, one, allow yourself to get hacked," said Lee. "The second way is to use things like PCI regulations" and other regulatory or compliance requirements for your industry, "so you can tell the business executives, 'We have to do this, or we're not going to pass.'"
However, "a more effective way to do that is to show statistics." For example, "the number of malware-infected machines has gone down over time because we've invested in a certain product. If you can replace costs with smarter intelligence, you're always going to be able to find the funding. You just need to justify it like any other business expense."
Ramin Safai, CISO of the investment firm Jefferies & Co., said increased coverage of cybersecurity by mainstream news media has helped raise awareness within the C level and the board. "The Wall Street Journal plays a big role. Just the headlines make the board aware. They come back and ask the CIO, 'Do we have this under control?'"
Golan Ben-Oni, CISO of IDT Telecom, said it's also important for security executives to be aware of business priorities. Security projects affecting the areas of the company that matter most to the business executives are most likely to get funding. "Recognize the areas of your organization that management values most, and concentrate your efforts into those areas."
Are these experts on the mark? Do their observations line up with or contradict your own experience? What other advice do you have for information security and IT professionals looking to keep their organizations protected? Share your thoughts in the comments field below.
— Susan Nunziata, Director of Editorial, EnterpriseEfficiency.com