Is exec management listening or are we not using the right words?

Recently, CIO Magazine published an article on technical jargon to avoid. I found it curious that the jargon they listed included everything from common terms such as firewalls to complex issues such as phishing.

When I speak to executive leaders about security and how they perceive their knowledge about current issues, the responses are usually, “We have people that take care of security” or “Security is not critical to the business.”

If CEOs, COOs, CFOs, and the rest of the C-suite don’t understand the risks and potential business impacts of today’s IT environment, what is going to happen when the business moves into public or private clouds?  Or when customers and employees conduct business on smart phones?

So how can we effectively navigate the C-suite and effectively communicate the security risks without overwhelming our audience?

Here is what has worked for me:

  1. Stop talking only about security using the jargon surrounding it. Instead, start talking about protecting revenue, operations, intellectual property, customers, and assets—and by assets, I mean business assets, not IT assets.
  2. Think about the company’s strategic goals and where security can help promote that strategy and protect the investments.
  3. Understand and communicate security’s costs and benefits. Demonstrate that you can minimize risk while minimizing costs at the same time.

To summarize these concepts in C-suite terms, we need to convince management that IT security belongs in the cost of goods sold rather than being the small operational or one-time expense that compliance is sometimes perceived to be. In other words, the cost of security should be categorized as a cost of doing business.

My previous blog entries have a few examples of how to apply these principles when presenting to the C-suite staff.

Posted in Uncategorized

Security Metrics… So What? – Part 2

“What did you do with the money we gave you last year?  Why do we still need to fund security?  What benefit will we get if we give you more money this year?”

Does this sound familiar? 

It seems to me that those questions are repeated in every executive meeting or annual board review.  Answering these questions is even more challenging, given that the people asking those questions may not understand the importance of security and that security professionals may not have the tools to easily, quickly, and effectively summarize the need for security.

My proposed solution to answer those questions and help explain security in a more straightforward way is to use a simple and visual risk trend chart.  However, unlike other risk heat maps or charts, this chart shows trending—or a change in risk over time—by animating the results of a NIST Risk Management Framework (800-30) methodology.  It also helps security professionals to relate security to what executive management cares about. (I bet revenue is important to them).

If you haven’t read the previous blog that explains this graph, here’s a quick summary:

  • The circles represent different organizational business units, applications, OS platforms, or whatever makes sense to the business.  In this example, the circles represent organizational business units such as the “LA office,” “Legal Department,” or “data centers.”
  • The circle size can represent revenue, number of customers, number of patients… anything you need to measure.  In this example, the size represents the revenue generated by the corresponding business unit.
  • Red, Yellow, and Green represent High, Medium, and Low risk based on the NIST 800-30 risk matrixes/thresholds.

Animation can’t be shown on a static web site, so these graphs show trending (how the circles move) with an “arrow” indicating the direction each circle is moving. The following graph shows a “snapshot” of risk at a specific point in time. For now, let’s focus on the blue circle and compare risk and revenue over time.

In the next example, we have hidden the other business units. This graph shows the blue business unit at medium risk with a small percentage of revenue in Q1.

In Q2, we can see the risk is still within the yellow or medium level. However, the size of the circle has increased to represent a larger percentage of revenue generated by this BU. The “story” to executive management can be that security has mitigated high-risk items and, overall, the security of this business unit may be at an acceptable or reasonable level, especially when considering the increase in the business unit’s revenue. It is still a relatively small percentage of the overall revenue generated by the entire company.

In the current quarter, there are significant changes, as shown below. We have a significant increase in revenue, but as a result, risk has gone up.  This could happen for many reasons: perhaps the number of online customers has increased with the new web application features, or demand has outgrown IT capacity and new infrastructure is being built without appropriate security, change controls, or patch management.

Going back to the opening questions from executive management about the funding and benefits of security, these charts can help tell a basic story:

“IT Security has been working to contain risks to an acceptable level for the business.  However, as you can see from the growth of customers and revenue in the blue business unit, we need to increase security resources to protect the increased revenue generating activity.  IT systems are deployed or configured quickly to meet customer demand, but they are not properly secured.  We need to protect those IT systems that now generate 20% of our revenue; otherwise, there is an increased risk of losing that revenue if the IT systems in that unit are compromised or hacked.  There are also potential issues of customer data loss or damage to the corporate brand.”

Now ask yourself… Is this a better way to communicate security risk, benefits, and activities?  Is this approach more effective than the usual “we had 40,000 anti-virus alerts and our scanners reported 30,000 vulnerabilities but we fixed the major ones?” When you can tell the security story in a way that’s effective for your audience, you have a much better chance of getting the tools—and money—that you need to stay ahead of the IT security curve.

Posted in Cost benefit, Security Metrics

Security Metrics… So What?

Which statement is more effective? 

A. We have approximately 2,300 CVSS severity 4 or 5 vulnerabilities on our 400 Windows Servers. 

OR 

B. The IT systems that generate 28% of our revenue have critical security vulnerabilities. 

In my experience, the answer is B. Why? Because it relates security to something the business and its executive leaders care about: revenue.

Notice that there isn’t a single security metric in statement B.  However, I consistently hear about the push to gather and analyze security metrics.  While there is nothing wrong with measuring and evaluating security operational effectiveness with metrics, I believe the time and effort could be better spent on making security more relevant to the business. As CISOs, Directors of IT Security, and security leaders, isn’t our job to communicate and reduce risk?  If so, which of those earlier statements do you think will convince executive managers or IT administrators to allocate resources and time to mitigate those vulnerabilities? 

Let’s take a look at a real-world example. The graph below represents a NIST-based risk methodology where business units (BU) are represented as circles, and the size of each circle represents the percentage of revenue that the business unit generates.
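To make the chart’s mechanics concrete, here is an added Python example (not code from the original posts) that builds the data behind the bubble graph described in this post and in Part 2: each business unit gets a NIST SP 800-30 risk level from its likelihood and impact ratings, a bubble sized by revenue share and coloured Red/Yellow/Green, a direction-of-movement arrow between two quarterly snapshots, and the “statement B” sentence that expresses risk as revenue exposure. The 3×3 matrix and thresholds are the ones in the original SP 800-30 (2002); the business units, revenue figures and ratings are constructed sample data, not real results.

```python
from dataclasses import dataclass

# Qualitative 3x3 risk matrix from the original NIST SP 800-30 (2002):
# likelihood weight x impact weight, bucketed by the published thresholds
# (High: >50 to 100, Medium: >10 to 50, Low: 1 to 10).
LIKELIHOOD_WEIGHT = {"High": 1.0, "Medium": 0.5, "Low": 0.1}
IMPACT_WEIGHT = {"High": 100, "Medium": 50, "Low": 10}
COLOR = {"High": "Red", "Medium": "Yellow", "Low": "Green"}
RANK = {"Low": 0, "Medium": 1, "High": 2}


def risk_level(likelihood: str, impact: str) -> str:
    """Map a likelihood/impact pair to the 800-30 risk level."""
    score = LIKELIHOOD_WEIGHT[likelihood] * IMPACT_WEIGHT[impact]
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


@dataclass(frozen=True)
class BusinessUnit:
    name: str
    revenue: float      # quarterly revenue, constructed sample figure
    likelihood: str     # threat likelihood rating for the unit's IT systems
    impact: str         # business impact rating if those systems are compromised

    @property
    def level(self) -> str:
        return risk_level(self.likelihood, self.impact)


def bubbles(units):
    """One bubble per unit: size = revenue share, colour = risk level."""
    total = sum(u.revenue for u in units)
    return [{"name": u.name, "share": round(100 * u.revenue / total, 1),
             "level": u.level, "color": COLOR[u.level]} for u in units]


def revenue_share_at_risk(units, level="High") -> float:
    """Percentage of total revenue generated by units at the given risk level."""
    total = sum(u.revenue for u in units)
    at_risk = sum(u.revenue for u in units if u.level == level)
    return round(100 * at_risk / total, 1)


def business_statement(units, level="High") -> str:
    """The 'statement B' form: risk expressed as revenue exposure, no vuln counts."""
    share = revenue_share_at_risk(units, level)
    return (f"The IT systems that generate {share:g}% of our revenue are at "
            f"{level} ({COLOR[level]}) risk.")


def risk_trend(previous, current):
    """Direction each bubble moved between two snapshots (the chart's arrows)."""
    before = {u.name: RANK[u.level] for u in previous}
    moves = {}
    for u in current:
        delta = RANK[u.level] - before.get(u.name, RANK[u.level])
        moves[u.name] = "up" if delta > 0 else "down" if delta < 0 else "flat"
    return moves


# Constructed sample snapshots for two quarters (not real data).
Q1_UNITS = [
    BusinessUnit("LA office", 300, "Medium", "High"),      # 0.5 * 100 = 50  -> Medium
    BusinessUnit("Legal Department", 100, "Low", "High"),  # 0.1 * 100 = 10  -> Low
    BusinessUnit("Data centers", 600, "High", "High"),     # 1.0 * 100 = 100 -> High
]
Q2_UNITS = [
    BusinessUnit("LA office", 500, "High", "High"),        # revenue grew, risk rose
    BusinessUnit("Legal Department", 100, "Low", "Medium"),
    BusinessUnit("Data centers", 400, "Medium", "High"),   # high-risk items mitigated
]

if __name__ == "__main__":
    for b in bubbles(Q2_UNITS):
        print(f"{b['name']:<17} {b['share']:>5}% of revenue  {b['color']}")
    print(business_statement(Q2_UNITS))
    print("movement since Q1:", risk_trend(Q1_UNITS, Q2_UNITS))
```

Run it as a script to print the Q2 bubbles, the one-sentence executive statement, and the arrows. The point of `business_statement` is that the only number it reports is a revenue percentage; the vulnerability and control detail stays inside the likelihood and impact ratings that feed `risk_level`, which is exactly the translation the post argues for.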

Give it a shot next time you have to present to executive management or business unit leaders: rather than go through the usual metrics of vulnerability counts, compliance exceptions, and virus incidents, show them something like this and see what the reaction is.

In my next blog, I will take this notion of matching risk to revenue one step further.  I will show how to animate this graph to show how risk is reduced over time.  That’s right: the circles will move over time to show changes in risk based on technical vulnerabilities, security controls, asset impacts, and the other variables for the NIST Risk Management Framework.  We can also have the circles represent any business metric we want—such as the number of customers, patients, or even credit card data.

Posted in Security Metrics