“What did you do with the money we gave you last year? Why do we still need to fund security? What benefit will we get if we give you more money this year?”
Does this sound familiar?
It seems to me that those questions are repeated in every executive meeting or annual board review. Answering these questions is even more challenging, given that the people asking those questions may not understand the importance of security and that security professionals may not have the tools to easily, quickly, and effectively summarize the need for security.
My proposed solution to answer those questions and help explain security in a more straightforward way is to use a simple and visual risk trend chart. However, unlike other risk heat maps or charts, this chart shows trending—or a change in risk over time—by animating the results of a NIST Risk Management Framework (800-30) methodology. It also helps security professionals to relate security to what executive management cares about. (I bet revenue is important to them).
If you haven’t read the previous blog that explains this graph, here’s a quick summary:
- The circles represent different organizational business units, applications, OS platforms, or whatever makes sense to the business. In this example, the circles represent organizational business units such as the “LA office,” “Legal Department,” or “data centers.”
- The circle size can represent revenue, number of customers, number of patients… anything you need to measure. In this example, the size represents the revenue generated by the corresponding business unit.
- Red, Yellow, and Green represent High, Medium, and Low risk based on the NIST 800-30 risk matrixes/thresholds.
Animation can’t be shown on a static web site, so these graphs show trending (how the circles move over time) with an “arrow” indicating the direction each circle is moving. The following graph shows a “snapshot” of risk at a specific point in time. For now, let’s focus on the blue circle and compare risk and revenue over time.
In the next example, we have hidden the other business units. This graph shows the blue business unit at medium risk with a small percentage of revenue in Q1.
In Q2, we can see the risk is still within the yellow or medium level. However, the size of the circle has increased to represent a larger percentage of revenue generated by this BU. The “story” to executive management can be that security has mitigated high-risk items, and, overall, the security of this business unit may be at an acceptable or reasonable level, especially when considering the increase in the business unit’s revenue. It is still a relatively small percentage of the overall revenue generated by the entire company.
In the current quarter, there are significant changes, as shown below. We have a significant increase in revenue, but as a result, risk has gone up. This could happen for many reasons: perhaps the number of online customers has increased with the new web application features, or demand has outgrown IT capacity and new infrastructure is being built without appropriate security, change controls, or patch management.
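The chart encoding described above (risk colour from a NIST 800-30 likelihood × impact lookup, circle size from revenue share, and an arrow from one quarter to the next) can be generated from assessment data. The following is an added worked example and is not code from the original post: the likelihood × impact table is a simplified rendering of the qualitative risk scale in NIST SP 800-30 Rev. 1 Appendix I, collapsing its five levels to the chart's three colours is my assumption, and the quarterly figures for the “Blue” unit and the other units are constructed sample data chosen to reproduce the Q1–Q3 story in the text.

```python
"""Risk trend data for a NIST SP 800-30 style bubble chart (added example)."""
from dataclasses import dataclass

# Qualitative scale used for likelihood, impact and resulting risk.
LEVELS = ["Very Low", "Low", "Moderate", "High", "Very High"]

# Simplified likelihood (row) x impact (column) -> risk level, modelled on the
# 800-30 Rev. 1 Appendix I table. Assumption: exact cell values may differ from
# an organisation's tailored matrix; tailor this table to your own thresholds.
RISK_MATRIX = {
    "Very Low":  ["Very Low", "Very Low", "Very Low", "Low",      "Low"],
    "Low":       ["Very Low", "Low",      "Low",      "Low",      "Moderate"],
    "Moderate":  ["Very Low", "Low",      "Moderate", "Moderate", "High"],
    "High":      ["Very Low", "Low",      "Moderate", "High",     "Very High"],
    "Very High": ["Very Low", "Low",      "Moderate", "High",     "Very High"],
}

# Assumption: collapse five levels to the chart's three colours.
COLOUR = {"Very Low": "Green", "Low": "Green", "Moderate": "Yellow",
          "High": "Red", "Very High": "Red"}


def risk_level(likelihood: str, impact: str) -> str:
    """Look up the qualitative risk level for a likelihood/impact pair."""
    return RISK_MATRIX[likelihood][LEVELS.index(impact)]


@dataclass(frozen=True)
class Assessment:
    quarter: str
    unit: str
    likelihood: str
    impact: str
    revenue: float  # revenue attributed to the unit in that quarter


def bubbles(assessments):
    """One bubble per (quarter, unit): colour from the matrix, size = share of that quarter's revenue."""
    totals = {}
    for a in assessments:
        totals[a.quarter] = totals.get(a.quarter, 0.0) + a.revenue
    out = []
    for a in assessments:
        level = risk_level(a.likelihood, a.impact)
        out.append({"quarter": a.quarter, "unit": a.unit, "risk": level,
                    "colour": COLOUR[level],
                    "share": round(a.revenue / totals[a.quarter], 3)})
    return out


def trend(bubble_list, unit, quarters, tolerance=0.005):
    """Arrow directions for one unit between consecutive quarters (risk axis and revenue axis)."""
    by_quarter = {b["quarter"]: b for b in bubble_list if b["unit"] == unit}
    rows = []
    for prev, curr in zip(quarters, quarters[1:]):
        p, c = by_quarter[prev], by_quarter[curr]
        d_risk = LEVELS.index(c["risk"]) - LEVELS.index(p["risk"])
        d_share = c["share"] - p["share"]
        rows.append({
            "from": prev, "to": curr, "colour": c["colour"],
            "risk": "up" if d_risk > 0 else "down" if d_risk < 0 else "flat",
            "revenue": ("up" if d_share > tolerance
                        else "down" if d_share < -tolerance else "flat"),
        })
    return rows


# Constructed sample data (not from the post): the Blue unit is medium risk with
# a small revenue share in Q1, grows in Q2, then turns high risk at 20% in Q3.
SAMPLE = [
    Assessment("Q1", "Blue", "Moderate", "Moderate", 5.0),
    Assessment("Q1", "LA office", "Low", "Moderate", 45.0),
    Assessment("Q1", "Legal Department", "Low", "High", 50.0),
    Assessment("Q2", "Blue", "Moderate", "Moderate", 12.0),
    Assessment("Q2", "LA office", "Low", "Moderate", 44.0),
    Assessment("Q2", "Legal Department", "Low", "High", 48.0),
    Assessment("Q3", "Blue", "High", "High", 25.0),
    Assessment("Q3", "LA office", "Low", "Moderate", 50.0),
    Assessment("Q3", "Legal Department", "Low", "High", 50.0),
]
QUARTERS = ["Q1", "Q2", "Q3"]

if __name__ == "__main__":
    all_bubbles = bubbles(SAMPLE)
    for b in all_bubbles:
        if b["unit"] == "Blue":
            print(b)
    for row in trend(all_bubbles, "Blue", QUARTERS):
        print(row)
```

The `share` field drives circle size and `colour` the fill; `trend` yields the arrow for each quarter-to-quarter step, so the Q2 → Q3 row comes out as risk “up”, revenue “up”, colour Red, which is exactly the situation the narrative to executive management is built on.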
Going back to the opening questions from executive management about the funding and benefits of security, these charts can help tell a basic story:
“IT Security has been working to contain risks to an acceptable level for the business. However, as you can see from the growth of customers and revenue in the blue business unit, we need to increase security resources to protect the increased revenue generating activity. IT systems are deployed or configured quickly to meet customer demand, but they are not properly secured. We need to protect those IT systems that now generate 20% of our revenue; otherwise, there is an increased risk of losing that revenue if the IT systems in that unit are compromised or hacked. There are also potential issues of customer data loss or damage to the corporate brand.”
Now ask yourself… Is this a better way to communicate security risk, benefits, and activities? Is this approach more effective than the usual “we had 40,000 anti-virus alerts and our scanners reported 30,000 vulnerabilities but we fixed the major ones?” When you can tell the security story in a way that’s effective for your audience, you have a much better chance of getting the tools—and money—that you need to stay ahead of the IT security curve.