Which statement is more effective?
A. We have approximately 2,300 CVSS severity 4 or 5 vulnerabilities on our 400 Windows Servers.
OR
B. The IT systems that generate 28% of our revenue have critical security vulnerabilities.
In my experience, the answer is B. Why? Because it relates security to something the business and its executive leaders care about: revenue.
Notice that there isn’t a single security metric in statement B. However, I consistently hear about the push to gather and analyze security metrics. While there is nothing wrong with measuring and evaluating security operational effectiveness with metrics, I believe the time and effort could be better spent on making security more relevant to the business. As CISOs, Directors of IT Security, and security leaders, isn’t our job to communicate and reduce risk? If so, which of those earlier statements do you think will convince executive managers or IT administrators to allocate resources and time to mitigate those vulnerabilities?
Let’s take a look at a real-world example. The graph below represents a NIST-based risk methodology where business units (BU) are represented as circles, and the size of each circle represents the percentage of revenue that business unit generates.
Give it a shot next time you have to present to executive management or business unit leaders: rather than go through the usual metrics of vulnerability counts, compliance exceptions, and virus incidents, show them something like this and see what the reaction is.
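As an added example (not code from the original post), the Python script below shows the data work behind statement B: scan findings are joined to an asset inventory that says which business unit each host supports, and to each unit's revenue share, so the output is "systems generating X% of revenue have critical vulnerabilities" rather than a raw CVE count. The host-to-unit mapping, revenue shares and scan results are constructed sample data; the CVSS v3.x severity bands are the standard ones; the "bubble rows" are a plain stand-in for the revenue-sized circles, not a NIST SP 800-30 calculation.

```python
"""Added example: relate vulnerability findings to revenue (not the post's own code).

Assumptions (all constructed for illustration): the host-to-business-unit
mapping, the revenue shares, and the scan results. Severity bands follow the
CVSS v3.x qualitative scale. Bubble placement is a simple stand-in, not a full
NIST SP 800-30 risk assessment.
"""
from collections import defaultdict

SEVERITY_ORDER = ["none", "low", "medium", "high", "critical"]

# Constructed: business unit -> share of annual revenue
REVENUE_SHARE = {"Retail": 0.28, "Wholesale": 0.45, "Corporate": 0.27}

# Constructed: host -> business unit whose revenue depends on it
ASSET_OWNER = {
    "web-01": "Retail", "web-02": "Retail", "db-01": "Retail",
    "erp-01": "Wholesale", "erp-02": "Wholesale",
    "mail-01": "Corporate",
}

# Constructed scan output: (host, CVSS v3 base score)
SCAN_FINDINGS = [
    ("web-01", 9.8), ("web-01", 5.3), ("db-01", 7.5),
    ("erp-01", 6.1), ("mail-01", 4.3), ("web-02", 2.0),
    ("legacy-99", 8.8),   # host missing from the inventory: must not vanish silently
]


def cvss_severity(score):
    """CVSS v3.x qualitative rating for a base score."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    if score > 0.0:
        return "low"
    return "none"


def findings_by_unit(findings, asset_owner):
    """Group finding severities per business unit; unmapped hosts land in '<unmapped>'."""
    grouped = defaultdict(list)
    for host, score in findings:
        grouped[asset_owner.get(host, "<unmapped>")].append(cvss_severity(score))
    return dict(grouped)


def worst_severity(severities):
    """Highest severity in a list, or 'none' for an empty list."""
    return max(severities, key=SEVERITY_ORDER.index, default="none")


def revenue_at_risk(findings, asset_owner, revenue_share, threshold="critical"):
    """Revenue share of units with at least one finding at or above `threshold`.

    Returns (fraction_of_revenue, sorted affected units, count of unmapped findings).
    """
    grouped = findings_by_unit(findings, asset_owner)
    floor = SEVERITY_ORDER.index(threshold)
    affected = sorted(
        unit for unit, sevs in grouped.items()
        if unit in revenue_share and SEVERITY_ORDER.index(worst_severity(sevs)) >= floor
    )
    unmapped = len(grouped.get("<unmapped>", []))
    return sum(revenue_share[u] for u in affected), affected, unmapped


def bubble_rows(findings, asset_owner, revenue_share):
    """One row per unit for a revenue-sized bubble chart.

    worst = worst severity on the unit's systems, open = medium-or-worse findings,
    size = revenue share (the circle area in the chart described above).
    """
    grouped = findings_by_unit(findings, asset_owner)
    medium = SEVERITY_ORDER.index("medium")
    rows = []
    for unit, share in revenue_share.items():
        sevs = grouped.get(unit, [])
        rows.append({
            "unit": unit,
            "size": share,
            "worst": worst_severity(sevs),
            "open": sum(1 for s in sevs if SEVERITY_ORDER.index(s) >= medium),
        })
    return sorted(rows, key=lambda r: r["size"], reverse=True)


def business_statement(findings, asset_owner, revenue_share):
    """Render the revenue-framed sentence, flagging findings with no business owner."""
    fraction, units, unmapped = revenue_at_risk(findings, asset_owner, revenue_share)
    msg = (f"The IT systems that generate {fraction:.0%} of our revenue "
           f"({', '.join(units)}) have critical security vulnerabilities.")
    if unmapped:
        msg += f" {unmapped} finding(s) sit on hosts not mapped to any business unit."
    return msg


if __name__ == "__main__":
    print(business_statement(SCAN_FINDINGS, ASSET_OWNER, REVENUE_SHARE))
    for row in bubble_rows(SCAN_FINDINGS, ASSET_OWNER, REVENUE_SHARE):
        print(row)
```

The unmapped-host count is the part worth keeping in any real version: a finding on a host nobody has tied to a business unit is exactly the finding that drops out of a revenue-framed report, so the script reports it instead of discarding it. The `threshold` argument lets the same data answer the executive question at "critical" and the operations question at "medium".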
In my next blog, I will take this notion of matching risk to revenue one step further. I will show how to animate this graph to show how risk is reduced over time. That’s right: the circles will move over time to show changes in risk based on technical vulnerabilities, security controls, asset impacts, and the other variables of the NIST Risk Management Framework. We can also have the circles represent any business metric we want—such as the number of customers, patients, or even credit card records.
