Measuring and communicating cybersecurity to the board and leadership

August 10, 2020
by Aaron Sherrill


About 20 years ago, baseball underwent a statistical revolution. In 2002, general manager Billy Beane transformed the Oakland Athletics, a small-market team, into a big winner by applying data, research and analysis to a game traditionally conceived as a business of intangibles, observations and resource disparity. The story is the subject of a book and movie titled 'Moneyball.' In Moneyball, the Athletics identified statistics that, in terms of dollars, were undervalued in the market yet delivered insights that enabled the team to achieve its desired outcome – wins. Oakland's quest to derive the most value from each dollar is something every business can relate to.

But in cybersecurity, where performance and effectiveness can be difficult to measure and understand, the C-suite and board are often at a disadvantage. Too often, security leaders report on metrics that are largely qualitative, focusing on discrete technical aspects of the cybersecurity program, or delivering data points with no context. These metrics are often meaningless at the executive level. C-level leaders need security leaders, vendors, partners and service providers to transform the measurement of cybersecurity.

The 451 Take

Baseball fans know the sport is a game of statistics. Ask avid baseball fans what the numbers 755, 511, 56 and 103 represent, and they will tell you Hank Aaron's career home run total, Cy Young's career wins total, Joe DiMaggio's hitting streak, and Rickey Henderson's stolen bases. Baseball fans 'know their stats' – even though the stats often fail to tell the whole story.

Cybersecurity is increasingly gaining visibility at the board and C-level. And while the executive team may not be able to rattle off the specific cybersecurity stats like baseball fans, they should have a clear understanding of the organization's cybersecurity posture and the value that cybersecurity efforts are providing the business. Security leaders, vendors, partners and service providers need to modernize how cybersecurity is measured, providing executive teams with a tailored analysis that delivers business-impacting intelligence.


Before the global COVID-19 pandemic, over 90% of enterprises reported they were planning to increase security budgets for 2020 by an average of 20% (451 Research's Information Security, Budgets and Outlook 2020 survey). Those expectations may have been underestimated as the pandemic has driven almost 30% of enterprises to increase security spending even further to protect the explosion in remote workers and an increase in threats and security incidents.

Even though enterprises continue to increase their security budgets year after year, half believe their organization will experience a data security breach over the next 12 months. To the C-suite, it is beginning to appear that security teams are trying to outspend cybersecurity challenges by investing in more tools, people and services. While this may be true to some extent, the security efforts at most enterprises started at a disadvantage and are still trying to catch up to digital transformation efforts and attacker capabilities.

As enterprises reexamine organizational budgets and priorities, executive teams are taking a closer look at the organization's cybersecurity investments and overall security posture. Security leaders, vendors and service providers are feeling the pressure to demonstrate the value of cybersecurity investments and efforts and show a direct, measurable impact on business objectives.

How to fail

To better understand how to successfully communicate and demonstrate the effectiveness of the organization's cybersecurity program, it can be helpful to understand how security leaders often fail in this endeavor. There are several pitfalls security leaders should avoid when communicating with the C-suite and board. These include using complex metrics, overusing technical metrics, using metrics with no context and over-valuing qualitative metrics.

Complex metrics. The technical nature of cybersecurity, combined with the fact that most executive teams have non-technical backgrounds, leads to a general lack of understanding about cybersecurity. Cybersecurity metrics that are complex and difficult to understand make this situation even more challenging. Security leaders often find themselves defending how complex metrics were derived rather than discussing what the metrics mean. Complex metrics often fail to demonstrate a cause-and-effect relationship with investments and efforts, undermining the executive team's trust in the data and the value they see in it.

Overuse of technical metrics. The cybersecurity domain is well known for its ambiguity, acronyms and technical language, but the root of the problem is that technical metrics often fail to translate into business objectives. Overusing technical metrics tends to create communication gaps that leave executive leaders struggling to understand the security posture of the organization or the value and impact of security investments.

Metrics that lack context. Security metrics are often presented with little to no context. For example, the number of vulnerabilities within an organization is a common metric that security leaders report to executive teams. Unfortunately, metrics like this fail to communicate a story. Is the data point positive, negative or average? Is the metric trending up or down, and why? How are critical assets impacted? How is this impacting the security posture or risk profile of the organization? Context matters. Without context, security leaders can inadvertently lull executive teams into a false sense of confidence, even though risk continues to grow.
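To make the point above concrete, here is an added illustration (not code from the article or from 451 Research) of how a raw "number of open vulnerabilities" can be turned into a metric with context: the trend against the prior period, the share that sits on business-critical assets, how long the oldest critical-asset exposure has been open, and how quickly findings are being fixed. The asset names, findings, dates and the "critical" asset tags are constructed sample data, and the field names are assumptions; any real reporting pipeline would draw these from the scanner and the asset inventory.

```python
"""Add business context to a vulnerability count for executive reporting.

Added example: the findings, asset inventory and dates are constructed
sample data, not figures from the article.
"""
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Optional


@dataclass(frozen=True)
class Finding:
    asset: str
    severity: str             # "critical", "high", "medium" or "low"
    first_seen: date          # date the scanner first reported it
    fixed_on: Optional[date]  # None while the finding is still open


# Constructed asset inventory: systems the business has tagged as critical.
CRITICAL_ASSETS = {"payments-db", "customer-portal"}

# Constructed scanner findings spanning two reporting quarters.
FINDINGS = [
    Finding("payments-db",     "critical", date(2020, 1, 10), None),
    Finding("payments-db",     "high",     date(2020, 2, 1),  date(2020, 5, 15)),
    Finding("customer-portal", "high",     date(2020, 1, 20), date(2020, 4, 10)),
    Finding("intranet-wiki",   "medium",   date(2020, 1, 5),  None),
    Finding("build-server",    "low",      date(2020, 2, 14), date(2020, 3, 1)),
    Finding("intranet-wiki",   "low",      date(2020, 3, 20), None),
    Finding("customer-portal", "critical", date(2020, 5, 2),  None),
    Finding("build-server",    "medium",   date(2020, 6, 10), None),
    Finding("hr-app",          "high",     date(2020, 4, 22), date(2020, 6, 20)),
]


def is_open(f: Finding, as_of: date) -> bool:
    """A finding is open on a date if it was seen by then and not yet fixed."""
    return f.first_seen <= as_of and (f.fixed_on is None or f.fixed_on > as_of)


def snapshot(findings, critical_assets, period_start, period_end):
    """Summarise one reporting period with the context an executive needs."""
    open_now = [f for f in findings if is_open(f, period_end)]
    on_critical = [f for f in open_now if f.asset in critical_assets]
    fixed_in_period = [f for f in findings
                       if f.fixed_on is not None
                       and period_start <= f.fixed_on <= period_end]
    days_to_fix = [(f.fixed_on - f.first_seen).days for f in fixed_in_period]
    # Age of the longest-standing open finding on a critical asset, in days.
    oldest = max(((period_end - f.first_seen).days for f in on_critical), default=0)
    return {
        "as_of": period_end,
        "open_total": len(open_now),
        "open_on_critical_assets": len(on_critical),
        "critical_asset_share": round(len(on_critical) / len(open_now), 2) if open_now else 0.0,
        "median_days_to_fix": median(days_to_fix) if days_to_fix else None,
        "oldest_open_critical_asset_days": oldest,
    }


def executive_summary(prev, curr):
    """Compare two snapshots and phrase the result in business language."""
    delta_total = curr["open_total"] - prev["open_total"]
    delta_crit = curr["open_on_critical_assets"] - prev["open_on_critical_assets"]
    if delta_crit < 0:
        direction = "improving"
    elif delta_crit > 0:
        direction = "worsening"
    else:
        direction = "flat"
    story = (f"Open findings: {curr['open_total']} (change {delta_total:+d} vs last period); "
             f"{curr['open_on_critical_assets']} sit on critical business systems "
             f"({delta_crit:+d}, {direction}); oldest critical-asset exposure "
             f"{curr['oldest_open_critical_asset_days']} days; median time to fix "
             f"{curr['median_days_to_fix']} days.")
    return {"delta_total": delta_total, "delta_critical_assets": delta_crit,
            "direction": direction, "story": story}


Q1 = snapshot(FINDINGS, CRITICAL_ASSETS, date(2020, 1, 1), date(2020, 3, 31))
Q2 = snapshot(FINDINGS, CRITICAL_ASSETS, date(2020, 4, 1), date(2020, 6, 30))
SUMMARY = executive_summary(Q1, Q2)

if __name__ == "__main__":
    print(SUMMARY["story"])
```

On this sample data the headline count is identical in both quarters (five open findings), which on its own would suggest nothing changed; the contextual fields show the exposure on critical systems fell from three findings to two while the oldest of them has now been open for most of the year, which is the kind of story an executive can act on.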

Over-valuing qualitative metrics. Measuring cybersecurity efforts and delivering meaningful metrics is not easy. As a result, many security leaders tend to rely heavily on qualitative metrics when communicating with the executive team. The problem with this approach is that subjective assessments are often less credible because they tend to lack specific, repeatable measurements and supporting quantitative evidence.

How to succeed

Security leaders have more dashboards, charts, data points, trends and KPIs at their disposal than ever before. While this plethora of information can be invaluable for day-to-day tactical operations, communicating this data to the executive team requires a tailored approach.

Tell a story with meaningful metrics. When reporting to the executive team or board, security leaders should take a meticulous approach and use business language to tell a clear story with measurements that are quantifiable, observable, objective and easily understood. Security leaders need to clearly communicate what is being measured, why it is being measured, how and why these measurements change over time, and how these measurements align to the strategic priorities of the organization. Security metrics that focus on business risks and outcomes and tie to business objectives will resonate with the executive team.

Take a balanced approach. Security leaders should take a balanced approach when communicating with the executive team or board. A balanced approach that takes into consideration a combination of qualitative and quantitative metrics, leading and lagging indicators, long- and short-term priorities, internal and external threats, and operational and strategic metrics offers a comprehensive and pragmatic view of the organization's cybersecurity posture, resource effectiveness and state of compliance.

Be prepared and consistent. Security leaders should always be prepared for C-suite executives or the board to scrutinize metrics, dig deeper into specific risks, and inquire about recently publicized trends and breaches. It is important to establish a consistent narrative around cybersecurity using non-technical business language that the executive team will understand and find relevant. Be prepared to provide answers in the context of the business. This means talking about the implications for consumer trust, the impacts on service reliability, the effects on digital transformation, and the ramifications for compliance, risk and privacy.

When heading into the boardroom to deliver a presentation on cybersecurity to the board or C-suite executives, it can be tempting to get caught up in the numbers. However, communicating at this level tends to be more of an art than a science. The goal is to build trust, demonstrate how the organization's cybersecurity posture is continually evolving and improving, discuss where potential pitfalls and cyber risks exist, show the effectiveness of existing investments and resources, and establish how cybersecurity is adding value to the business.