Communicating Security Risk
We gathered a group of CISOs and security providers for our annual security dinner to discuss early results of our Scale Security Survey and general trends impacting information security. It was a lively discussion but a common theme that stood out this year, both in dinner discussion and in our survey was the ability to effectively communicate security risk to business leaders.
Scale Venture Partners partnered with the Ponemon Institute and Informatica to uncover what data security concerns were top-of-mind for security practitioners and how they approached the challenge. Ponemon surveyed 432 IT security practitioners who are responsible for IT security or data protection services within their company.
According to the survey, only 34% have defined metrics to communicate the business impact of their security programs to colleagues or management.
Communicating risk to the business is a significant issue and, in the opinion of our guests, one that the security industry as a whole needs to come together to solve.
“CISOs need what CFOs have: a mature way to discuss security needs and risk that would apply to any company they go to and be understood by the business, not just by security professionals,” said one public company CISO.
It brings up a great point, and one that can impact the industry in the long run. Do we need a GAAP equivalent for security, and if so, who can we turn to to create it? According to the survey, a data breach of sensitive information is the top IT security risk (35%), and one that 65% of respondents expect to increase. Yet securing sensitive and confidential information is not the priority it should be: 56% of respondents are unsure or disagree that their organizations believe in the importance of protecting data. That is a concerning disconnect between what security professionals prioritize and where company boards and executives allocate resources and attention.
How do we measure risk?
Security needs to be understood across business functions, using a standard set of terms and definitions: a common language that can be applied to many different kinds of businesses. Today, companies often represent security metrics, risks and vulnerabilities in many different formats, and these are rarely benchmarked. I also see this at the board level across our portfolio. Some companies are dialed into the risks that may affect their business and have well-articulated strategies for addressing them; others, not so much. Nick Shevelyov, CSO at Silicon Valley Bank, presented a good framework for thinking about and communicating risk. He said risk vectors can be categorized across “people, process, and technology,” and for each risk, the choice is to “accept, transfer, or mitigate.” The job of the security professional is to contextualize the risks that are most relevant to the business. The holy grail is a risk measurement for the business that can be quantified in dollars, which can then be weighed against proposed security spend to manage that risk.
One vendor solved this by benchmarking each company against its peers, adhering to the philosophy, “I don’t need to be 100% protected, just more protected than others.” This benchmarking is valuable to their prospects, but likely only because there is no clear way to show the business impact of how well a security program is doing.
Another solution was getting buy-in from the top. Make security a cultural philosophy: “the security team’s problem is everyone’s problem.” Not every company sees it that way, but it does ring true for several financial and healthcare organizations.
A path forward
While there were many opinions on how to measure and communicate risk, most agreed that residual risk will always remain and that planning for the eventual breach is prudent. Creating a breach response plan that is periodically exercised was considered best practice.
At the end of the day, we won’t solve this in one dinner or a blog post, but it is a call to action for the security industry to continue the conversation and work together to find solutions.
Originally published February 22, 2016.