Subscribe to the TSC newsletter to receive exclusive news and advice
13 February 2019
3 min read
CISO Guide: How to sum up your work for your CIO
In this latest article from the ‘CISO's guide to’ series, we show CISOs how to sum up a year’s worth of activities for their CIO....
In this latest article from the ‘CISO's guide to’ series, we show CISOs how to sum up a year’s worth of activities for their CIO.
"Start with a fresh page. Take up one hole more in the belt buckle if necessary (or let down one, according to circumstances). But on the first day of January let every man gird himself once more, with his face to the front, and take no interest in the things that were and are past." — Henry Ward Beacher.
Wise words indeed for a new year. But we’re not quite there yet.
At this time of year companies up and down the country are preparing the annual report and accounts and inevitably it's time for the CISO to take stock of the year that was. Especially if your CIO (or CFO or CRO) is asking for your account of the past year.
So what markers of progress will you be scribbling down when looking back over the last 12 months? And how will your scorecard be graded?
What not to write
What we want is a business engaged and eyebrows raised. So let me start by stating what I would not report to my senior manager:
Numbers that have no heft: Many a worthy-looking line-graph or pie-chart can be built from numbers like training completion rates, phishing click-throughs or reported number of incidents. But peel away the ‘on-brand’ graphics and is there still meaning there? Does training completed equate to behaviour changed? Does a reduction in click-through rates matter when it only takes one click for a compromise? And do more incidents reported make for more actionable intelligence or more time-consuming data-wading for your team? In short, do they pass the ‘so what?’ test?
Security standard stand-ups: You’ve
nailed NIST, implemented ISO
27000 and conquered COBIT 5. These are undoubtedly achievements worth flaunting
by every CISO and are fantastic way-markers on your journey towards
cybersecurity maturity. But what does standards adherence matter if you can’t
show effectiveness? Can you express what compliance means in hard cash terms?
Too much tech-control snazz: Whether
it’s deploying an AI-enhanced DLP tool, weaving cloud access security brokers into
access management, or taking zero-trust approaches to server workloads, 2018
has seen no shortage of snazzy technological solutions to ease the CISO’s
burden. If you’re successfully sharpening that cutting edge, why not shout
about it? The problem is, no matter how powerfully relevant these solutions
are, will they be understood by those outside the tech-literate bubble? Perhaps
this is where you need to keep the ‘gee-whizz’ to your team and concentrate on
what how this matters to the business.
Make it business-relevant
OK, so that’s a slew of red lines drawn through some reporting staples. Now, how are you going to make sure that your end-of-year report isn’t scrunched up and heading for the recycling bin?
By placing the focus on what really matters – how much progress you as a CISO have made in 2018, in business-relevant terms:
Numbers that matter: If you’re going to
report on your colleagues’ behaviour, try digging a little deeper to get more meaning
into those metrics.
Talk of the town: Culture change comes not
through compliance, but through conversation – when
people in your organisation talk about information security, they own rather
than disown it.
So, tell the
story of that conversation in your report. How many times has infosec been on
the board’s agenda? What questions have they asked that have helped to sharpen
your focus on delivering business value? Which business functions have been
engaging with you as solution partners rather than a place to pass the buck to?
Pivot to the problem: Getting to the nub of issue for the business
is critical, if your report is to be read beyond the usual suspects. And in
2018, the fundamental business value that changed for the CISO was not avoidance
of a breach, but resilience to it. We’ve shifted from ‘if’ to ‘when’ and must
show proficiency at managing the impacts.
That means reporting
progress on critical aspects of incident management is vital – such as time from
alert to triage, or time to notification for the kinds of incidents that set
off the regulatory alarm bells at the ICO’s office. Include your full-spectrum
simulation exercises in those numbers, too. After all, practice makes perfect.
And don’t forget the
value of your ‘human firewall’, the first responders whose early reporting is
so vital to hack back dwell time. Demonstrating that staff responses are
measured and understood, whether via ethical phishing or
benchmarking, is a crucial part of reporting on your organisation’s
resilience – or fragility.
The return on investment
In the end, I think what’s important to remember when reporting ‘up the line’ is return on investment and, crucially, that RoI is specific to your organisation.
Concentrate on what matters to your business. And never forget that dollar-driven metrics are what turns on senior management.
If you would like more informationabout how The Security Company can help your organisation to enable employee behaviour change with the goal of improving your security culture or how we can run behavioural research to pinpoint gaps in your security culture, contact us here.