Coffee in hand, you open the most recent report from your Vulnerability Management lead. Judging from the file size, it looks voluminous. As always, thousands of critical severity vulnerabilities and a note that the Sprockets and Widgets (S&W) division once again set a record for number of unpatched critical assets. You call the head of S&W IT and receive the usual litany of excuses (can’t take the systems offline, no patch from the vendor, etc.). You wonder if there’s a better way to stress how important it is to patch these systems…
Text from the SVP of Sales… Again… “Did you see the story about the new ransomware outbreak on CNN? This one’s different from the last few. Guessing you have it all locked down?” You wish he’d stick to his day job instead of moonlighting as a security geek and thorn in your side. You also wish you knew whether you actually have it “locked down…”
The Alka Seltzer package says that it relieves “minor aches, pains, inflammation, fever, headache, heartburn, stomachache, indigestion, acid reflux and hangovers, while neutralizing excess stomach acid.” Perfect for the 11am Infosec budget review meeting with the CFO, so you double the recommended dose. Your ask is for a 20% budget increase – priorities are EDR software from one of the recently IPO’d and/or acquired endpoint vendors, deploying one of Gartner’s many cloud data protection acronyms (CASB, SASE, CWPP, CSPM, etc.), and the increased data volume that is driving your Splunk costs through the roof. The problem is that you asked for, and received, a 30% increase last year, and you know the CFO is going to demand to know what the return was on that spend. And you don’t blame her…
Your turn to report at the Board of Directors’ meeting. You’ve spent weeks tuning the slides, and you even practiced them one more time this morning in front of the dog. Eyes start to glaze over somewhere between the slide on DLP false positive reduction and the data from your SOC team suggesting that indicators of compromise are up 11% Q/Q. You spent years lobbying the CIO and CEO to get board visibility, and now that you have it, you feel like you’re speaking a different language. Perhaps you are?
CRM for Security
As you sit through the remainder of the board meeting, you can’t help but notice the similarities in many of the other sections.
- The CFO’s budget slides and risk analysis are geared around the trends in several key metrics.
- The VP of HR discusses turnover rates, hiring metrics, and even employee happiness, all benchmarked against other companies in the industry.
- The same SVP of Sales that texts you every other day presents neatly formatted reports pulled directly from the CRM, with clear metrics indicating areas of strength and areas of concern.
- Heck, even the marketing guy, whose socks match the color scheme in the slide deck, has fancy metrics around pipeline and something he calls marketing qualified leads.
Midway through the Sales portion of the meeting, you begin to wish that you had your own “CRM for Security” to help address these, and the myriad of other, daily challenges in your world. A way to move from ambiguous discussions with even more ambiguous answers, to data-driven discussions with metrics designed around the common language of risk rather than security-specific threats, vulnerabilities, and alerts.
The Data-Driven CISO
Sound familiar? The scenes in this typical day in the life of a CISO are based on recent, real conversations I’ve had with security leaders. They all agree that information security risk is no different from any other non-financial risk that leaders must contend with. And all of these risks are managed by “a prioritization process whereby the risks with the greatest loss (or impact) and the greatest probability of occurring are handled first, and risks with lower probability of occurrence and lower loss are handled in descending order.”
The gap for most infosec leaders is to get to the point where they can quantify and prioritize risk, no small challenge given the massive enterprise attack surface. We’re at the dawn of the age of risk-based cybersecurity, where in order to continue to excel as a security leader, you must evolve to become a Data-Driven CISO.
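As an added illustration, not code from the original post, the following Python ranks a small constructed set of findings two ways: by the count of vendor-rated “critical” vulnerabilities (the metric behind the report in the opening scene) and by expected loss, likelihood multiplied by impact, which is the prioritization the quoted definition describes. Every asset name, likelihood and dollar figure below is an assumption chosen for the example; nothing is measured data.

```python
# Added example (not part of the original post). Contrasts "how many criticals"
# with "how much expected loss" as a way to prioritize findings.
# All assets, likelihoods and dollar values are constructed assumptions.
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    asset: str
    business_unit: str
    severity: str        # vendor severity label as it appears in the scan report
    likelihood: float    # assumed annual probability of exploitation (0..1)
    impact_usd: float    # assumed loss if exploited, in dollars

    @property
    def expected_loss(self) -> float:
        """Annualized expected loss: probability of the event times its cost."""
        return self.likelihood * self.impact_usd


# Constructed sample findings (illustrative numbers only).
FINDINGS = [
    Finding("sw-plc-gateway-01", "Sprockets & Widgets", "critical", 0.05, 2_000_000),
    Finding("sw-kiosk-17", "Sprockets & Widgets", "critical", 0.02, 5_000),
    Finding("sw-kiosk-18", "Sprockets & Widgets", "critical", 0.02, 5_000),
    Finding("sw-kiosk-19", "Sprockets & Widgets", "critical", 0.02, 5_000),
    Finding("crm-web-prod", "Sales", "high", 0.40, 1_500_000),
    Finding("hr-portal", "HR", "critical", 0.10, 300_000),
]


def rank_by_critical_count(findings):
    """The scan-report view: business units ordered by number of 'critical' findings."""
    counts = {}
    for f in findings:
        if f.severity == "critical":
            counts[f.business_unit] = counts.get(f.business_unit, 0) + 1
    return sorted(counts.items(), key=lambda kv: kv[1], reverse=True)


def rank_by_expected_loss(findings):
    """The risk view: business units ordered by summed expected loss in dollars."""
    totals = {}
    for f in findings:
        totals[f.business_unit] = totals.get(f.business_unit, 0.0) + f.expected_loss
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)


def top_findings(findings, n=3):
    """Individual findings to patch first, by expected loss (greatest first)."""
    return sorted(findings, key=lambda f: f.expected_loss, reverse=True)[:n]


if __name__ == "__main__":
    print("By critical count:", rank_by_critical_count(FINDINGS))
    print("By expected loss: ", rank_by_expected_loss(FINDINGS))
    print("Patch first:      ", [f.asset for f in top_findings(FINDINGS)])
```

With these inputs the critical-count view puts S&W at the top with four unpatched criticals and never mentions Sales at all, while the expected-loss view puts the single “high” on the customer-facing CRM server ahead of every S&W finding and shows that three of S&W’s four criticals are kiosks worth almost nothing to an attacker. That gap is the conversation the report in the opening scene cannot start.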