A Framework for Measuring InfoSec as a Business Function
In my December column, I ended with the observation that many CISOs struggle first to determine and then to communicate the business value of the security options available to them. Often that failure stems from a lack of background in finance and economics: a CISO who cannot couch security solutions in business terms may be unable to win approval for controls that would improve security while using existing or fewer resources.
Today, security practices are no longer a distasteful cost of doing business but rather an indispensable and inextricable aspect of advancing it, recognized as integral components of corporate governance and accountability. Yet the risk-adjusted costs of security investments are still poorly understood. Historically, it has been a challenge to accurately measure these expenditures and then assess them within the context of an organization’s overall risk management strategy. Consequently, an organization’s Total Cost of Controls (TCC) is allowed to increase rapidly without producing comparable improvements in risk management efficiency.
However, new tools can now help CISOs meet these expectations, allowing them to defend against a growing threat landscape while minimizing costs, and enabling them to show the direct correlation between a proposed expenditure and the reduction it produces in a particular risk. With these tools, CISOs have a TCC model that makes it possible to measure information security as a business function, balancing risks against the cost of mitigating them and maximizing value and efficiency.
In today’s ever-evolving cybersecurity landscape, organizations require such a model so that they can move beyond stale security strategies that force companies to wait for threats to hit them. With a business function-based TCC model, they can instead proactively quantify risk using real-time data and intelligence from solutions like the Verizon Risk Report (VRR). Combining extensive data on cybercriminal activity from Verizon’s Data Breach Investigations Report (DBIR) with specialized data sources from technology providers, the VRR security assessment creates a comprehensive security risk scoring framework that identifies current security gaps and weaknesses.
This type of multi-tiered approach allows companies to assess and mitigate weaknesses from multiple viewpoints, including:
- An outside-in view: Collect data from external sources to assess an organization’s external posture, and contextualize this data with insights from the Verizon Data Breach Investigations Report (DBIR).
- An inside-out view: Enhance the outside-in view with additional data from internal sources, such as analysis of a business’s in-house systems using AI-supported mathematical models and machine learning.
- A cultural and process view: Assess an organization’s security processes and policies to accurately determine its cybersecurity posture.
Threat intelligence for this approach is sourced daily from multiple security data sources, and the service includes an overall security posture score coupled with a score for each specific view. The overall security posture (hygiene) score has a complementary threat-level score that addresses environmental conditions outside the organization’s own hygiene. Based on the amount of information available at any given time, a confidence level is assigned to both the security posture and threat-level scores.
This three-tiered approach helps prioritize and direct resources to the areas of greatest need while giving executives and board members a measurable view of their overall risk. It also assists leaders with risk management, budget priorities, measuring the return on investments and benchmarking business units against one another.
The approach I describe is changing not only how security solutions are used but, more importantly, how CISOs develop their security strategies. Blending various threat intelligence data technologies with seasoned security expertise into a unified process is groundbreaking; it empowers teams to make data-driven security decisions and to better understand both current and future threats to their organizations. Through this improved understanding, CISOs can communicate their needs in a language easily grasped by the rest of the organization’s C-suite, a skill every CISO must possess.