One of the highlights of my time at RSA 2019 was harnessing the brain power of seven expert panelists to discuss how security leaders should engage with board members in order to increase the business impact of security. What an enlightening and important conversation for our space. At the outset, we all agreed that security certainly has come a long way…from the days of vitamin-D deficient analysts hidden away in the basement all the way to the spotlight of vital business strategy discussions with the Board of Directors.
But are we prepared to make this opportunity count? Sometimes security professionals want to blame non-security executives for asking the wrong questions. But our panel of security leaders wasn’t making any excuses. They are passionate about harnessing the conversation in the boardroom and providing data-driven answers that show progress towards business objectives. Metrics and measurement are key, and our panelists provided lots of practical advice for how to deliver them to the board for the best security results.
Anne Marie Zettlemoyer, VP of Security Engineering at Mastercard
Jimmy Sanders, Information Security at Netflix (DVD)
Chenxi Wang, Board member, founder, investor, keynote speaker
Summer Fowler, Chief Security Officer at Argo AI
Jennifer Czaplewski, Director, Security Analytics, Security Ninjas and Risk Management at Target
Heather Eggers, Director of Privacy, Risk, and Compliance and Chief Privacy Officer at Collective Health
What is a metric anyway?
We kicked off the discussion by asking “what is a metric anyway?” Responses varied, but everyone agreed, decision-making is based on metrics and measurement. One panelist referred to this as “the M&M equation” — if you can’t measure it, you can’t manage it.
Application security metrics can help us understand the state of the business and thus help board members calculate business decisions. One of the most important things you can do is tie security metrics back to business impact and overall business goals. Whenever you’re reporting to a board, make sure it can help them reach a decision. When it comes to metrics for the board in particular, you really need to think about how AppSec metrics affect the business at a strategic level.
“When it comes to metrics, it needs to be something that you can consistently record, report and educate around over time, said panelist Jimmy Sanders, Information Security for Netflix. “You don’t want to report on something related to AppSec to the board for three quarters and then never touch on it again.”
Tell Them a Story
“I want to emphasize the importance of storytelling around the metrics, not just giving the board a count, or a number or a percent,” said Summer Fowler, Chief Security Officer for Argo AI. “Recently, I sat with my leadership and explained that we had prioritized our assets and identified the top 15. Because we’re an A.I. company, our code base is at the top of our priority list. In addition to measurements related to the security of the code base, we also need to address the overall risk. We looked at the number of accounts that have access and the services that have access to give us a bigger picture of future risk. This enabled the leadership team to consider, should multiple services be able to touch that code base?”
How you set and report your metrics depends on your audience. The metrics that go to team leadership should look vastly different than the metrics that go to board members.
“I love the metrics discussion,” said Board Member and Panelist Chenxi Wang. “I’m a security nerd and love talking about counts all day long and time-to-remediation. But remember, you get maybe 30 minutes at most each quarter with the board, and this encompasses all of IT leadership. You really need to determine the most important thing you want your board to remember and act on when it comes to security. It’s not about how many vulnerabilities we’ve remediated in the last quarter…they don’t want to know that.”
The issue of repetitive, ongoing new risks like ransomware and malware came up during the panel discussion. If new risks are constantly brought up to the board, the board begins to ask why there is always new risk. As security leaders, we need to shift the conversation from a “whack-a-mole” approach to security to a confident recognition that there will always be new risk, but our security program has reached the maturity (thanks to investments by the board) to properly address new risks.
Speak the Board’s Language
“Rather than trying to train the board on security, I think we really need to train ourselves,” said Fowler. “Look carefully at what the company as a whole is trying to achieve. Read up on the 10K and the last investor report. I educate myself so that when I receive a question about security, I can direct the conversation toward a goal for the company and how security can help achieve that goal. Now I sound like a business executive talking to another exec, rather than a security practitioner reporting on a specific issue.”
The excellent point was made that many board members are risk professionals with a financial background. This means they understand the language of risk. You can tie some of the security conversation back to an issue that they will understand — materiality. The board understands financial statements are not meant to be 100 percent accurate, since the financial audit you get from a third party only asserts that the information and metrics are reasonable for decision making. Similarly in security, we attest that there are enough controls in place to reassure the public that we have reasonable security. We are protecting our systems and our infrastructure in accordance with the risk tolerance of the business.
Show Them the Money
So what should you do if you talk to the board or executive leadership and they understand there is a security shortage, but they don’t want to invest in security?
The panel remained unfazed.
According to one panelist, if you aren’t getting the budget you need, tell the board right away what you aren’t going to be able to accomplish. And always be ready to communicate what you can do with less — if you ask for 1.5 million, but you get 750K, you must be prepared to explain how you can make an impact with the 750K. Be as clear as possible about the trade-offs, whether financial or reputational.
Look in the Mirror
One panelist admitted, sometimes we don’t have a budget problem. We have an execution problem. We have squandered budget, and bought fancy tech that has no ability to perform in our environment.
Instead of asking for budget for more security technology, ask the board to invest in IT in order to clean up the infrastructure. Everything we do is dependent on the hygiene of IT systems. Emphasize hygiene and prioritize. A board will understand that just like accounting and finance need a clean chart of accounts, we need a clean IT inventory.
Another key take-away from the panel was an emphasis on alignment. Our experts agreed that we need to align the cybersecurity team and its metrics and measurements with the objectives of the organization. Even though a lot of cybersecurity teams engage in some really advanced technology, those things may not be right for that business. It’s our job as leaders in cybersecurity to align our activities with the goals of the organization. Use your measures and metrics to show that alignment.
Don’t forget, the board is your friend,” said Wang. “They have taken fiscal responsibility to govern risks to the organization. It is in the board’s best interest to manage all risk — financial as well as IT. As security professionals, we have to help the board see the business impact of security-related decisions.”
You can see why I’m so enthused by this panel discussion. Security can and does make an impact and the more we align our metrics and narratives with business objectives, the better we get.