We all talk about what we’re doing at our companies and how we are driving them forward. How do we measure success and how do we actually define it? More importantly, how can we communicate it?
Before we measure...What is “Secure?”
A “yes” or “no” answer is not enough when we’re asking ourselves or our company if we feel protected? What are you protected from and why? Do people really understand they need to be protected and more importantly, are we protecting them? The sad truth is that many just aren’t aware or don’t believe they have anything valuable to lose. So if the organization doesn’t understand the risk, how can they measure success?
What is your risk appetite and what are you willing to accept?
Risk is the root and just like success, it is unique through your tolerance. For example, some may define success as how much money they have in their bank account but someone else may view it as the amount of human lives they’ve improved.
It’s hard to define a KPI and define risk because we don’t have a standard baseline of what risk is and how to measure it. The result of this is one company that says, “Yes, we’ve checked all the boxes and we are safe.” to another that says, “Well, we’re a small company and really don’t have anything to steal.” The reason this continues is that we haven’t done a good enough job articulating what the risk is in a way that’s measurable and in a way we could build a KPI on.
Security is subjective.
Success is the intersection of “I feel secure” and “I am secure” So, when we apply this to cyber security, safety is a reality and a feeling. You can be safe but feel paranoid or feel safe but actually be in danger. The feeling and reality need to be equal in order to truly be safe. Add in trust with your customer, employees, and partners, and they will feel safe and secure. This is the definition of cyber security success.
We Need More Proof.
Car accidents and statistics are public knowledge. The majority of security events are kept private. It makes determining risky behavior difficult when you cannot have all of the facts.
Every attack should be shared so it can help the industry. Keep your intellectual property but there is a way to share what you can to help the greater good and make this industry better.
The auto industry has proof that whatever good behavior suggested is good. Wearing a seatbelt has reduced the number of people that die in crashes. In cyber security, we don’t have this type of “proof” data because organizations don’t share data with others. We can’t learn and improve or create KPI’s based on statistics that we don’t have. We speak in boogey man and bad things happening mixed with acronyms and technical jargon and it confuses people.
Sharing stories like the one below is the proof
we need to spread awareness and improve our success metrics!
Do you know the business goals?
Car brakes were made, not for cars to go slow but to go fast. Without brakes, everyone would be driving slow. How can the security system we put in place allow our company to grow fast without crashing? Do we understand what the company business goals are? Success is allowing the company to reach these goals quickly and safely. When we talk about success, we should always explain how it correlates to the business goals and how we help the company achieve them.
You want to show Success? Build Trust with the board of directors.
Put on your board of directors hat for a moment. Do you have trust? Did your security and management teams run disaster drills? Are you ready? Can they show you that you’re actually prepared for something bad to happen and can respond to it?
Include senior management in drills and other board members once per year or even quarterly. Everyone will feel better about what is going on. If they don’t trust or understand what you are saying, it doesn’t matter. Collaborate and communicate. Do tabletop exercises and simulate risk mitigation!
Make it personal.
Start with their own personal understanding by asking a business or your C Suite how they protect their families from cybercrime. If they cannot answer that, they are not YET equipped to protect the business. The more they know to protect their own family, the more connected they are to awareness, risk, and good digital behavior, the more they can protect the company.
Safety belts don’t stop a crash, but they reduce your risk of injury or death.
If you can show successful reduction of risk against your transparent risk appetite, do the hard work to map out the impact of those risks of data and processes, and show measurable progress of reducing the risks as best as possible, that’s success. You’ll never eliminate risk but you can certainly put controls in place to reduce it.
How do you measure Culture?
There is no easy KPI, however there are some signs that security culture is getting better:
1. Is the security team involved in more projects from the ground up and not after the fact? This is a sign that people understand the need for safety.
3. Are more people asking for permission to use new technologies instead of bypassing security controls (Shadow IT) , If yes, it is a sign they understand the risk and wish to mitigate it.
4. Are people asking for help to protect their kids and family?
Maturity and readiness.
To get a driver’s license, you have to prove you are worthy. Are you measuring the maturity of your cyber security program? Are you measuring your readiness? Can you be put at risk today with the threat landscape? If something crosses the road, are your brakes good enough to stop you before you hit that threat walking across the street?
It’s about reaction and response time. Take the 1-10-60 model. You have 1 minute to detect an attack, 10 minutes to analyze it, and 60 minutes to respond to it. However, with all of the new sophisticated threats that come our way, we need to constantly get into the mindset of how to reduce that time!
Convincing the company to take security measures...not just the CISO’s job anymore!
Simplify, simplify, simplify. We love tech and we love our stuff and we have a ton of acronyms and don’t make sense to the people we have to show what the risk is to the business. What is your meantime discovery and intervention? Simplify and humanize this information.
Ask the C Suite “what is the one thing that would take your business down for good and how long would that take?” Have conversations, make it personal, and grow it back into the business.
Focus on the humans first, the company second.
Move away from traditional training and train through storytelling. Start with leadership! Talk to them about their personal safety, their kids in college, etc. Put the corporate stuff to the side for a minute and have a conversation. The leadership team will pass this down to their teams. It’s the most effective way to have these conversations and get engagement. Each member of the team has a role to play. If one is not playing it their best, it creates a risk.
We need to jazz up this industry with meaningful conversation and compassion and stop trying to sell security awareness by fear. We’ve been a bit cold. Connections will be the thing that moves us forward. If we keep talking in dollars and breaches, the people will not see the risk.
Make training a benefit instead of a chore. Provide Security Awareness training to your employees and their families. Don’t just make it about keeping the company safe. Changing behavior at home will filter into the company. We have to apply the behavior for the physical world to the digital world.
Involve marketing, HR, involve everyone. Use the resources you have in your company because it impacts us all, not just our companies. People from outside of security can bring so much value to this industry. Psychology, marketing, etc. Diversity in job roles. Brilliant people who can do wonders in this industry. Engage more with ppl from all walks of life to get into cyber security.
Celebrate the positives and turn your focus to what’s important!
Always celebrate the positives to help build the culture. Are people coming to the security team with new tech they want to use vs. using Shadow IT? If so, that is a GREAT sign of security awareness and risk reduction. It’s not just about measuring the incidents.
Focus on relationships and storytelling, focus on safety, accountability in vendors and software makers. If you do these things, you will make progress and be successful.
Measure what is meaningful, measure what will move the needle forward. Focus on making an impact in people's lives. Start with whoever you can and show them how to be safe. Make online safety a basic life skill for everyone. Have the mindset that it is not only about your team, it is about everyone.