As we start the New Year, things have started to pick up here business wise. Of course, I had a slow month in December, but I have booked a ton of podcasts now going all the way into March. Watch for my expansion plans to take place for this to all take hold by or around the first week of April.
I have started to have some premium content shows now, in which the guest and I focus upon a specific area in Cybersecurity.
For example, I had one last week where we talked exclusively about GDPR – and from this, we will be having another podcast in a few weeks on which the topic is just about legal aspects of the CCPA, the new data privacy law that was just passed in California. But, on a more general note, this all stems back to one, key fundamental issue that always keeps coming up.
And that is, it’s great to have all of these of laws and regulations, and compliance stuff, but who is actually going to make sure that they are enforced within a business? Is it up to the IT Security Staff, the IT manager of that department, or does the buck stop with the CIO and/or the CISO, or for that matter, even the Board of Directors? This is a question that I will address towards the end.
But in the meantime, the CIO/CISO will still be in the hotseat to make sure that the companies they work for are as Cyber resilient and strong as possible. But on this end, it is a two-way street. This simply means that the CIO/CISO must be able, in a clear fashion, be able to delegate down their plans and objectives to the IT Managers, who in turn, can make sure the various in the IT Department will understand and act on them.
But at the same time, the C-Suite (which also includes the CIO/CISO) are very busy folks – whether they are out golfing half of the time or are actually doing work (note my sarcasm here). But whatever preoccupies their proverbial busy schedules, there is a common denominator: Whatever information is transmitted up front to them from the IT Managers must be succinct and quickly digestible, in a matter that the CIO/CISO can understand in just a matter of a few minutes.
So, there has be to some sort of Key Performance Indicators, or KPIs that can be used to help out in this regard. The Cybersecurity Industry is full of acronyms, but what are needed most are some metrics to help gauge just how efficiently things are running (or not running) and getting done (or not getting done). So, what are some of these new KPIs that will be hopefully observed?
Here are some of them:
*The Proficiency of the IT Security Staff:
As its name implies, this simply measures just how well trained and knowledgeable your team is with regards to the fighting the threats of the Cybersecurity Landscape on hand. But this metric is not just reflective of what is happening at the present moment, but what is also going to happen in the future. True, many IT Security teams are simply too overburdened and overtaxed because of the current workforce shortage, but there are automated tools that are coming out that can help alleviate this to some degree, especially when it comes to the use of Artificial Intelligence (AI). Another area which these metric measures is what is known as “Red Teaming”. This is where the IT Security Team is placed in war game like situations and are stressed just up to their breaking point to see how well they can react to fighting off multiple Cyberthreats. Think of this as a Penetration Testing exercise, but magnified 10X.
*The Levels of Satisfaction of your IT Security Staff:
Yes, this metric measures just how happy your employees are in their current positions, even though they may be stretched to the breaking point. Remember, given the severe job shortage in Cybersecurity, employees can jump ship in just a matter of a heartbeat. Because of this, not only can it be more difficult to find good workers, it can be an expensive proposition as well. Because of this, you need to make sure that your employees (as it relates to the IT Department) know that they are appreciated at all times. This can be done even by just giving token gifts on a regular basis, such as gift cards, going out to lunch, time off, etc. In the end, a little pat on the back can go a very long way to boost employee morale.
*The Levels of Support For the Business Mission:
One key area that the CIO/CISO needs to communicate to the people below them is what the overall mission and goals are (as stated previously). Very often, this can be accomplished with an over arching mission statement that does not have to be more than a few paragraphs long. In fact, it can even be modelled after the mission statement that is found in the first few pages of your company’s Annual Report. Once this has been formulated and transcended downwards to the rank and file, it will become important, after a period of time, to ascertain to see just how well what is being done on the frontlines actually matches up or even exceeds what was set forth in the mission statement. Keep in mind that although it should be Cyber related, it does not have to be all about fighting off the attacks. It can include other areas as well, such as:
*Building a competitive advantage;
*The creation of new opportunities with both existing clients and prospects;
*The establishment of a clear, sales pipeline funnel.
*What a Security Breach Will Actually Cost:
Obviously, this is an area that nobody wants to think about, especially the CIO/CISO. But whether you like it or not, this is something that must be calculated. The reality is that nobody can say for sure how much a Cyberattack will really be, but this must be estimated so that the C-Suite at least has a frame of reference to work off of in order to prepare their respective budgets. It is very important to keep in mind, that these calculations must include both direct and indirect costs. The former relates to such areas as to how much the costs will be to restore mission critical processes and operations after being hit by a Cyberattack; and the latter refers to those costs such as brand reputation loss, the loss of customers, etc. Also, pay attention to the potential fines you could face, if you are found not to be compliant with any of the newest regulations, such as those of the GDPR and the CCPA.
*The Return On Investment (ROI):
Although this is probably one of the oldest formulas to be calculated in the world of finance, it is now becoming very applicable to the IT Security Staff. Figuring out the ROI can be applied to many different areas, such as the value you are getting out of your current workforce, the investments that are made in newer security technologies, the value of training programs, the net benefit (if any) of using third party vendors, the value of current Security Policies and other plans (especially those that relate to Incident Response/Mitigation, Disaster Recovery, and Business Continuity. Here is a handy formula that you can use in this regard:
ROI = [Mitigation Coefficient X (Likelihood X $ Impact) – Cost of Completion]/Cost of Completion
In the direct quotes of the person that created this formula:
“The mitigation coefficient, in this case, can range, but I typically use .9 which assumes that any control or security solution mitigates 90% of negative effects. I have seen this adjusted for more conservative estimates, though. The likelihood, using NIST’s methodology, is broken down into Very Low (0.1), Low (0.25), Medium (0.5), High (0.75), Very High (1.0). This equation is designed to be applied on a per control basis. The value of that is being able to see where gaps exist, and where the greatest opportunities for investment lie.”
My Thoughts On This
As one can see pretty easily, the first three KPIs are qualitative in nature, and will probably be much more in nature to calculate, as this is pretty much dependent upon the unique environment in your company. But, the last two are quantitative in nature, and should be more uniformly calculated.
It is important that once these values are computed that they be compared to industry standards, and if possible, as to what your competition is doing in this regard. This will give you good benchmarks to see if what you are doing is more or less working or not.
Although the last two important, I believe that the qualitative ones will be just as much or even more critical as 2020 rolls on, especially when it comes to the levels of employee satisfaction. So, to answer the question that I posed at the beginning: I think everybody should be held responsible for making sure that the lines of defenses are fortified as best as possible for the company.
Every employee, all the way down even to the night custodian, has a part to play. But in the end the buck stops with the Board of Directors. Everybody loves to say it is the CIO and/or the CISO, but all decisions are made and governed at this level. So, they ultimately should be held responsible for any Cyberattacks, and noncompliance issues.
In the end, it is really the jobs of the CIO/CISO to simply convey the information and the data that the Board of Directors needs in order to make their decisions and the actions that they plan to take.