Reimagining security governance (part 1)

This blog is part 1 of a three-part article on maturity models. For more information, read part 2 and part 3. 

Is ISMS (Information Security Management System) a four-letter word at your organization? Maybe it’s time to look at governance realignment. Corporate and board-level awareness of the value of security operations has increased radically over the past fifteen years. However, the way security teams measure their operational maturity and present operational performance to the business has not kept pace. So, even though business leaders know that security has value to the organization, defining and understanding that value has remained elusive. This three-part article offers practical suggestions on developing new security maturity models that allow the business to fully realize and embrace the value and potential of its Security Operations Department through business-aligned governance and performance reporting. 

First, we must consider our industry’s current standards for measuring maturity, as defined in controls frameworks such as NIST SP 800-53, ISO/IEC 27001/27002, SOC 2, SCF/CCM, etc. Frequently, organizations measure maturity by the percentage of coverage they have against these controls frameworks. From 2000 until now, this has been a valuable way to benchmark an organization’s cybersecurity maturity. However, given the overall maturity and awareness in the market, compliance with one or more of these frameworks must now be considered a minimum entry point, basic table stakes. This is particularly true given the raft of government privacy regulations enacted over the past fifteen years. Other than startups in their first twenty-four months of operation, most organizations managing business-sensitive or business-critical information assets are already compliant, or are pursuing compliance, with one or more cybersecurity frameworks.  

Second, true maturity is measured by how well the implementation of security controls is aligned to risk, not simply by the number of controls implemented. A hundred controls applied uniformly to low-value systems say less about maturity than ten controls applied where the business impact actually sits. To make security more relevant to the business, we need to introduce three new viewpoints on security maturity:

  • Communications Maturity

  • Business Alignment Maturity

  • Performance and Financial Maturity

Implementing a programmatic approach to these maturity frameworks changes the paradigm from Security as a required Cost-of-Business to Security as a Competitive Advantage.  

The importance of communications maturity 

The journey of integrating security into the business value chain begins with winning the trust of the organization’s leadership, and the path to trusted partner requires going beyond the fear conversation. Everyone knows that cyber-attacks are a major business risk. Business leaders are acutely aware of the impact of a major data breach or ransomware attack.

Selling security projects by inciting fear of these outcomes must end, and integration of security into the business through value creation must start. Being a trusted advisor starts with having conversations in an easily understood language. In 2005, it was common for security leaders to baffle senior leadership with “security speak”, on the premise that leadership would be intimidated by our technical knowledge and give us whatever we asked for.

Today, if security leaders want to get the business on board with security, they need to communicate in the language of the business: what causes the information risks, how those risks manifest as business impact, and how management can help to reduce them. Further, they need to demonstrate how better security practices actually save the company money and provide a competitive advantage, and to do all of this in non-technical terms. Below are four suggested non-technical topics that make good trust-building conversation starters around the root causes of cyber risk in the business:  

  • Employee complacency and how we can overcome this problem. Employee complacency is a culture issue, and leadership owns the establishment of culture. So, discuss how senior leadership can emphasize the importance of secure behavior and drive the culture shift. This also leads into the question, “What are secure behavior habits?” Remember, leaders become leaders because of their problem-solving skills, and this is a problem every leader can relate to. Whatever you do, don’t start by blaming management for fostering a culture of security complacency or disregard, even if you believe that to be the case. Remember, you’re trying to win friends and influence people, not alienate them. 

  • Security is bypassed because it’s manual or business-encumbering. Discuss potential options for automating security where possible, so that the organization can change the balance, making it easier to operate within the secure process than to bypass it. 

  • Security processes are missing, or not integrated into business processes. The first step in resolving this is bringing security representation into all business projects and making sure business processes are designed with security processes embedded (AKA Security by Design). The first project or strategy meetings attended by security are critical. While this advice may seem obvious, remember to play the long game. Any roadblocks created by security in these first meetings will result in fewer future invitations.  

  • Lack of security testing and validation. We must create the mindset that it is essential to test the security built into a process before implementation. After all, no company would make an electrical appliance and sell it without testing the usability and safety of the product, so why not apply that same philosophy to all business processes?

Becoming a business partner 

The most important part of security communication is the transition of security to being a business partner instead of just a fearmongering money pit. Using business language, we need to articulate how security serves business risk management, how we can make data accessible to everyone who needs it (anytime, from anywhere, on any device) and still keep it secure, and how cyber insurance underwriting requirements and regulation are driving better security in the business.  

And let’s not forget: we must achieve better command of our own language. We need to stop overusing and misusing words like “threat.” Using “threat” in every sentence, and using it to mean many different things, is confusing. If we can’t agree on vocabulary definitions within our profession, we have little chance of effective communication outside our community.  

Being meticulous in the use of language – an example 

I recently listened to a presentation where the speaker used the word “threat” at least thirty times in a forty-minute presentation. He also used it to mean five different things:  

  1. He talked about Threat Hunting four times. Once, to refer to searching an environment for Indicators of Compromise to determine if there was already an intruder in the network. That is not a threat, that’s an intruder. That actor is not threatening to breach your defenses; they already have breached them. Therefore, we should call it Intruder Hunting, as we’re looking for an active intrusion. The next time Threat Hunting was mentioned was for research on Threat Actors and Advanced Persistent Threats (APTs). There was never a mention of evaluating those Threat Actors as potential adversaries. While they may be a threat to someone, are they really a threat to that person’s organization? That’s Threat Actor research, not Threat Hunting. Next, he talked of dark web reconnaissance, i.e., looking for individuals and groups plotting an attack on the organization. That is true Threat Hunting. Lastly, he spoke of searching for his organization’s data that had been exfiltrated and posted or put up for sale. Maybe the threat is still active, but that’s actually exfiltrated data hunting.  

  2. Then came a discussion of threat types: hackers, criminals, nation states, hacktivists, internal, etc. Are these really called threat types, or are they Threat Actor Motivations? 

  3. Lastly, he talked about malware, thumb drives, and mobile devices, and called all of them threats. Many security professionals have used Metasploit as a penetration-testing tool for years and it never once threatened them; a tool is only a threat when it is in the hands of someone planning to use it against you. 

While you may dispute some aspects of the above example, hopefully the point is clear enough. Within the industry, we are able to take terms in context and decipher the correct meaning. For those outside of the security industry, our choice of terms can be a source of confusion and frustration. If the term is not truly self-descriptive to a non-security person, either don’t use it, or provide a definition! 

Measuring communications maturity effectively 

How does one measure Communications Maturity? 

Although it would make for more interesting reading to say these metrics are based on advanced and complex statistical algorithms, the answer is much simpler: ask. The best evidence of effective communication is provided by simple inquiry. Further, the questions can be very straightforward. For example, we can ask six simple questions scored on a 1-10 scale, plus one open-ended question, as listed below.  

  1. How do you rate your understanding of the Information Security department’s projects and plans based on the communication received from that department’s leadership?

  2. Rate the clarity of the explanation and rationale provided for the Information Security department’s projects.

  3. Rate how well the Information Security issues within the organization are communicated to you in business terms.

  4. How would you rate the Information Security department’s performance communication?

  5. Overall, rate the communication of the Information Security department to senior leadership.

  6. If the Information Security department were a separate company outsourced for this function, how likely would you be to recommend them to friends and colleagues? (*Net Promoter Score)

  7. Lastly, what could be done to improve communication between the Information Security department and senior leadership? 

Some readers may see this process as similar to a Customer Success (CS) survey. That is, of course, more than coincidence. After all, the other functional business departments in the organization are, in fact, customers of the Information Security department. You may also note that question 6 is the standard Net Promoter question used in the calculation of the Net Promoter Score (NPS) commonly employed in Customer Success: NPS is the percentage of promoters (scores of 9 or 10) minus the percentage of detractors (scores of 0 to 6). Note that NPS is conventionally asked on a 0-10 scale; if you keep the 1-10 scale used for the other questions, decide up front how the promoter and detractor bands map so that results remain comparable over time. 

Please note that it is best to conduct this survey anonymously to get the most honest results.  

Naturally, every organization will need to customize its survey questions to get the most relevant communication KPIs for its teams. But the above can serve as a solid starting point. Remember, metrics are not KPIs if they are not used to drive action. There must be an action plan based on the scoring results so that the department can see continuous improvement over time. For example, scores over 7 indicate that subtle fine-tuning of the department’s messaging is probably needed, whereas scores under 7 are likely to require significant rework of the communication model.    

This blog is part 1 of a three-part article on maturity models. For more information, read part 2 and part 3.