Security must become a business enabler to be taken seriously by business organisations. How can security enable the business? At the recent IDC European CISO conference, Craig Jarvis, security chief technology officer at DXC Technology, talked about how security and security metrics can improve the effectiveness of organisations.
Q: What is the key way to drive the business elements of security?
A: The first step is to gain board access. Chief information security officers (CISOs) are being elevated to executive status in many enterprises, which is delivering this access. That is a good thing. The next step is metrics. We have to think about sensible metrics, rather than having our finite resources generating data that fails to deliver insights. Those board-digestible metrics must be complemented with human insights into the problem. This allows the board to understand the reputational and ethical dangers alongside the more traditional business risk.
CISOs need to accentuate that security is about trust, and without their clients’ trust, enterprises seldom thrive. So, if we can get meaningful metrics complemented by articulate CISOs, I think we are heading in the right direction to winning the board’s confidence and the sponsorship required to secure the enterprise. Then we must engage more with line-of-business owners to ensure that security is enabling their profit-generating operations. This early engagement is crucial. We must adapt to business needs rather than attempting to get the business to adapt to security needs.
Q: How should we raise these metrics and position them to the board?
A: There’s no universal solution. Ten years ago, the board didn’t want to know about security, or even see the CISO if there wasn’t a crisis. Move 5 years forward and they start to understand there is risk, and they want as many metrics as possible. Security operations generate data, and the board can’t make any sense of it. They are not equipped to translate complex technical telemetry into their vernacular of executive risk. In the past, this capability gap meant that CISOs could easily construct a good narrative around bad metrics. As a result, we did not have anyone able to hold the CISO accountable, and in many cases security suffered as poor performance was not remediated.
Move forward to the present day, and we are getting better at providing meaningful metrics. We are starting to see more interest and understanding from boards, but we are still far from where we need to be to empower the board to make informed, risk-oriented decisions.
The question is this: how do we find a balance between giving the board metrics that will empower them with an understanding that is independent of a CISO’s narrative — delivering executive accountability — whilst not overburdening security teams with metric generation? I have seen myriad operational teams completely consumed trying to build metrics that don’t aid them in their jobs or help inform the board. It’s important to recognise that there are metrics for the executive to understand the risk, and there are separate data to inform operational capability. From my perspective, when it comes to the former, less is more.
Q: What other aspects should organisations focus on regarding security, based on these metrics?
A: We have to start thinking about the wider IT risk. When we engage the board separately on IT operational risk and cyber security risk, the board often becomes confused. They are having two separate conversations about technology risk. For instance, when it comes to availability crises, the board only cares about the business impact. Whether the impact is due to a ransomware attack or a server farm failing is largely irrelevant to the board’s thinking and response process. The board needs a converged view of technology risk, so it can make strategic decisions about risk management and investment. That’s the goal.
At DXC Technology we’re thinking about how the board and operations should perceive risk in the future. Typically, this is when people start talking about next-gen Security Operation Centres (SOCs). But that’s wrong. We’re in the last generation of SOCs. We next need ROCs — Risk Operation Centres — that deliver a converged view of risk and the ability to respond to realisations of that risk. We’re heading in that direction fast. It’s going to take an alliance of operations and security, but it’s the only way we’ll be able to start providing a unified risk view for the board that finally allows a proper mastery of technology risk across its enterprises.
Craig Jarvis is the chief technology officer for Security at DXC Technology. Craig specialises in the nexus of warfare and technology, and he holds master’s degrees in both computer forensics and international security. Craig is currently completing a PhD in warfare and writing a book on the political history of encryption technologies.