Kudelski Security recently carried out research with its Client Advisory Council on CISO communication with the board of directors. The full report – complete with advice from seasoned security leaders – can be found here, but in this blog, I’m going to cover some extra points that we weren’t able to include in the final document, relating to one of the most challenging questions that CISOs face when communicating with the C-Suite.

The issue in question is “How do we compare with our peers?” As with all of these questions, the starting point is to understand what the board actually wants to know.

According to a majority of Council members, it boils down to investment: whether the organization is spending enough on security compared to its peers. Interestingly, and as an aside, the boards indicated that they want to spend at parity with, or even more than, peers within their industry, but do not want to overspend in areas with diminishing returns on investment.

The responses from Council members fall into three broad strategies.

Strategy number 1: Benchmark using an industry standard framework

Most of the CISOs we talked to suggest using this strategy:

  • CISOs should communicate how the framework was selected and why they think the framework fits their company.
  • Then CISOs should demonstrate how the company’s security program is measured against this framework, highlighting specifically where the start point was, and the progress made to the target state of maturity.

One piece of advice from one CISO to another: “Always check whether investments are worthwhile from a risk reduction point of view.” One of our Council CISOs from a Fortune 1000 company told us he was asked by his board what it takes to increase the maturity score from a 2.4 to a 3.2 in one area of their security program. In this case, he recommended that before taking any action, it needed to be determined whether taking that step was worth it in terms of investment and risk reduction.

Strategy number 2: Compare security spend with peers

Many of our Members also pointed to this as a key strategy. Obviously, the key problem here is the fact that data sharing on these matters is highly sensitive and confidential.

So where do CISOs need to look to find what their peers are spending on security?

  • One CISO from the technology industry recommends first looking at research firms that can provide information related to verticals, such as Gartner, Forrester, 451 group, etc. “Start with the average security spend for a vertical, and then tweak the number based on the organization size and innovation, knowing that firms that are innovative will typically spend more on security than traditional firms.”
  • Another valuable source of information is peer CISOs – some of the CISOs we interviewed meet their CISO peers regularly to discuss security and maturity, staff and budget topics. The general recommendation is “make friends with peers in cyber and do not try to be competitive when it comes to security.”
  • Participate in forums and share information within peer groups – one CISO from the media and entertainment industry obtains their benchmarking information from an industry-specific cyber community. They meet monthly to get updates on industry cyber trends, compare cyber programs and maturity, and share the latest incidents that have impacted them.

Strategy number 3: Compare maturity of individual program components

The third strategy focuses on a maturity comparison.

  • Look at what functional or capability outcomes your peers are trying to achieve, what gaps they are trying to close and the steps they have taken to do so. This recommendation came from one Fortune 500 CISO, based on his experience that his peers gain a good idea about industry norms from the maturity assessments they run.
  • As a general note, if you cannot answer, don’t guess. Instead, use strategy number 1: pivot your answer to a framework, as this is something you can control and justify.

Did you find this useful?

For a more comprehensive guide to answering tough questions from the boardroom, read our Cyber Business Executive Research: Cyber Board Communications & Metrics in full.