One of the toughest challenges facing Chief Information Security Officers is communicating effectively with the board of directors. That raises the question: how can CISOs articulate a comprehensive and sophisticated security strategy to them?
Kudelski Security’s Secure Blueprint SaaS is a business management platform designed by CISOs for CISOs. The software enables security leaders to plan, execute and evolve business-aligned security programs and to drive continuous improvement. It centralizes key management functions, gives visibility into maturity and risks, and facilitates stakeholder engagement.
See what Frost & Sullivan, the global business consultants, have to say about Kudelski Security’s software:
If you haven’t got three minutes to watch the video, key takeaways include:
Secure Blueprint measures cyber program maturity and risk by benchmarking an organization’s capabilities against cybersecurity control models such as the NIST Cybersecurity Framework or Kudelski Security’s own cybersecurity portfolio management model
Security strategy needs to be communicated to the organization, the C-suite and the board of directors in business language, not tech speak
The program facilitates and automates stakeholder engagements, taking lengthy quarterly meetings down to just a few minutes
Secure Blueprint allows the CISO and the board of directors to communicate effectively about the security strategy using out-of-the-box executive dashboards
If you’re interested in learning more about Secure Blueprint, click here.
The lack of women in the IT world is easy to see. With growing demand for a more diverse workplace, a general shortage of cybersecurity workers and persistent cyber threats, the demand for them is certainly there.
Olivia Rose, Kudelski Security director of global risk solutions, knows that all too well. The latest statistics suggest that women make up only around 10 percent of the cybersecurity workforce in the US, and even less worldwide. Though she fell into cybersecurity by chance, she hasn’t turned away in almost two decades. Speaking on the Security Boulevard podcast CyberSpeak, Olivia discusses a range of topics around her experience and the growing number of women in cybersecurity.
According to Olivia, there are two sides to security:
The highly technical side. If you are interested in coding, encryption, technology, penetration testing and so on, go for it.
The strategy and governance side. This is increasingly recognized as, at times, even more critical than the technical side. You help develop programs and strategy and find the gaps in existing security programs so that companies can defend themselves effectively. This requires strong listening, communication and creative-thinking skills, all of which women tend to be good at, and it involves partnering with executives and senior management, who need exactly those skills in a partner.
You can listen to the podcast by clicking the play button below.
Olivia has some additional advice for women who may be considering diving into cybersecurity:
If you want to get into a field which holds unlimited potential, especially for women, security is it. We need more women (and we need more people in general).
The industry needs the skills women tend to be strong at, so they shouldn’t be scared to enter the field. Some of the most successful security consultants, salespeople and execs I’ve ever worked with have been women, because they’ve leveraged their gender skills.
Women need to change their perspective of what security is and what is needed to work in the field.
Yes, it’s a highly male-dominated field and you will face situations where you are made to feel less important and/or uncomfortable. But this is also why we need more women in this field: to even out the playing field and support each other.
Views on women in the field are changing and becoming more accepting, so it is less harassing than it was ten years ago, but be ready for certain situations that you will encounter.
Authors: Julien Gibert, Executive Director, PageGroup, and Martin Dion, Vice President of EMEA Services, Kudelski Security
According to the Michael Page Swiss Job Index, demand for IT developers is at a record high. Between June and July 2018 the number of such positions advertised increased by 18.5%, against a 4.9% decline in all jobs advertised in Switzerland over the same period. Based on the frontline experience of Kudelski Security and Michael Page, we outline four key ways of attracting and retaining talent in this market:
Provide projects where they will learn and grow
Projects, not salary, are the key driver for attracting and keeping talent. Developers like to work with new tools. They want projects where they can learn and grow, and preferably influence the choice of technology. Developers like change more than most other professionals: they typically think on an 18-month to two-year horizon and are well connected, via various IT communities, about where the next interesting projects are on offer. Employers therefore need to communicate the benefits of their projects, e.g. in terms of technology, project management and potential people-management skills advancement. They also need to stay close to their developers, show interest in their career progress, ask them what they would like to work on next and let them know that new projects are available for them, but not so far from the end of the current project that they lose focus.
Be flexible on hours and location
Flexibility is a key driver for attracting and keeping talent in this field. The ability to organize their own time is extremely important to developers. Employers need to be flexible with working hours as well as location: allowing developers to work on weekends rather than certain weekdays, enabling them to work from home and being prepared to have them work from different locations. For example, if a developer is based in Zurich and doesn’t want to move to Geneva, that needs to be accommodated. Since demand exceeds supply for developers in Switzerland, employers also need to be prepared to relocate talent from wherever it is.
Compromise on skill sets
If a candidate has 80% of the skills required for a job and is willing to learn, be prepared to make an offer. Skills in this field date quickly, and good candidates will have two or three offers at any one time, so employers need to find them when they are available and move quickly. Job descriptions with too many criteria significantly reduce the chances of filling the position.
Look beyond the IT profession
Recognize that certain roles can be staffed by professionals from outside the IT/development field. For example, when a financial institution builds a new tool, it needs people who understand the business. These roles are typically known as “business analysts” and are filled by people from other disciplines (e.g. finance, HR, sales) who understand the business and like IT projects. On the consulting side, lawyers with IT practice backgrounds have also proved successful, because they are typically good at negotiating and at communicating risks and benefits to clients. So be prepared to look for people who understand your business, can deal with business partners and clients, and fit the culture of the organization and the project team.
The shortage of developers in Switzerland will only become more pronounced in the near future as demand grows and the supply cannot be met from the Swiss workforce or graduating institutions. It is therefore important to remember that Switzerland is not Silicon Valley, with its huge pool of developers, and to be prepared to follow the 80/20 rule on skills.
As a refresher, what is the problem in a nutshell?
Security risks now have board-level attention, and CISOs struggle to present information about their security program in ways decision-makers can understand.
They need a single solution that allows them to plan, execute and measure their programs programmatically, and a means to show their boards and executive peers the metrics that justify plans and investments.
The challenge, however, has always been creating a centralized view and providing information that non-technical audiences, such as business leaders and boards of directors, find meaningful.
What is the solution?
The solution is to have a central place for all the relevant data, including plans, priorities, maturity metrics, risks and more. From there you can get a comprehensive view of the whole security program or target individual areas to present just the information of interest to the organization’s leaders.
This would provide the platform for CISOs to track investments, measure and articulate risk, track progress, and translate comprehensive technical information into something that is meaningful and actionable by business leaders.
What does Secure Blueprint look like?
Secure Blueprint is a SaaS solution that builds on the most common maturity and control frameworks and provides a depth of program management that goes beyond traditional executive cyber reporting.
The software is designed to deliver business-focused analytics, initiative tracking and dashboards that track your defined key performance indicators. With a click, you have the information you need to assess current and potential risk and to set maturity levels and goals for every aspect of your program.
Secure Blueprint is a way for CISOs to drive continuous improvement, with the end goal of clearly communicating business-focused priorities and outcomes. The platform automatically generates dashboards that track specific measures and can be used in presentations to boards and committees to show the program’s current state and goals. It shows the past, present and future of program maturity against control frameworks, and its analytics are integrated with cyber business maturity benchmarking so that the CISO can not only identify program gaps but also guide investments.
No more manually created charts, no more multi-tabbed Excel sheets: Secure Blueprint is intuitive and easy to use, so you can present your program to the board with confidence.
What are some key attributes of the program?
According to Gartner, CISOs need dashboards covering a wide range of aspects. Secure Blueprint is a comprehensive program management platform that includes them: it gives easy visibility into program maturity, the program roadmap, initiatives management, investment management, a cybersecurity program component heatmap and component management dashboards. Today CISOs are forced to build these out manually; Secure Blueprint does it for them.
The integrated dashboards visualize all these aspects and more. With a click, the CISO can see every relevant detail in a form that anyone in the organization can understand, which helps justify the costs of the cyber program.
Interview by Maxfield Barker, Sr Marketing Coordinator, Kudelski Security
Pressures on security leaders continue to increase. Industry leaders increasingly see the CISO as a risk-management business executive, not solely a security leader. CISOs need to drive, and communicate on, a program aligned with the overarching business objectives and risk appetite. Given the myriad, ever-evolving elements of a comprehensive security program and the associated risks, this is a tall order. Modern CISOs need new software to help with these challenges; hence Secure Blueprint, a cyber business management platform for cyber leadership.
The following discussion with John Hellickson, vice president of US services at Kudelski Security, describes the driving need and rationale for this new category of security product.
What is Secure Blueprint and where did the idea come from?
Secure Blueprint is a new, innovative approach by Kudelski Security to designing comprehensive, agile and business-aligned security programs. It includes software that enables CISOs to plan, execute and improve programs while keeping them aligned with business objectives. It delivers metrics that demonstrate program maturity, areas of priority and risk, so smarter investment decisions can be made, and creates dashboards that enable risk-based storytelling conversations with boards and executive peers.
It’s a well-known fact that boards are being asked to know more about cyber issues, while CISOs are challenged discussing those needs with the board in a way that instills confidence in their security program.
CISOs must now think more like a CEO than ever before, as treating cybersecurity as just another IT function has proven limiting when combating today’s advanced threat landscape. Cybersecurity is a critical concern for business and executive leaders at the highest level of all organizations and governments; therefore, bridging the gap between business objectives and prioritizing security investments is essential.
Recently, C-suites and boards have been expecting more of their cyber leadership in communicating the value of selected security investments, with progress improvements and reduction in business risk as the outcomes. This trend is indicative of the C-suite’s desire to learn and to increase support for the CISO role in order to prevent a cyber attack. Therefore, CISOs need to develop executive presence, change their mindset and approach, demonstrate decisiveness and agility, and speak in a language the C-suite understands.
What is the biggest challenge you are addressing?
It’s hard to effectively plan, budget and justify investments if you can’t measure the maturity of your programs and the progress made. And if you don’t have this knowledge, how can you gain the necessary visibility for achieving your strategic goals? And with no ability to understand where ongoing gaps exist and demonstrate progress, how can you instill confidence in your security program and strategy with business leaders?
What does the board need to know?
Well, let’s start with what they don’t need to know. Overly detailed answers that delve into day-to-day security operations may overwhelm or frustrate the board. Unfortunately, this is what CISOs have traditionally provided, due to their technical backgrounds.
What boards actually need is for the CISO to articulate the security threats relevant to the organization and its industry. Boards want a clear sense of the cyber program’s target maturity and how the CISO is closing the gap. To deliver this kind of information, CISOs need to be ready to communicate the following:
State of cyber program maturity and roadmap
Top industry threats and trends
Priority-1 initiatives and business outcomes
High-level, business-oriented cyber risks
Timely related incidents and organizational impact
…which is exactly what our Secure Blueprint platform provides
So, Secure Blueprint goes beyond just board reporting to helping the CISO with a structurally different approach to building and executing their security agenda.
Board reporting is crucial, though, and can be one of the most difficult aspects for any CISO to master. But more importantly, you need both to run your cybersecurity program as a business and to articulate this in the framework and language that business leaders understand.
Gartner summarizes it nicely in this article, by stating: “Organizations need to develop a strategic planning capability that enables the organization to develop and refine a roadmap of investments that recognizes a continuous change in the business, technology and threat environments.”
Cybersecurity is still a relatively young field, where evolving threats keep best practices fluid; where the intense pressure to deliver grows constantly and where company culture and industry context matter greatly. With so many variables, how can cyber leaders chart a path to success in today’s CISO role?
The solution is to run cyber programs the way you run a business. Think of your cyber portfolio more as a business portfolio. Your board will want to know whether your cybersecurity initiatives align with the enterprise’s objectives. The CISO needs to measure the cybersecurity program’s success, which you can do by blending and measuring qualitative and quantitative risk along with program maturity. The CISO also needs to know which investments make the most of the cybersecurity program. These are some of the things every CISO should have in mind and be able to communicate on a regular basis.
Put simply, the outcome should be the ability to present a cybersecurity program strategy and progress status to C-suite in a communication method that resonates with an executive audience.
In the first part of this series, I introduced the research Kudelski Security did on the subject of board communications and metrics in collaboration with our Client Advisory Council. The report is available in full here, but as with all meaty reports there’s a lot of content, so this article seeks to cover some interesting insight that didn’t make the final cut.
We explored a few questions in depth, based on responses to an initial survey on the questions CISOs are most frequently asked by the board.
The full list of questions that formed the basis of our research is listed below:
The broad consensus among our Council members was that the question “Are we secure? How do we know?” is the most challenging and most frequent question boards ask CISOs. As with all strategies, there is no one-size-fits-all approach, so the report offers a range of strategies to be evaluated and implemented according to your organizational profile and board requirements. It is worth noting that CISOs spend an average of 10-20 hours preparing their response to this question, so in the interests of saving time it is a useful question to consider.
Here are five key takeaways:
One Fortune 500 CISO suggests there is no simple black-or-white answer, as there is no such thing as 100% secure; we will always have more vulnerabilities as the threats constantly change. He prefers to talk about security as a journey, using a maturity model as the framework to measure progress.
It was commonly agreed that this question needs to be bridged to an industry framework: the board needs to understand that you are measuring the maturity of your company’s capabilities and aligning it to the industry norm.
Start by presenting the cybersecurity maturity model you are aligned to, a best-practice framework for your industry (such as NIST CSF or ISO), and show where you are today on that journey relative to the company’s maturity goals.
Continue by presenting where you want to get to, then pivot to a risk-management discussion by showing the current level of risk. You should be able to explain to the board whether that level is above, at or below the company’s risk profile, risk tolerance or risk acceptance levels.
Next, show the board how you have reduced the risk of compromise to critical assets, using metrics that attest to improvement trends; this is key to validating your state of security. Provide direct, fact-based answers that you can back with metrics such as event monitoring results, or with third-party audits. One of our CAC members, a CISO in the computer hardware industry, said:
“Always have data to back up your recommendations. Stay away from opinions”
A particularly interesting outcome of our discussion with the Client Advisory Council CISOs was that a key metric and focus for the CISO must be the ability to respond to and recover from attacks, and not just any attack, but the more targeted ones.
This is a good way to confirm the defenses are operating well. As Pete Naumovski, VP and CISO, BCBSA, states: “in a perfect world, the absolute metric for a CISO to have is the MTTD / MTTR of a more targeted attack”. Or as Ginny Davis, CIO and CSO, Technicolor, puts it: “Your ability to respond and recover is equally important to how secure you are”.
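To make the takeaways above concrete, here is a small Python script, added as an example and not part of the original report or of Secure Blueprint, that derives the numbers a CISO would put on the maturity and response slides: the gap per NIST CSF function between current and target maturity, where residual risk sits against the board's stated tolerance, and mean time to detect (MTTD, measured as dwell time) and mean time to respond (MTTR) for targeted incidents per quarter, so a dwell-time reduction trend can be shown. The 1-to-5 maturity scale, the incident fields and all the assessment and incident data are constructed assumptions for illustration.

```python
"""Maturity-gap and MTTD/MTTR board metrics over constructed data (illustrative example)."""
from dataclasses import dataclass
from datetime import datetime
from statistics import mean

# Constructed assessment against the five NIST CSF functions. The 1-5 scale
# (CMMI-style) is an assumption; the page names the framework, not the scale.
ASSESSMENT = {
    "Identify": {"current": 3, "target": 4},
    "Protect": {"current": 3, "target": 4},
    "Detect": {"current": 2, "target": 4},
    "Respond": {"current": 2, "target": 3},
    "Recover": {"current": 1, "target": 3},
}


def maturity_gaps(assessment):
    """Gap per CSF function (target minus current), largest gap first, then by name."""
    gaps = {name: lv["target"] - lv["current"] for name, lv in assessment.items()}
    return dict(sorted(gaps.items(), key=lambda kv: (-kv[1], kv[0])))


def overall_maturity(assessment):
    """(average current level, average target level), rounded to one decimal."""
    cur = mean(lv["current"] for lv in assessment.values())
    tgt = mean(lv["target"] for lv in assessment.values())
    return round(cur, 1), round(tgt, 1)


def risk_position(residual_risk, tolerance):
    """Where residual risk sits relative to the board's stated tolerance: above, at or below."""
    if residual_risk > tolerance:
        return "above"
    if residual_risk < tolerance:
        return "below"
    return "at"


@dataclass
class Incident:
    ident: str
    quarter: str
    targeted: bool            # targeted intrusion vs. commodity/opportunistic activity
    first_activity: datetime  # earliest attacker activity established by the investigation
    detected: datetime        # when the SOC first raised the case
    contained: datetime       # when the attacker was evicted / the incident closed

    def __post_init__(self):
        # Bad timestamps silently corrupt the averages, so reject them up front.
        if not (self.first_activity <= self.detected <= self.contained):
            raise ValueError(f"{self.ident}: need first_activity <= detected <= contained")


# Constructed incident records for two quarters (hypothetical identifiers and dates).
INCIDENTS = [
    Incident("INC-1", "2018Q1", True, datetime(2018, 1, 3, 8), datetime(2018, 1, 13, 8), datetime(2018, 1, 15, 8)),
    Incident("INC-2", "2018Q1", False, datetime(2018, 2, 1, 9), datetime(2018, 2, 1, 10), datetime(2018, 2, 1, 13)),
    Incident("INC-3", "2018Q2", True, datetime(2018, 4, 2, 0), datetime(2018, 4, 6, 0), datetime(2018, 4, 7, 0)),
    Incident("INC-4", "2018Q2", True, datetime(2018, 5, 10, 6), datetime(2018, 5, 12, 6), datetime(2018, 5, 12, 18)),
    Incident("INC-5", "2018Q2", False, datetime(2018, 6, 1, 0), datetime(2018, 6, 1, 2), datetime(2018, 6, 1, 5)),
]


def _hours(later, earlier):
    return (later - earlier).total_seconds() / 3600


def mttd_mttr_by_quarter(incidents, targeted_only=True):
    """{quarter: (MTTD hours, MTTR hours)}. MTTD is dwell time (first activity to
    detection); MTTR is detection to containment. By default only targeted
    incidents count, which is the metric the CISOs quoted above care about."""
    buckets = {}
    for inc in incidents:
        if targeted_only and not inc.targeted:
            continue
        buckets.setdefault(inc.quarter, []).append(inc)
    out = {}
    for quarter in sorted(buckets):
        incs = buckets[quarter]
        mttd = mean(_hours(i.detected, i.first_activity) for i in incs)
        mttr = mean(_hours(i.contained, i.detected) for i in incs)
        out[quarter] = (round(mttd, 1), round(mttr, 1))
    return out


def dwell_time_reduction(by_quarter):
    """Percentage reduction in MTTD from the earliest to the latest quarter."""
    quarters = sorted(by_quarter)
    first, last = by_quarter[quarters[0]][0], by_quarter[quarters[-1]][0]
    return round((first - last) / first * 100, 1)


if __name__ == "__main__":
    print("Maturity gaps (largest first):", maturity_gaps(ASSESSMENT))
    print("Overall maturity current/target:", overall_maturity(ASSESSMENT))
    print("Residual risk vs tolerance:", risk_position(14, 10))
    trend = mttd_mttr_by_quarter(INCIDENTS)
    print("Targeted-incident MTTD/MTTR by quarter (h):", trend)
    print("Dwell-time reduction:", dwell_time_reduction(trend), "%")
```

The per-function gaps feed the spider graph or heatmap mentioned in the presentation tips, and the quarterly MTTD/MTTR pairs are the trend line for the "respond and recover" slide; running it with targeted_only=False shows how commodity incidents drag the averages down and flatter the picture, which is why the quoted CISOs insist on measuring targeted attacks separately.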
And while we are on presentations, here is a summary of the top-5 presentation tips:
Keep the same format for each board presentation
Use a heatmap to demonstrate risk drivers or a spider graph to show multiple data points
Keep the message on each slide focused and leave plenty of white space
Show progress over time, including trends, outcomes, and risk reduction
Show improvements in your ability to respond to and recover from an attack, with examples such as reduced dwell time for threats like phishing or malware.
Read the full report for enterprise CISOs’ perspectives, examples, meaningful metrics and a range of strategies to prepare CISOs for the challenging questions from the boardroom. Look out for part 3 of this series, which focuses in more detail on peer comparison.