Last Updated: 19th May, 2020
Security First Business Priority: Security teams are struggling to stand out, as organizations are increasingly inundated with requests for resources from every department that wants to improve its business processes. At times unable to articulate their needs efficiently, or how they contribute to the company's collective good, security teams can lose out to their organizational peers.
As most cybersecurity professionals find, management typically isn't able to see a direct connection between business performance standards and security results until the worst happens: a data breach. Consider the incidents of recent years. Most could have been avoided if the correct protocols, tools and practices had been in place.
Without funding, and ultimately acknowledgement, from the executive level, more data breaches are inevitable. However, there are four major talking points IT teams can use to make the case before it is too late: the outcomes, value, effectiveness and efficiency of a successful security first business program.
The Four Security First Business Priority Strategies
Security First Strategy 1: Outcomes
Before teams begin to seek investment, they need a common language for what the business needs. An outcome is a plainly worded statement of intent, supported by a metric, that includes any relevant qualifiers.
An example outcome statement for an early-maturity security first business program might be: "Minimize the number of workers and business operations affected by a threat such as ransomware in the event of a breach." The goal is clear, the metric is clear and there is an example threat.
Outcomes are the foundation on which you build value, effectiveness and efficiency. They are the bridge across the gap between the business and the security first business program.
Security First Strategy 2: Value
The business value that security brings to the organization is risk and impact reduction. The security first business program exists to reduce the risk that a threat will disrupt business operations and limit the impact of a breach when it occurs.
The first point to make is the detrimental impact a cyber incident could have on the organization, especially on the reliability and availability of daily business operations. This establishes the initial risk score.
The second point to make is the impact of unmitigated cyber breaches. Analyze recent examples of data breaches at similar companies and discuss the financial and reputational effects they had. It is important to illustrate precisely how much the lack of financial or technical resources, or even staff, dedicated to security can hurt the business. This establishes the level of impact the business is willing to accept.
From there, provide visibility into how specific security practices and technologies can reduce risk and limit impact. For example, investing in email threat prevention technology will reduce the risk of falling victim to credential theft, unauthorized financial transactions and industrial espionage.
Investing in endpoint detection and response technology, a trained SOC and incident responders will reduce the impact of those same threats.
Value doesn't stop at the investment. Business partners will want to see the return on their investment, and they will look for metrics that demonstrate effectiveness and efficiency in attaining the risk and impact reduction you promised.
Security First Strategy 3: Effectiveness
To address the effectiveness of an investment, it's crucial to establish an agreed-upon outcome for it. Consider it a contract, and make it specific. In conversations with customers and partners, the number one outcome companies want from a security first business program is to minimize the likelihood of threats going undetected and of the environment being breached.
To minimize the likelihood of threats going undetected, best practice is to apply layers of preventative controls, threat prevention and detection technology, and skilled staff. Initial metrics can report on achieving each of those steps.
To further demonstrate the effectiveness of these layers, consider using the MITRE ATT&CK framework to show how many attacker tactics and techniques the layers can detect.
To minimize the likelihood of the environment being breached, best practice indicates user education and a threat hunting program as effective solutions. The effectiveness of user education can be measured through training completion rates and failure rates in testing (such as spear-phishing simulations).
A threat hunting program can be measured by the number of completed threat hunts, the number of new threat hunts and other significant findings.
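As an added example (not code from the original article), the ATT&CK coverage metric described above, computed in Python over a constructed detection-rule inventory and a constructed excerpt of the ATT&CK matrix. The rule names, the technique excerpt and its tactic assignments are sample data; a real program would load the full matrix from MITRE's published ATT&CK data.

```python
from collections import defaultdict

# Constructed excerpt of the ATT&CK enterprise matrix: technique ID -> (name, tactics).
# Sample data only; load the published ATT&CK data set in a real programme.
ATTACK_TECHNIQUES = {
    "T1566": ("Phishing", {"initial-access"}),
    "T1078": ("Valid Accounts", {"initial-access", "persistence",
                                 "privilege-escalation", "defense-evasion"}),
    "T1059": ("Command and Scripting Interpreter", {"execution"}),
    "T1003": ("OS Credential Dumping", {"credential-access"}),
    "T1021": ("Remote Services", {"lateral-movement"}),
    "T1486": ("Data Encrypted for Impact", {"impact"}),
}

# Constructed detection inventory: each rule lists the technique IDs it can detect.
DETECTION_RULES = [
    {"name": "mail gateway: credential phishing block", "techniques": ["T1566"]},
    {"name": "EDR: lsass memory access", "techniques": ["T1003"]},
    {"name": "SIEM: mass file rename by one process", "techniques": ["T1486"]},
    {"name": "EDR: encoded PowerShell launch", "techniques": ["T1059"]},
]


def coverage_report(techniques, rules):
    """Return technique coverage, per-tactic coverage and tactics with no detection."""
    claimed = {t for r in rules for t in r["techniques"]}
    covered = {t for t in claimed if t in techniques}
    unknown = claimed - covered  # rules mapped to IDs outside the loaded matrix
    per_tactic = defaultdict(lambda: {"total": 0, "covered": 0})
    for tid, (_, tactics) in techniques.items():
        for tactic in tactics:
            per_tactic[tactic]["total"] += 1
            if tid in covered:
                per_tactic[tactic]["covered"] += 1
    gaps = sorted(t for t, c in per_tactic.items() if c["covered"] == 0)
    return {
        "technique_coverage": len(covered) / len(techniques),
        "per_tactic": dict(per_tactic),
        "tactics_without_detection": gaps,
        "unmapped_rule_techniques": sorted(unknown),
    }


if __name__ == "__main__":
    report = coverage_report(ATTACK_TECHNIQUES, DETECTION_RULES)
    print(f"techniques covered: {report['technique_coverage']:.0%}")
    for tactic, counts in sorted(report["per_tactic"].items()):
        print(f"  {tactic:22s} {counts['covered']}/{counts['total']}")
    print("tactics with no detection:", ", ".join(report["tactics_without_detection"]))
```

The "tactics with no detection" list is the part worth putting in front of leadership: it turns the coverage percentage into a concrete gap that the next investment request can be tied to.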
Security First Strategy 4: Efficiency
Once value and effectiveness against the business outcomes have been established, the next metric is efficiency. It is intentionally placed last for good reason: security teams cannot mature what they don't have. Establishing the controls and measuring their effectiveness against the threats targeting the organization will always be mission number one.
Efficiency is about the cost and time saved in delivering on the outcomes. The greatest cost of any security first business program is its people, so time to complete a process can serve as the sole measure. The measurements here are in line with other standard business efficiency reporting: a process has steps, each step is timed and recorded, and once all the steps are complete and the outcome achieved, the sum of the step times is your efficiency metric for that outcome.
At some point, requests for staffing will be denied. That is the time to review your processes and efficiency metric to determine whether there is room for automation, a much smaller investment, to free up time for present staff.
It's no secret that communicating the importance of security initiatives is a daunting challenge for professionals across the industry. When working with leadership that is constantly torn over where and how to invest resources, it's essential that security teams provide clear insight into cyber concerns at similar organizations, the threats posed to their own, and how their department is helping to keep the business up and running.
By communicating the outcomes, value, effectiveness and efficiency of their contributions, teams increase their chances of proving their worth, making security a business priority and implementing a successful program.