Posted by Kevin on June 10, 2015.
Business and Security are two separate breeds, divided by motivations, methods and above all, language. But while Business does not need Security to do its job, Security cannot function without Business support. For this reason alone, it is Security that must master the foreign language.
An essential part of a CISO’s job is to explain security risk to Business in order to be granted the resources to mitigate that risk. The difficulty is that Business doesn’t want to hear the message. Its view of risk is that spending x will return y. Security’s view of risk is that in not spending x it will cost y. It’s a message that Business doesn’t want to hear, and it is not unknown for a failure to translate Security-speak into Business-speak to cost the messenger’s head.
There is, however, one dialect that transcends both languages – graphics; and especially those graphics that can be tied back to one of Business’ favourite tools – the spreadsheet. Business might not want to understand the raw data that underlies security risk; but it can understand the graphics that are built upon it.
One underused graphical use of spreadsheets is the matrix. One example comes from Verizon’s 2014 Data Breach Investigations Report.
In reality this is not a good graphic. It is too complex, and it’s difficult to work out what it’s trying to tell us. It appears that ‘boundary defense’ (just below halfway down) is perhaps the most implicated security failing in data breaches across the widest number of industries. But that’s not going to surprise anyone and it adds nothing to our knowledge. Nevertheless, the principle of the graphical matrix is clear – and that principle is good.
This one is a company specific security analysis matrix produced by a CISO in Wisegate (and shared with other members). It can’t be shown in any detail, obviously, but the blurred image on the right will give the gist.
The CISO who developed this matrix had been asked by his CEO to explain why Security needs so many products, and the CISO had sought some way to demonstrate security simply, visually and with immediate impact. He chose the matrix. He listed attack vectors as the vertical matrix (with the most dangerous at the top), and security products and processes as the horizontal axis.
At every intersection of threat and product he provided a score based on: designed to stop this threat; has some effect on preventing this threat; has no effect on preventing this threat. The colours use that score in the traditional red (warning, little effect), amber (OK, but could be better); and green (pretty good).
Two things immediately and visually leap from this graphic: predominantly green rows show that protection against those threats is strong; predominantly red rows mean that you have little overall defense against that particular threat. Similarly, green columns indicate an effective product or process, while red columns indicate that this product is perhaps past its sell-by date.
The point, as the CISO said, was not to provide answers or solutions, but to engage Business in conversation. He found that the presence of red rows immediately drew Business into asking questions about the nature of the threat and the risk it posed. Once that interest is engaged, the CISO ceases to be the harbinger of bad news, and becomes an equal partner discussing problems and solutions.
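As an added example (not from the post, and not the CISO’s own spreadsheet), here is a small Python version of the matrix with constructed threats, controls and scores. It computes the row and column readings described above and adds one caveat a practitioner would want: a control that is the designed answer to a single threat scores low on a plain column average without being past its sell-by date, so it is not flagged.

```python
# Added illustration, not code from the original post. Threat names, control
# names and scores are constructed for the example, not taken from any company.
# Score at each intersection, as the CISO defined it.
DESIGNED, SOME_EFFECT, NO_EFFECT = 2, 1, 0   # designed to stop / some effect / no effect
# Rows: attack vectors, most dangerous first. Columns: products and processes.
THREATS = ["phishing", "ransomware", "insider data theft", "web app exploitation"]
CONTROLS = ["email gateway", "endpoint AV", "DLP", "WAF", "awareness training", "legacy IDS"]

# Constructed sample scores; each row lists one score per control in CONTROLS order.
SCORES = {
    "phishing":             [2, 1, 0, 0, 2, 0],
    "ransomware":           [1, 2, 0, 0, 1, 1],
    "insider data theft":   [0, 0, 2, 0, 1, 0],
    "web app exploitation": [0, 0, 0, 2, 0, 1],
}

def rag(score):
    """Traditional colouring: green = designed, amber = some effect, red = no effect."""
    return {DESIGNED: "green", SOME_EFFECT: "amber", NO_EFFECT: "red"}[score]

def row_coverage(threat):
    """Share of the maximum possible protection a threat gets across all controls."""
    row = SCORES[threat]
    return sum(row) / (DESIGNED * len(row))

def column_effectiveness(control):
    """Share of the maximum possible effect a control has across all threats."""
    col = CONTROLS.index(control)
    return sum(SCORES[t][col] for t in THREATS) / (DESIGNED * len(THREATS))

def weak_threats(threshold=0.34):
    """Predominantly red rows: threats with little overall defence."""
    return [t for t in THREATS if row_coverage(t) < threshold]

def questionable_controls(threshold=0.34):
    """Predominantly red columns, excluding any control that is the designed answer
    to at least one listed threat (a narrow WAF is not past its sell-by date)."""
    return [c for c in CONTROLS
            if DESIGNED not in [SCORES[t][CONTROLS.index(c)] for t in THREATS]
            and column_effectiveness(c) < threshold]

def render():
    """Print the matrix as colour words, to eyeball it the way Business reads the sheet."""
    width = max(len(t) for t in THREATS)
    for t in THREATS:
        print(f"{t:<{width}}  " + "  ".join(f"{rag(s):<5}" for s in SCORES[t]))

if __name__ == "__main__":
    render()
    print("weak threats:", weak_threats(), "questionable controls:", questionable_controls())
```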
Overall, two things are worth considering. Firstly, the principle behind this matrix is very simple and very subjective: it’s just threat vs. defence as you see it in your company. You can keep it simple or introduce as much sophistication as suits your purpose. Secondly – you don’t need to limit the principle to this subject. You could use the same principle to determine which Security Framework best suits your own organization, to measure spend against policies, to plan security staff training based on strengths and weaknesses in different areas – in fact, the use of graphical matrices is limited only by your own imagination.
But the important point is that it provides an easy bridge between Security-speak and Business-speak – and it could be the device that helps you keep your head.
Insights is a unique commentary inspired by and drawn from the peer-to-peer conversations of some of the most senior CISOs and CIOs in the world. All are members of the gated Wisegate community where they meet virtually to discuss issues and problems in information security.