Security leaders wanting to improve cybersecurity adoption should employ practical security metrics and relatable business language that executive decision-makers can understand.
In Learning Security Metrics, available on LinkedIn Learning, Caroline Wong, Chief Strategy Officer of Cobalt.io, recommends changing how we talk about security.
Drawing on her 14-year career in the infosec space, including authoring two cybersecurity books, Caroline presents three challenges and a straightforward way to build a business case for investing in cybersecurity.
Here at Integris, continuous learning is a big part of our culture. Our leadership encourages the team to take advantage of all LinkedIn Learning has to offer. So far, it’s been well worth my time. I’ve been in the MSP industry since 2003, and it only took her 45 minutes to teach me a few new tricks. I can’t wait to share them with in-house security teams and the C-level stakeholders who approve security budgets.
Cybersecurity Adoption Challenge #1
Using the term “best practices” doesn’t instantly increase cybersecurity adoption because many stakeholders are unfamiliar with security best practices.
While tying best practices to their related compliance frameworks is intuitive, practical, and advisable, in-house IT, MSP vCISOs, and vCIOs should focus on objectives and results.
When security advocates lead with their understanding of how the business works, they build a convincing case to demonstrate how adopting a security program will reduce the company’s risk.
Here’s a hypothetical vCISO recommendation to a C-Suite sales leader: “Since 80% of our sales team opens ethical phishing emails, we need to implement cybersecurity awareness training immediately. Otherwise, we could get hit with ransomware, locking most of the salesforce out of the quoting tools on the network, and destroying our Q1 revenue targets.”
Cybersecurity Adoption Challenge #2
There’s no evidence to fuel cybersecurity adoption if executives don’t know what IT or your MSP is doing to protect enterprise value.
Relevant stakeholders want security professionals to share more information more often. While in-house security teams and MSP engineers may be actively monitoring, managing, and securing your IT systems and users, effectively communicating the value of these activities requires a different skill set.
The expression “success is defined by a series of non-events” does not apply here.
Caroline notes, “If you’re doing the best work in the world, but no one knows about it, that won’t help you and your team get the necessary budget you need next year to keep funding your activity.”
While Integris is not officially endorsing this particular cybersecurity incident management report sample template, we recommend creating a reporting process and format to document program success.
Cybersecurity Adoption Challenge #3
To increase security adoption, vCIOs and vCISOs need to strike a healthy balance between total secrecy and transparency.
Save total secrecy for the Freemasons and selectively share details illuminating how security contributes to mission fulfillment.
Caroline recommends, “Share information early and often and ideally in the context of how the security team’s work is positively impacting the company’s risk posture. Put another way, how is a security team protecting the value created by the organization?”
A CFO and other asset owners appreciate concise information aligned with a clear business rationale:
- “We employ a layered cybersecurity solution including Password Management, Multifactor Authentication, Single Sign-On, Managed Detection Response, Cyber Security Awareness Training, multi-cloud network access, and SOC 2 Type II cloud applications, with redundant Backup and Disaster recovery at geographically diverse data centers.”
- “This set-up keeps our chip manufacturing production uptime at 99.999% regardless of cybercrime, floods, fires, and other acts of God.”
Improve Security Adoption with Two Security Metrics
Improve security adoption with a two-part scoring system. The first is a ratio of internal versus external incidents detected. The second is a security version of the popular Net Promoter Score.
Internal Versus External Incidents Detected
Security incidents are so common these days that none of us can keep up with the news headlines.
For this reason, your internal security team or MSP should focus on incidents they detected versus incidents reported by a client or third party.
If a vendor always tells you they’re getting spoofed phishing emails from your domain, your security controls aren’t working well. It’s also embarrassing. The goal is to increase the detection of internal incidents relative to outside incidents.
To produce this metric (and show your security program is worth it), divide the number of incidents detected internally by the number of incidents detected externally. Then set goals based on the maturity level of your security program.
Security Net Promoter Scores
Executives understand Net Promoter Scores (NPS) because these metrics are widely used in sales and marketing.
For example, I recently bought a new watch from Shinola. Shortly thereafter, I received an email survey asking: On a scale from 1-10, how likely are you to recommend Shinola to a friend or colleague?
Here’s how the scoring works:
- A 9 or 10 means you’re a promoter.
- A 7 or 8 is a passive score. (Kind of blah.)
- A 6 or lower signifies you’re a detractor.
Caroline Wong’s employer, Cobalt, uses four NPS surveys. Three are conventional (customers, employees, and pen testers), while the fourth asks employees for a score on the following ten statements:
- I understand the digital threats that I am likely to face while working for Cobalt.
- I am confident that I can identify a phishing message.
- I know what to do if I suspect a potential security incident is occurring.
- I am confident in explaining what pen testing is and why it is important.
- I am confident in discussing technical security topics with my coworkers.
- I am confident in discussing technical security topics with customers.
- Security is important to Cobalt’s current and future success.
- Cobalt is at an appropriate level of security maturity at this stage of our business.
- I feel confident that the Security team will support me in my security-related day-to-day job responsibilities.
- I am confident that the Security team is focused on the right initiatives at the right time.
Combining the Incident Ratio with Security NPS
This hypothetical sentence from a CIO bragging about the benefits of working with a vCIO captures the magic of using incident ratio numbers and a security NPS.
- In Q1 of 2022, our internal incident/external incident detection ratio was 5/20, and our security NPS score was 6.
- In Q2 of 2022, our internal incident/external incident detection ratio was 10/2, and our security NPS score was 9.
- We attribute the improvements to implementing Multifactor Authentication, Managed Detection Response, and Cybersecurity Awareness Training.
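As an added example (not code from the post, from Cobalt or from Integris), here is a small Python scorer for the two metrics above: it buckets answers exactly as the post describes, aggregates them with the standard NPS formula (percent promoters minus percent detractors, which the post does not spell out, so the figures it produces run from -100 to 100 rather than 1 to 10), and computes the detection ratio, treating a quarter with no externally reported incidents as its own state rather than a division by zero. The survey statements and answers are constructed sample data.

```python
"""Added example, not from the Integris post or Cobalt: scores the post's two
metrics for one quarter, a security NPS and the incident detection ratio."""
from typing import Dict, List, Optional

def classify(score: int) -> str:
    """Bucket one 1-10 answer as the post describes: 9-10 promoter, 7-8 passive, else detractor."""
    if not 1 <= score <= 10:
        raise ValueError(f"score out of range: {score}")
    return "promoter" if score >= 9 else "passive" if score >= 7 else "detractor"

def nps(scores: List[int]) -> int:
    """Standard NPS aggregation (assumed; the post gives only the buckets):
    percent promoters minus percent detractors, an integer in -100..100."""
    if not scores:
        raise ValueError("no responses")
    promoters = sum(classify(s) == "promoter" for s in scores)
    detractors = sum(classify(s) == "detractor" for s in scores)
    return round(100 * (promoters - detractors) / len(scores))

def security_nps(survey: Dict[str, List[int]]) -> Dict[str, int]:
    """NPS per survey statement plus an 'overall' figure over all answers pooled,
    so the weakest statement shows where awareness training effort should go."""
    result = {stmt: nps(scores) for stmt, scores in survey.items()}
    result["overall"] = nps([s for scores in survey.values() for s in scores])
    return result

def detection_ratio(internal: int, external: int) -> Optional[float]:
    """Incidents your own team found divided by incidents reported from outside.
    None when nothing came from outside: report that as its own state rather
    than dividing by zero or inventing an infinite ratio."""
    if internal < 0 or external < 0:
        raise ValueError("counts must be non-negative")
    return None if external == 0 else internal / external

def quarterly_summary(quarter: str, internal: int, external: int,
                      survey: Dict[str, List[int]]) -> str:
    # One line an executive can read, naming the statement that needs attention.
    ratio = detection_ratio(internal, external)
    ratio_text = "n/a, none reported externally" if ratio is None else f"{ratio:.2f}"
    scores = security_nps(survey)
    weakest = min(survey, key=lambda k: scores[k])
    return (f"{quarter}: detection ratio {internal}/{external} ({ratio_text}); "
            f"security NPS {scores['overall']}; weakest statement: {weakest} ({scores[weakest]})")

# Constructed sample: ten employees answering two of the ten survey statements.
Q1_SURVEY = {
    "can identify phishing": [4, 5, 6, 7, 8, 6, 9, 5, 7, 10],
    "know what to do in an incident": [6, 6, 5, 7, 4, 6, 8, 5, 7, 6],
}

if __name__ == "__main__":
    print(quarterly_summary("Q1 2022", 5, 20, Q1_SURVEY))
```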
Strengthening Your Cybersecurity Program with Relatable Metrics
To strengthen cybersecurity adoption in your organization:
- Focus on objectives and results.
- Document program success.
- Share early and often.
- Use relatable metrics.
Do you have a formal Service Level Agreement (SLA) for discovering security vulnerabilities?
SLAs are less common with in-house IT departments unless they work with an MSP.
Schedule a free consultation if you have any questions about improving cybersecurity with security metrics.