CISO Guide: How to sum up your work for your CIO

In this latest article from the ‘CISO's guide to’ series, we show CISOs how to sum up a year’s worth of activities for their CIO.

"Start with a fresh page. Take up one hole more in the belt buckle if necessary (or let down one, according to circumstances). But on the first day of January let every man gird himself once more, with his face to the front, and take no interest in the things that were and are past."  — Henry Ward Beacher.

Wise words indeed for a new year. But we’re not quite there yet.

At this time of year companies up and down the country are preparing the annual report and accounts and inevitably it's time for the CISO to take stock of the year that was. Especially if your CIO (or CFO or CRO) is asking for your account of the past year.

So what markers of progress will you be scribbling down when looking back over the last 12 months? And how will your scorecard be graded?

What not to write

What we want is a business engaged and eyebrows raised. So let me start by stating what I would not report to my senior manager:

• Numbers that have no heft: Many a worthy-looking line-graph or pie-chart can be built from numbers like training completion rates, phishing click-throughs or reported number of incidents. But peel away the ‘on-brand’ graphics and is there still meaning there? Does training completed equate to behaviour changed? Does a reduction in click-through rates matter when it only takes one click for a compromise? And do more incidents reported make for more actionable intelligence or more time-consuming data-wading for your team? In short, do they pass the ‘so what?’ test?

• Security standard stand-ups: You’ve nailed NIST, implemented ISO 27000 and conquered COBIT 5. These are undoubtedly achievements worth flaunting by every CISO and are fantastic way-markers on your journey towards cybersecurity maturity. But what does standards adherence matter if you can’t show effectiveness? Can you express what compliance means in hard cash terms?

• Too much tech-control snazz: Whether it’s deploying an AI-enhanced DLP tool, weaving cloud access security brokers into access management, or taking zero-trust approaches to server workloads, 2018 has seen no shortage of snazzy technological solutions to ease the CISO’s burden. If you’re successfully sharpening that cutting edge, why not shout about it? The problem is, no matter how powerfully relevant these solutions are, will they be understood by those outside the tech-literate bubble? Perhaps this is where you need to keep the ‘gee-whizz’ to your team and concentrate on what how this matters to the business.

Make it business-relevant

OK, so that’s a slew of red lines drawn through some reporting staples. Now, how are you going to make sure that your end-of-year report isn’t scrunched up and heading for the recycling bin?

By placing the focus on what really matters – how much progress you as a CISO have made in 2018, in business-relevant terms:

• Numbers that matter: If you’re going to report on your colleagues’ behaviour, try digging a little deeper to get more meaning into those metrics.

• Talk of the town: Culture change comes not through compliance, but through conversation – when people in your organisation talk about information security, they own rather than disown it.

• So, tell the story of that conversation in your report. How many times has infosec been on the board’s agenda? What questions have they asked that have helped to sharpen your focus on delivering business value? Which business functions have been engaging with you as solution partners rather than a place to pass the buck to?

• Pivot to the problem: Getting to the nub of issue for the business is critical, if your report is to be read beyond the usual suspects. And in 2018, the fundamental business value that changed for the CISO was not avoidance of a breach, but resilience to it. We’ve shifted from ‘if’ to ‘when’ and must show proficiency at managing the impacts.

• That means reporting progress on critical aspects of incident management is vital – such as time from alert to triage, or time to notification for the kinds of incidents that set off the regulatory alarm bells at the ICO’s office. Include your full-spectrum simulation exercises in those numbers, too. After all, practice makes perfect.

• And don’t forget the value of your ‘human firewall’, the first responders whose early reporting is so vital to hack back dwell time. Demonstrating that staff responses are measured and understood, whether via ethical phishing or

survey

benchmarking, is a crucial part of reporting on your organisation’s

resilience – or fragility.

The return on investment

In the end, I think what’s important to remember when reporting ‘up the line’ is return on investment and, crucially, that RoI is specific to your organisation.

Concentrate on what matters to your business. And never forget that dollar-driven metrics are what turns on senior management.