All too often security professionals find themselves in a situation where others in the enterprise question what business value cybersecurity ultimately brings to their organization. We’ve never been hacked, they think. We’re certainly not an interesting target for criminals or nation states so why are we spending so much of our budget on security? But when something does go wrong and there is a data breach in the organization, it’s the security team that is, more often than not, blamed.
In a recent conversation, this is what Darran Rolls, SailPoint's chief technology officer and chief information security officer, described as what is, for some, the unwinnable war. We discuss this precarious predicament in which too many security professionals find themselves, as well as ways they can better communicate their value to other areas of the organization.
You mentioned that security professionals seem to be in a no-win situation. Can you elaborate?
For security professionals in many organizations, perhaps most, security is almost the unwinnable war. When nothing goes wrong (what, no data breach?) people question your value, but when there is an issue, people immediately question what you did wrong to allow that to happen.
Successful prevention inherently goes unnoticed and doesn’t get the recognition it deserves. This is why so many security professionals tend to rely on fear, uncertainty, and doubt to sell their programs.
In organizations where successful prevention goes unnoticed, how do CISOs better communicate their value?
In addition to the increased security aspects of the cybersecurity program, they also need to communicate the operational efficiency that can be directly associated with security and compliance. The operational efficiency that security can bring to an organization is straightforward enough for business executives to understand. Security-related operational efficiency is easily gained with identity governance and the process of ensuring the right people get the right access at the right time. Provisioning and account lifecycle management help drive increased automation and self-service, which means the right people get the right stuff faster. Helping the business to better understand how security delivers operational efficiency is key to a successful identity management program.
This applies to regulatory and policy compliance efforts, too. Compliance is a mandatory business requirement that so often does not drive recognizable business value. Our job is to change that and to find ways to enhance business agility whilst delivering sustainable controls and governance.
Being able to quantify security value seems challenging, and I think this is one of the reasons why so many rely on fear, uncertainty, and doubt (FUD).
It is, but the business today doesn’t want or need FUD. There’s enough uncertainty in the world today as it is. The focus needs to move towards managed risk and quantifiable business outcome. Sadly, so many of us have to fall back to the FUD train in order to have the business prioritize security over some other business driver or product feature that is more directly attached to revenue.
Of course, it’s not easy to quantify the cost of being insecure because it’s challenging to quantify the cost of a breach. If you look at the breach insurance industry, which materialized about 2 or 3 years ago, even their actuaries have a hard time really quantifying security in meaningful business terms. It’s one of the reasons why it’s so hard to sell security spending to management. So rather than focus on FUD, focus on operational efficiencies and overall system lifecycle benefits, as well as breach-related cost avoidance.
Do you think there is over-exposure to cybersecurity today and does that create a situation where enterprises reach security fatigue?
At a board level, cybersecurity is still not a mandate for far too many companies. Yes, with so many data breaches in the news, it's no wonder there's a little "breach fatigue" out there. After all, prevention is certainly ideal, but organizations have to invest in detection and response too. Because data breach inevitability is clear to everyone, it will be those organizations that prove their ability to detect and respond appropriately to a given vulnerability that will be viewed in the most positive light. And so, while the security war may not be winnable – or maybe never-ending, it certainly can be made more valuable and manageable. Through careful alignment of prevention, detection and mitigation strategies with measurable and tangible business values, we're at least driving the conversation in the right direction.