CISOs face the continuing challenge of how to clearly communicate information security risk to the board and senior management. But now they can take advantage of a free metrics framework designed to help evaluate an organization's cybersecurity readiness.
UK-based ClubCISO, an independent forum for security leaders, developed the framework through its Metrics Project, and now hopes to gain feedback as it's put to use globally, says Phil Cracknell, the group's founder.
CISOs' ongoing use of homegrown metrics or standards, such as the ISO/IEC 27004, often comes up short when it comes to explaining cybersecurity in terms that senior management and the board can understand, Cracknell says in an interview with Information Security Media Group.
"Most CISOs by their nature want to demonstrate that they are effective. But they can't do that in the absence of incidents," he says. "So in the meantime they are trying to demonstrate that the defenses that they have put in place are working. And the only way to show that is through some kind of report or metric."
CISOs often scramble to generate these reports because management wants some kind of performance indicator for security. For instance, CISOs spend days producing reports, such as the number of virus attacks per month, that take effort but are of no interest to the board from a business perspective, he says.
So a group of CISOs at ClubCISO has been working on the group's metrics project for nearly two years. The CISOs developed a standard set of metrics geared toward measuring parameters that matter to the practitioner. Practitioners can use the tool to score their organization's cybersecurity and give management a clear assessment of security effectiveness in the organization, in terms that resonate with them best.
Earlier attempts to develop similar metrics frameworks have involved too much interference from groups with vested interests, such as vendors, analysts and consultancies, Cracknell contends. "While practitioners just want these units of measurement to make their jobs easier, the involvement of other parties pursuing their own interests usually steers these discussions in a different direction," he says.
Another challenge has been the way in which practitioners have tried to communicate with business. Attempting to educate board members about technology and security is the wrong approach for a CISO to take, he believes. "You need to simplify what you are saying to them down to a language that resonates with them, not educate them - because boards already have too much to do," Cracknell says.
In this exclusive interview, Cracknell discusses the challenges CISOs face in measuring the effectiveness of security and how ClubCISO's Metrics Project can help. He addresses:
Mistakes CISOs are making when using information security metrics;
How to speak in a language that gets management's attention;
The results of ClubCISO's Metrics Project.

Cracknell, founder and facilitator at ClubCISO, has worked in information security for more than 25 years, including serving as CISO at Yell, TNT Express and Nomura International. Now an independent security consultant, he provides "virtual part-time CISO" services to several businesses, including Company85, where he heads up the security and privacy practice.