How do you measure your success? The board asked that question in my first CISO role. My metrics, up to that point, had been very tactical and cyber-specific. Blocking these ports, managing IAM programs, and building out the SOC are all good and necessary things to do. However, it is different from what a board and executive team understand. So, I had to develop an understanding and a process to measure what I do and what my team does. Here are the two areas that have been the most successfully measured for me. The emphasis is on proactive rather than reactive strategies.

Proactive Strategies:

- Metric: Time Taken to Detect Vulnerabilities. Example: Implement continuous monitoring and advanced threat intelligence systems to reduce the average time to detect vulnerabilities from 10 days to 2 days.
- Metric: Success Rate of Simulated Attack Drills. Example: Achieve a 95% success rate in simulated phishing attack drills within six months through regular training and awareness programs.
- Metric: Implementation of Advanced Threat Intelligence Systems. Example: Integrate a new threat intelligence platform that decreases false positives by 30% and provides real-time alerts to preemptively counter potential threats.

Integration of cybersecurity with business goals. Effective CISOs must demonstrate how their security strategies support business continuity, enhance customer trust, and contribute to the company's financial health.

Integration with Business Goals:

- Metric: Cost-Efficiency of Security Measures. Example: Implement a new firewall system that reduces annual security-related costs by 20%, demonstrating cost-efficiency and effective resource allocation.
- Metric: Impact on Customer Satisfaction. Example: Increase customer satisfaction scores by 15% through enhanced data protection measures and transparent communication about cybersecurity efforts.
- Metric: Return on Investment (ROI) for Security Technologies. Example: Show a 150% ROI on the newly deployed security infrastructure by reducing downtime and preventing data breaches, thus saving the company $2 million annually.

How do you measure, or how do you think security programs need to be measured?

Here are 3 things to consider this week:

1. Implement Continuous Monitoring: Adopt advanced threat intelligence systems to reduce the average time to detect vulnerabilities from 10 days to 2 days.
2. Enhance Simulated Attack Drills: Aim for a 95% success rate in simulated phishing attack drills within six months by conducting regular training and awareness programs.
3. Integrate Cybersecurity with Business Goals: Demonstrate cost-efficiency by implementing a new firewall system to reduce annual security costs by 20%, and enhance customer trust by improving satisfaction scores through better data protection measures.

What else would you add?

#CISO #Cybersecurity #CIO #CEO #Board John Felker Ronald N. Christopher Skinner Evie Manning
How to Align Application Security with Business Goals
Summary
Aligning application security with business goals involves creating strategies that protect digital assets while directly supporting a company's broader objectives, such as growth, customer trust, and operational efficiency.
- Understand business priorities: Learn how the company generates revenue and identify key processes and assets that are critical to its success.
- Develop measurable metrics: Set clear goals for security initiatives, such as reducing vulnerability detection time or improving customer satisfaction through enhanced data protection.
- Communicate in business terms: Present security plans and results in a way that highlights their impact on the company’s financial health, operations, and strategic objectives.
Some hard truths around being a CISO today. Over the past 20 years, I continue to witness two predominant paths across multiple industry segments (there are more, but these have been the most predominant).

Path 1: The Business Path. Leading authentically with a committed understanding of building, maintaining, and optimizing security in support of business services and/or products that support profitability and growth. Security in support of the business, in simple terms. This is not to be misunderstood as acquiescing to business needs for lesser security or lowering the security thresholds. It means to truly build a program that understands how the company makes money and to help implement a layered approach of controls that ensure the resiliency of the business.

Path 2: The Power Play. The other path is focused on self-preservation in the CISO-sphere of industry circles and appearing to implement security while simply setting up a smokescreen of dashboards and reports. Strategies described by a roster of security products are a tell-tale sign of these path takers. Many that embark down this road are wooed by marketing/sales ploys from cybersecurity companies that spin security tools as impenetrable solutions while not really considering today's desperate needs on security workflows, org-level threat models, a funneled approach to risk management, and centralized governance.

The CISO seat is a hot one. Ever-changing attack surfaces, emerging threat patterns, regulatory hurdles for product assurance, uncooperative internal audiences, becoming the instant scapegoat for any future breach ... the list is extensive and overwhelming. All of these things and more can easily work against maturing ANY security program or product suite, regardless of the path.

However, when it comes to picking a path, stick to Path 1 - the Business Path - as it will anchor your ability to architect the right processes needed in concert with the right solutions needed to make for sustainable growth and change. Path 1 most importantly increases the opportunity to truly build a sustainable #securityculture, whilst Path 2 merely creates a facade that is often discernible by internal customers of security groups. Choose wisely.

#ciso #cybersecurity #leadership #securityprograms #infosec
I was recently teaching a class in Washington DC. About halfway through the class a student, let's call him Anders, shared an interesting story. He said that all the security leaders at the large, global technology company where he works had a two-day offsite where every security leader was asked to present about their security team for 15 minutes. Anders said that every single presenter got crushed. Senior leadership picked apart every single presentation with a variety of questions. Every single person got hammered. All except one.

After the presentations Anders couldn't figure out why that one person did so well. He racked his brain but couldn't quite piece it together. This brings us back to Washington DC where Anders and I were now halfway through class. After sharing this story he said the tools and topics we had discussed so far helped highlight exactly what his colleague did right. In 15 minutes the presenter shared just three slides:

1. Business objectives
2. Crown jewels
3. Roadmap

He started with a clip of the CEO saying that security is a top priority and the reasons why. Then he discussed the most important assets and processes for the company and his specific business unit. Finally, he shared his team roadmap, noting there were a lot of details on the slide, but gave a high-level overview describing how these activities protected the crown jewels and aligned to business objectives.

CISOs and security leaders are under increased scrutiny and pressure, not only from internal leadership, but also from external requirements like the new SEC rules and NIS2 changes in Europe. There's also a need to keep up with new technologies like Generative AI (GenAI) and Large Language Models (LLMs) to understand what policies and procedures need to be put in place. It's exactly these topics that we cover in LDR514: Security Strategic Planning, Policy, and Leadership and the corresponding GSTRT certification.

Thanks to CSO Online for recently including the GSTRT certification in the list of five certifications that can boost a cybersecurity leader's career: https://lnkd.in/g84zVM3W

Also, if you want to get ready for your next 15-minute executive presentation and see what you should have in your plan, you can check out a free demo of the LDR514 class at sans.org/ldr514

#cyber #security #cybersecurity #ciso #cisolife SANS Security Leadership