I once had a meeting with my CFO to talk about security. As you might expect my goal for the meeting was to start to get her buy-in on our security business case. Just a few minutes into the meeting she stopped me and said, “Frank, we get it. We know that cybersecurity is important.” I was beginning to feel that this meeting was going in the right direction. Then she said it. The dreaded “B” word.
She continued, “BUT, what we want to know is ‘Are we spending too much? Are we spending too little? How are we doing compared to our industry peers?’”
These are the questions that Boards and C-level executives are asking of their security leaders. How can you get ready to effectively answer these questions?
1) Choose a Framework
Select an industry recognized framework that will help you frame the work of your security program. Using a framework like the NIST Cybersecurity Framework helps simplify the complex world of security in a way that can be more easily consumed by business leaders.
2) Measure Your Maturity
It’s not enough to simply use a security framework. As you implement various controls make sure to baseline and measure maturity of your key security capabilities. That way you can show progress over time.
3) Benchmark Against Industry Peers
In an ideal world you might be tempted to achieve the “best” security possible. The reality though, as my CFO pointed out, is that the amount a business should invest is relative to its risk profile. As you improve your maturity identify how you are doing in relation to your industry peers as one point of comparison.
4) Set a Target
If you happen to be the on the high end of the maturity spectrum you may decide to compare yourself to another more mature industry as a stretch goal. Even if you stay within your industry for comparison purposes make sure to set a maturity goal for your security program that is based on a deep understanding of business risk.
5) Measure Your Effectiveness
Even with a framework, maturity model, benchmark, and goal in place there’s still one big question remaining. Are you utilizing your limited resources effectively? As you deploy, maintain, and operate your security program make sure you show that people, process, and technology are actually working as intended.
Don't let the dreaded “B” word derail your efforts. Do these five things and you just might be able to head off any objections at the pass.