In the 2013 Gartner CIO Agenda Report, over 2,000 CIOs were asked to rank their top technology priorities for 2013. Security was ranked at number 9 and, surprisingly, has remained static at this priority level for the past 5 annual surveys. Given that recent studies estimate that cyber-attacks are costing the U.S. economy $100 billion annually, why isn't security a higher priority for CIOs and how can security professionals change this? We know that these are top-of-mind questions for our customers and others in their shoes.
The results of the recent State of Risk-Based Security Management (RBSM) study conducted by the Ponemon Institute provide some insight: 64% of respondents said they either don't communicate security risks to senior executives or only communicate when a serious security risk is revealed. This lack of proactive communication means CIOs only hear about security when something bad has happened and don't hear about the work done to reduce risk over time. We often hear from security professionals that CIOs don't really understand security, but are we doing enough to help them understand? Clearly, security and the business need to start talking the same language and communicating regularly before they can create an effective partnership.
We asked Rapid7's own CIO, Jay Leader, for his perspective and some advice to give to security professionals facing this very issue. What are CIOs looking for in good security communications? How can security professionals get your continued confidence? And what's the best approach to getting your buy-in to new security investments? In two recent webcasts, Jay offered some honest advice about How to Skyrocket Security to the CIO's Top Priorities and How to Pitch Security Solutions to Your CIO. If you don't have time to catch the full webcasts, here's a summary of what he had to say:
How to connect security to business issues:
- Communicate ROI based on impact to the business, even if it's difficult to quantify with precision.
- Even if you could calculate how much a breach would cost, does the dollar amount really matter?
- Understand where our most valuable assets live - you need to understand our definition of valuable.
- Understand where our organization may be vulnerable, not where everyone else might be.
How to track and demonstrate security progress:
- Make it easy to see and understand what we're tracking - remember, I don't know what you know.
- Show me trending over time and not a status at a given moment to demonstrate progress.
- Be clear about what we're tracking towards - you can't measure progress without setting a target.
- One experiment is worth a thousand hypotheses.
How to get your CIO's continued confidence:
- "Trust me" is necessary but not sufficient to make me confident that we're doing the right things.
- Consistent reporting of the right things over a long time is the best measure of a solid program.
- Make commitments on performance targets, then own both the good and the not-so-good results.
- Transparency and humility are confidence-driving behaviors.