Furthermore, it would be riskier to entrust on one’s dashboards without having the reassurance offered by the indicators’ relevance and reliability. This can lead to serious loss, or even to some major incidents. The crash of the Eastern Airlines 401 in 1972 is a striking example: a simple burnt-out light bulb, that was used to indicate the correct deployment of the landing gear, mobilized the entire crew, who were unable to notice in time the alarm that indicated the plane’s drastic decrease in altitude. The plane crashed a few minutes later.

How to reconsider your indicator’s base to make your dashboards more efficient and reliable?

What are dashboards, KRI, KCI?

The dashboard is a synthetic presentation tool. Highlights the key trends used to facilitate decision making. It is a federating tool used to improve governance efficiency and is designed for everyone (not only for the CISO). Therefore, we refer to dashboards in plural. Each instance is defined by a unique perimeter, where there are specified: the recipients and their stakes, the review frequency, the associated governance, the indicators, the calculating methods used and the source, etc.

Constructing a well-defined dashboard will correctly address the business stakes of the dashboards’ users. A three-level segmentation summarizes all the requirements in an organization:

Figure 1: Typologies of cyber dashboards: uses and objectives

An indicator is a measurement that is collected, contextualized, and used to facilitate decision-making. It is implemented to answer a well-identified need by one or more departments. Depending on the purpose of the measurement, three types of indicators can be defined:

1. KPI (Key Performance Indicator): measures the performance of a department, a team, or a strategic plan. They are linked to strategic objectives to measure the effectiveness (e.g., retention of cyber talent over the year).
2. KRI (Key Risk Indicator): assesses an identified risk, quantifying its likelihood and/or impact at a given time. They are essential for accepting or rejecting a risk, and for controlling it over time (e.g., number of compromised business identifiers – account takeover).
3. KCI (Key Compliance Indicator): measures a compliance rate in relation to a standard (PSSI, NIST, etc.). It evaluates an organization’s maturity regarding to the given standard at a specific time (e.g., % of policies updated within the last year).

How to make a dashboard efficient?

An efficient dashboard will convey self-supporting messages to the recipients. To build it, one must meticulously construct reliable and high-performance indicators, as well as minimising their number. These are defined by making a compromise between:

• their relevance (processing purpose, i.e., the ability to trigger a discussion);
• their computational cost (collection time, interpretation time);
• their maintainability over time (sustainability of data sources).

Let us take an example to evaluate the effectiveness of the “security-by-design” measures, where, in this case, a relevant indicator could be: “rate of validation of the security report at the first iteration by project scope and criticality”. First, it is operationally viable (approval process provides simple data for interpretation (binary values)). It is relevant (responding to a clearly identified issue), can be easily calculated if the processes are well set up (characteristic depending on the quality of the feedback information) and it is sustainable (the approval process guarantees reliable data over time).

A deficient indicator base can neglect one of the three criteria. This can be seen in the following field: one can often observe clusters of indicators, that are inherited by tradition without any real purpose or without responding to an outdated need; or indicators that require time-consuming gathering that creates frustration among teams. These discrepancies can be explained by a lack of long-term strategy and a lack of importance given to these indicators.

To rectify this, the existing system must be cleaned up and supplemented with performant indicators on a regular basis (methodology detailed in section 3.1) where the management of indicators itself is just as important as the other issues. Therefore, it must be monitored by a dedicated sponsor within the CISO’s governance team and by dedicated monitoring indicators (% of indicators defined with an approved calculation method, % of indicators that are fully automated, etc.). This central governance helps in finding compromises and minimising the number of indicators: about ten per perimeter/program is an order of magnitude that works well.

Increase team engagement to get more useable data?

It is not new: getting people to accept change and integrate new tools is always a tricky subject, especially for CISOs. The complexity of the environment, lack of dialogue between cyber teams and business lines, unsuitable tools, useless or unanalysed collected data, etc., represents numerous reasons that can explain a team’s lack of commitment. To address this, there are two principal areas to focus on:

1. Engage your employees in the indicator’s life cycle;
2. Facilitating the report of indicators with automation to minimize the workload.

Engage employees throughout the indicator’s life cycle

Team’s organizational complexity and local engagement are the first challenges that need to be addressed before deploying a dashboard: information gathering requires a dialogue between lines of business that are not used to work together (such as finance, IT risk management, strategy, program management, etc.). Involving your operational teams on a long-term basis is vital for a more reliable gathering and reporting process of indicators. More specifically, it allows you to:

• Define more realistic indicators, unlocking operational sticking points (unavailable data, communication problems, etc.);
• Define and develop operational needs more precisely: it is necessary to arise teams’ interest in the results of the project (i.e., ensure that their work has a tangible impact for them);
• Facilitate change management to get more reliable results overall, by understanding the purpose of the gathered indicators.

It is necessary to involve the employees from the beginning of the process, as well as maintaining the dynamic throughout the indicator’s operational maintenance. Transversal workshops should be organized throughout the process below, which will help in defining the indicators or generating questions.

Figure 2: Indicator life cycle and maintenance

Facilitate data gathering and reporting with automation and appropriate tools

While manual collection provides flexibility to experiment and test new indicators, (semi-)automated collection increases the team productivity and provides more reliable data.

It is not always profitable to automate everything, as it depends on the data nature, data volatility or data maintenance. One of the highlighted reasons can be because of the cost of automation (it takes a full year on average to automate gathering and reporting process). Therefore, scope of automation should be carefully determined.

To scale up and automate more indicators, the corporate data culture needs to be improved. To reduce the cost of automation, it is necessary to have organized, referenced, and standardised data. Four measures to achieve that are:

1. Define a corporate vision and objectives to control, reference and manage the data;
2. Define policies and rules supported by top management to regulate the use and standardisation of data;
3. Promote a data culture among business teams to reflect the way data is valued and used;
4. Equip ISS with tools to support the organization’s data policies and strategy (Master Data Management, Data catalogue, Data lineage, etc.).

To become data-driven, the blocking points does not require to be technological, but organizational, particularly in terms of skills and ability to accept changes.

As a result, automation makes data collection “more liveable” for employees and makes the indicator’s feedback more reliable over time.

Talking to your executives: the value of limiting the number of indicators

A well-constructed dashboard is an excellent way to address and involve the Executive Committee (COMEX), even though dashboards are under-exploited for their “marketing” side. In 2022, 25% of companies have never solicited their Executive Committee, and only 30% of the market involves them regularly.

The dashboard must be self-sufficient (i.e., must be understandable at first sight), able to carry impactful messages, since it is intended to be shared with as many people as possible. The Executive Committee solves problems, accepts, or rejects risks daily, monitors budgetary performance and operational efficiency, supervises of customer satisfaction and the company’s public image. To talk to the executive committee, the dashboard must bring out the necessary essentials required to respond specifically to the targeted issues. To do so, it is more useful to highlight specific methods and solutions rather than explaining in-depth, the causes of the technical problem (unless the need is clearly expressed).

The purpose of presenting to management the “ratio of cyber FTEs over IT FTEs per entity” or the “ratio of cyber budget over IT budget” (that can be two viable approaches) is to inform and make decisions on cybersecurity resources.

In short, the choice of indicators and their format must be adapted to the COMEX. To do so, they must:

• Be focused on potential business impacts;
• Be consistent over time to have a stable indicator base and facilitate appropriation and understanding;
• Have a self-supporting form to visualize the evolution of a trend and its deviation from the set target.

Conclusion

A dashboard is only a tool that should not be considered as an end itself. However, when properly configured and defined, it is certainly the best weapon for a CISO to make cyber governance more efficient.

To set up or update a dashboard, there are 4 success factors to remember:

1. Incremental: identifying sustainable indicators is difficult. Except for EXCOM dashboards, where an agile approach is necessary to integrate time for asking questions.
2. Inclusive: all teams must be involved to understand the purpose of gathered indicators (and the impact on their work). This will lead to increased reliability.
3. Scalable: the cyber ecosystem and its threats are growing exponentially. The designed dashboard needs to be flexible to consider the new risks that will arise (new KRI that needs to be implemented to the standard security base).
4. Simple: the purpose of a dashboard is to be shared. Therefore, it must be understandable at first sight. “Keep it simple” is necessary to simplify reading and accelerate appropriation.

Cet article Turn your dashboard into a real management asset against global cyber threats est apparu en premier sur RiskInsight.

For the past few years, companies have seen their cybersecurity budgets significantly increasing; according to the latest Gartner reports, they have increased by 51% since 2018. Chief Information Security Officers (CISOs) are now being asked to control cybersecurity costs and report to management as well as the regulator.  

However, this increase in corporate IT security budgets has not always been followed by prudent budgetary management in the past. Learning from that, companies are now launching initiatives to monitor and collect cybersecurity cost data to better understand their evolution and make better informed strategic decisions, improving security while optimizing resource allocation. However, setting up budget management is a complex process that must meet specific objectives.  

To what extent is the installation of a cybersecurity budget management system a key issue for the CISOs of large companies? – Our experience with our clients has proved that collecting cybersecurity budgets and implementing their management is often a valuable process and that reports resulting from such exercises are valuable governance tools. In this first section, we will examine the benefits of regular and industrialized cost collection and its true purposes.  

Effectively driving cybersecurity budgeting 

The final budget report is a strategically important governance tool key to achieving operational excellence and helps establish whether the company’s cybersecurity budget is being used effectively.  

Budgetary steering is also an integral component of budget management and allows us to verify that the investments are aligned with the main risks the company is facing. For example, a company might find that its investments in a NIST benchmark topic are particularly low. In addition, if audits show that the level of security is insufficient in this area, then the conclusion is clear: it is necessary to devote more resources to this area. Therefore, budget reports are one of the elements that better facilitate quantitative investment decision making. 

Example of a data visualization element from a budget report showing budgets by NIST activities. In this example, the chart highlights low investments in the “Identity and Access Management” area. If operational indicators show that the company’s maturity level is low, then it will be clear that the company has an incentive in making greater investments in this area.  

In addition, the Group level data is very useful to the group members when they are shared across the peer set. It offers them an internal benchmark that enables them to view their position relative to their peers. CISOs of the various corporate entities will therefore be able to exchange information directly with each other, share best cybersecurity practices and identify the best operational models implemented by their peers. 

Taking optimized decisions to achieve operation excellence 

Budget management helps identify opportunities for optimization at entity or group level in order improve cybersecurity effectiveness. 

The budget report is an asset for bettering the management of human resources dedicated to cybersecurity. For example, it makes it possible to estimate the ratio of internal labour resources to external resources and to make the necessary adjustments i.e., after reading the budget report, management could launch a labour internalization initiative if it realizes that the proportion of external staff is too high. It can also modify the geographical distribution of human resources in order to better meet the security requirements of corporate entities in different countries and to gauge the onshore/offshore distribution. 

Example of a data visualization element from a budget report showing the number of cybersecurity employees. In this example, the graph reveals a risk that the share of interns is too low to keep the expertise in-house. It might therefore be worthwhile to launch an insourcing plan.  

Consolidating the cybersecurity budget provides an opportunity to make savings, automate or mutualize activities. Budget management can then result in decisions to consolidate contracts as well as rationalize and/or automate processes in order to keep control of cybersecurity costs. 

Due diligence and externally conducted audit compliance 

When a company’s cyber budget is under scrutiny by regulatory authorities, it will be necessary to have a dedicated collection process to be able to provide a reliable breakdown of IT security costs.   Properly conducted budget collection will allow the creation of analytical data and deliverables that will serve as the basis for accurate and informed responses. For example, the European Central Bank has asked some banking organizations to present details of the human resources dedicated to IT security to monitor the preparedness of European banks for cybersecurity risks. 

Furthermore, a synthetic view facilitates communication with certainty on the state of budgets and expenses dedicated to security to any interested third party. For example, the American bank JP Morgan Chase explained in its April 2019 letter to shareholders that cybersecurity was one of its major concerns. The bank announced spending more than $600 million a year on IT security and employs 3,000 people in the area.  

Finally, knowing one’s budget is also important when purchasing cyber insurance, to prove the resources invested into cybersecurity. Furthermore, during a merger and acquisition, the resources invested in cybersecurity are often considered in the valuation of a corporate entity. 

Therefore, it seems particularly useful for large companies to have a process for collecting cybersecurity costs as it allows decision-makers to be aware of the amounts spent by the group on information systems security and to steer the strategy. However, the construction of a relevant budgetary report depends on the prior implementation of an extensive, methodical, and standardized data collection process.  The next part of this series will detail the framing and implementation of a budget steering process. 

Sources

[1] « Gartner Forecasts Worldwide Information Security Spending to Exceed $124 Billion in 2019 », august 2018, https://www.gartner.com/en/newsroom/press-releases/2018-08-15-gartner-forecasts-worldwide-information-security-spending-to-exceed-124-billion-in-2019

[1] « Cybersecurity spending trends for 2022: Investing in the future », december 2021, https://www.csoonline.com/article/3645091/cybersecurity-spending-trends-for-2022-investing-in-the-future.html

[2] « Cybersecurity for the financial sector », https://www.ecb.europa.eu/paym/pol/shared/pdf/qa_cybersecurity.pdf

[2] « Face au risque de cyberattaque, la BCE demande aux banques d’être prêtes», february 2022, https://www.latribune.fr/entreprises-finance/banques-finance/banque/face-au-risque-de-cyberattaque-la-bce-demande-aux-banques-d-etre-pretes-903841.html

[3] « CEO Letter to shareholders », august 2019, https://www.jpmorganchase.com/content/dam/jpmc/jpmorgan-chase-and-co/investor-relations/documents/ceo-letter-to-shareholders-2018.pdf

Cet article THE CHALLENGE OF ORGANIZING THE BUDGETARY MANAGEMENT OF CYBERSECURITY IN YOUR COMPANY est apparu en premier sur RiskInsight.