
Is the security conversation getting lost in translation?

Using business language when discussing cyber security

Amanda Kamin at the UK’s Digital Catapult argues for the importance of speaking the language of business when discussing cyber security

 

Digital security teams and management often fail to communicate at board level, struggling to convert a technical conversation into one the business understands.

 

The security message gets lost in translation. This might stem from lack of awareness or credibility on either side; many in business have never been effectively shown the value of good security as part of the business model. Key performance indicators (KPIs) are the kind of quantifiable value indicators that businesses understand. This is the language of business.

 

So, what are the core KPIs that will provide an effective appraisal of security measures for business leaders? These can be summed up as the three R’s: reputation, risk, and reward.

 

Reputation

It’s easy to talk about the impact of a security incident, be that a data breach, ransomware or some other denial of service attack, as if it were limited to the direct financial losses. But there’s a bigger conversation to be had than regulatory penalties, revenue lost to downtime, or even the rights and wrongs of ransom payments. That conversation revolves around reputation.

 

As a KPI, preventing long-lasting reputational damage is hard to ignore. Damage control in the immediate aftermath of an incident can be assigned a budgeted cost: patching the vulnerabilities, getting things running securely again, and investigating to prevent a recurrence.

 

Reputational damage is much harder to budget for and can be hugely damaging to the bottom line as competitors suck up disgruntled customers and partners or clients leave. Conveying this negative impact to business leaders is essential when it comes to calculating the cost of a breach: if you lose data, you lose trust and customers.

 

Equally, security teams should endeavour to highlight the positive impacts to reputation when security is prioritised. Consider Apple: they are the epitome of an organisation that has transformed security into a competitive advantage. When consumers are in the market for a new phone, laptop, or desktop, one of Apple’s primary draws is its reputation for being a secure product.

 

According to one survey, 79% of Mac users admitted that its perceived security reputation had influenced their purchasing decision. Businesses need to recognise the opportunity here.

 

Risk

Communicating the benefits of decreasing reputational risk requires an understanding of the relationship between security risk and business risk. Aligning the case for security with the needs and risks of the business is not optional. This means looking beyond regulatory compliance checkbox ticking and understanding how the risk appetite of the business sits with the security requirements.

 

There is no one-size-fits-all security plan, as there are too many variables between business sectors and the organisations within them. This must be a bespoke fit, and that means a bespoke business conversation as well.

 

What isn’t helpful is taking the all too familiar Fear, Uncertainty and Doubt (FUD) approach. Starting conversations with scare stories about incidents will likely lead the Board to respond with ‘why do we need to invest now, as we’ve survived just fine for the last decade?’

 

Reward

Your business proposal must show it understands the needs of the business with enough specificity that a risk-versus-cost-versus-probability analysis becomes achievable. This combines the cost of a breach, the probability that the threats you have identified will materialise over a given period, and the investment required to combat them, and so enables a meaningful ROI to be calculated; in cyber security, this is the return on security investment (ROSI).

 

Understanding the importance of ROSI is key to conversations with business leaders. The SANS Institute published the definitive ROSI calculation methodology 20 years ago (www.sans.org/white-papers/849/), and it remains relevant today.

 

This defines ROSI as the annualised loss expectancy (the likely loss from a single security incident multiplied by its expected yearly frequency) multiplied by a mitigation ratio (an estimate of the percentage by which the security plan reduces that risk), minus the cost of the solution, all divided by the cost of the solution.
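As an added worked example of the ROSI calculation just described (this is illustrative code written for this page, not the SANS methodology's own tooling or anything from Digital Catapult), the formula in Python with constructed figures. The loss values, occurrence rate, control names and mitigation ratios are all hypothetical:

```python
# Added example of the ROSI formula described above.  The formula is the one
# the article attributes to SANS; every figure below is constructed for
# illustration and is not taken from the article.

def annualized_loss_expectancy(single_loss: float, yearly_occurrences: float) -> float:
    """ALE: likely loss from one incident multiplied by its expected yearly frequency."""
    if single_loss < 0 or yearly_occurrences < 0:
        raise ValueError("loss and occurrence rate must be non-negative")
    return single_loss * yearly_occurrences


def rosi(ale: float, mitigation_ratio: float, solution_cost: float) -> float:
    """ROSI = (ALE * mitigation_ratio - solution_cost) / solution_cost.

    mitigation_ratio is the fraction of the annual risk the plan removes (0..1);
    solution_cost is the annual cost of the proposed control.
    """
    if not 0.0 <= mitigation_ratio <= 1.0:
        raise ValueError("mitigation ratio must be between 0 and 1")
    if solution_cost <= 0:
        raise ValueError("solution cost must be positive")
    return (ale * mitigation_ratio - solution_cost) / solution_cost


def breakeven_cost(ale: float, mitigation_ratio: float) -> float:
    """Largest annual spend at which the control still pays for itself (ROSI >= 0)."""
    return ale * mitigation_ratio


def rank_controls(ale: float, controls: dict[str, tuple[float, float]]) -> list[tuple[str, float]]:
    """Order candidate controls by ROSI, highest first.

    controls maps a label to (mitigation_ratio, annual_cost).
    """
    scored = [(name, rosi(ale, ratio, cost)) for name, (ratio, cost) in controls.items()]
    return sorted(scored, key=lambda item: item[1], reverse=True)


# Constructed scenario (hypothetical figures): a breach estimated to cost
# 250,000 and to occur 0.4 times a year, so ALE = 100,000.
SAMPLE_ALE = annualized_loss_expectancy(250_000, 0.4)

# Two hypothetical controls: a cheap one that removes most of the annual risk,
# and an expensive one that removes almost all of it.
SAMPLE_CONTROLS = {
    "mfa_and_patching": (0.80, 20_000),
    "managed_soc": (0.95, 90_000),
}

if __name__ == "__main__":
    print(f"ALE: {SAMPLE_ALE:,.0f}")
    for name, value in rank_controls(SAMPLE_ALE, SAMPLE_CONTROLS):
        ratio = SAMPLE_CONTROLS[name][0]
        print(f"{name}: ROSI = {value:.2f}, break-even spend = {breakeven_cost(SAMPLE_ALE, ratio):,.0f}")
```

Run as a script it ranks the two constructed controls: the cheaper control that removes 80% of the risk returns a ROSI of 3.0, while the one that removes 95% returns roughly 0.06, which is the point a board needs to see, namely that the biggest mitigation is not automatically the best investment, and that the break-even figure tells you how much you can justify spending on a given control.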

 

One of the best ways of achieving a high ROSI is to advocate for, and implement, security in the foundations of your company, product, service, or all three. Incorporating security from the beginning, into both the product and the company’s digital infrastructure, works out to be much more cost-effective. Adopting more secure software or architecture from the get-go carries upfront costs in money and implementation effort, but can save hundreds of thousands to millions in the long run.

 

UK Research and Innovation (UKRI) seeks to support this approach for industry and bring about a fundamental shift in the way computer systems are protected from cyber-attacks, in terms of both mindset and technology. UKRI’s Digital Security by Design Challenge (DSbD) was created to deliver a step-change in computer system design — the software, hardware and architecture development.

 

Currently, many organisations apply security mitigations or perform security checks at the end of the development cycle, which generally leads to two outcomes, neither of which are sustainable:

  • Security teams are left constantly patching vulnerabilities as ongoing, temporary fixes.
  • They witness an overhaul of the project as it nears completion due to exposed vulnerabilities.

This is a cycle that must be broken. It’s time that we build systems and products that block vulnerabilities by design, and much earlier in the development process.

 

Framing bids for more business investment around boardroom positions (the CEO wants market value, the CFO wants more revenue, the CMO wants increased sales) is paramount in showing how security spending adds value to the business, rather than being another expense competing for financial attention.

 

Demonstrating how reputation, competitive standing and ROSI stand to benefit from investment in cyber security, particularly when it is incorporated from the start of development rather than at the traditional end of the process, is pivotal to the change we need to see in corporate security culture.

 

Speaking the language of business is more than just security semantics. With cyber attacks on a continuing upwards curve, it’s vital to the future of the business itself.


Amanda Kamin is CMCO at Digital Catapult

 

Main image courtesy of iStockPhoto.com

 

This article was originally published in teiss.co.uk


© 2024, Lyonsdown Limited. Business Reporter® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543