New Security Leadership: The Basics
Maintaining the right level of boardroom and employee security awareness is a consequence of leadership. And more effective ideas and tactics are replacing the old, reactive security leadership paradigm. CSO looks at what's Out and what's In.
By Derek Slater
CSO — September 11 profoundly changed the public perception of national security; the Enron accounting scandal and a rash of similar scams alerted us to widespread deficiencies in corporate governance, accountability and ethics. But every security leader knows that as time passes after any incident - no matter how demonstrative - corporate concern for the issues brought to light by that incident tends to wane.
Maintaining the right level of boardroom and employee awareness (and therefore, frankly, security budget) is a consequence of leadership. And more effective ideas and tactics are replacing the old, reactive security leadership paradigm. Below, CSO looks at what's Out and what's In.
- OUT: FUD
- IN: Metrics and ROSI
- OUT: Blame games and fall guys
- IN: Risk management and shared accountability
- OUT: Tech talk and copspeak
- IN: Business language and communication skills
- OUT: Silos
- IN: Holistic security
FUD stands for fear, uncertainty and doubt, and it's long been a crutch that security leaders lean on to get the budgets they need. Whether the Board seemed reluctant to spend money on firewalls or on surveillance cameras, the convenient solution was to scare them into funding everything by pulling out an anecdote about What Happened to the Company Down the Road.
In the long run, however, the tactic of exploiting FUD almost always does more damage than good. Security executives and management experts agree that FUD ultimately destroys the security team's credibility. "That [approach] may work once or twice in a true crisis situation where the bad guys have come over the back fence," says Jim Mecsics, vice president of corporate security for Equifax. "But when you approach corporate officers with the tactics of fear, you're walking into a trap. Somebody will eventually say, 'OK, show me where the real [emergency] is,' and then your credibility is shot." FUD is a particularly common tactic in the lower ranks of a security organization, especially among those who haven't learned how to make a data-driven risk management argument. A CSO who doesn't stamp out FUD in his team creates as much of a problem as the CSO who uses it in personal conversations with senior executives.
Mecsics has the stories that prove the point. Just after 9/11, he was working with a government organization that decided it needed to radically increase its manpower to cope with the concerns over terrorist threats. The organization set up a conference, and hastily gathered input from all its field agents to take to the senior leadership. Instead of research and risk analysis, many of the agents' arguments were based on guesswork and were rooted in the fear and uncertainty of Sept. 11. Mecsics says the organization's management started asking questions and quickly saw through the panic the security personnel were creating. The net result was that the security team lost its credibility. In another organization, Mecsics says, senior executives were so frightened by the security group's use of scare tactics that they became obsessed with concerns that the company would be irreparably harmed by a security event. In this case, they lost the ability to look at the issue rationally. "They got worked into such a frenzy that it was like a runaway train," says Mecsics.
FUD also wastes money, because money raised by fear is rarely spent well. When CSOs buy and implement a security initiative based on fear, they'll have a much harder time managing and assessing it on its merits and actual results.
(To learn more, read "The FUD Factor" by Daintry Duffy.)
Like it or not, the corporation is generally managed by the numbers.
Eventually, security will be almost completely metrics-driven. A reliance on metrics is, after all, the mark of a mature corporate function. Most security executives already need to develop, cull and otherwise employ risk analysis metrics and benchmarks. And experts say those leaders should devote considerably more financial resources to developing benchmarks than they do already.
"The ISO is going to the CEO saying there's a chance something bad, and possibly something embarrassing, could happen," says Alan Paller, director of research at SANS Institute. "But how much of a chance, the ISO doesn't know. And if he spends this kind of money, he can reduce the risk, but by how much he doesn't know. There is simply not enough data. Every other C-level executive does better than that and takes on the responsibility for defining the risk. Here, the CISO is putting the responsibility on the CEO. The CEO doesn't want it, and eventually he won't take it."
So forget FUD, and start learning how to demonstrate the value of your ideas using metrics and, especially, ROSI (return on security investments). This is an approach that infosecurity pros have been slow to adopt, although it is clearly valuable. Economist Frank Bernhard's research, for example, shows about six cents of every revenue dollar is at risk because of a lack of information security, but many companies spend barely a dime of their IT dollar on security.
"I'm not sure why IT tends to disregard these tools," says Bob Jacobson, president of International Security Technology (IST), a private company that consults on matters of security risk assessment. "It's a bit frustrating to keep hearing that you can't do it accurately. That is not true. The tools are there. Nuclear uses them. Pharma uses them. The whole world has used ROI in security for a long time. [CSOs] have an opportunity to make a major contribution in their organization if they have the willingness to learn this."
ROSI is rarely easy. It requires legwork, and lots of it. As you begin, it's helpful to keep in mind that precise measurements are not necessarily the goal. "This is a classic problem that technologists have," says Kevin Soo Hoo, a researcher at the security consultancy @Stake. "They don't understand that you can make rough guesses to work out a problem. We dive into an ROSI study, and the engineers are focused on the minutiae and want to argue for days whether some variable should be .6 or .55. It doesn't matter."
With ROSI, as with all risk assessment, the goal is accuracy, which is not at all the same thing as precision. The point is to provide a set of guiding principles from which you, your CEO and CFO can make more informed decisions about what's acceptable. In other words, the CEO doesn't (or shouldn't) care if a return is precisely $3.13 for every $1 spent or $2.97. He cares that it's accurate to suggest about a 3-to-1 return, and not a 1-to-1 return or, worse, a 1-to-3 return.
(For a more complete explanation, plus formulas and sample ROSI calculations, see "Calculated Risk," by Scott Berinato.)
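The accuracy-versus-precision point above can be made concrete with a small sensitivity check. The script below is an added example, not part of the CSO article or of the "Calculated Risk" piece it cites. It assumes the common annualized-loss formulation (ALE = single-loss expectancy x annual rate of occurrence; return per dollar = expected loss avoided / annual cost), which the article references but does not state, and every dollar figure, rate and mitigation percentage in it is constructed. Instead of arguing whether a variable should be .6 or .55, it evaluates the return over the whole range of plausible values and reports which coarse bucket (about 3-to-1, about 1-to-1, about 1-to-3 or worse) the result falls into. One bucket means the decision is already accurate enough; more than one means the guessed inputs actually matter and more legwork is warranted.

```python
"""ROSI sensitivity check (added example; not from the CSO article).

Assumed formulas, standard in annualized-loss risk analysis:
    ALE              = SLE * ARO
    return per dollar = (ALE_before - ALE_after) / annual_cost
All input values below are constructed for illustration.
"""
from itertools import product


def ale(single_loss_expectancy, annual_rate_of_occurrence):
    """Annualized loss expectancy: expected loss per year from one threat."""
    return single_loss_expectancy * annual_rate_of_occurrence


def return_per_dollar(sle, aro, mitigation_effect, annual_cost):
    """Expected loss avoided per dollar of annual security spend.

    mitigation_effect is the fraction by which the control is guessed to
    reduce the occurrence rate (0.6 means 60 percent fewer incidents).
    """
    before = ale(sle, aro)
    after = ale(sle, aro * (1.0 - mitigation_effect))
    return (before - after) / annual_cost


def bucket(ratio):
    """Map a ratio onto the coarse categories the executive actually cares about."""
    if ratio >= 2.0:
        return "about 3-to-1 or better"
    if ratio >= 0.67:
        return "about 1-to-1"
    return "about 1-to-3 or worse"


def sensitivity(sle, aro_values, effect_values, annual_cost):
    """Evaluate every combination of the uncertain inputs and return the set
    of buckets that result. A single bucket means the conclusion does not
    depend on the exact value chosen for the guessed variables."""
    return {
        bucket(return_per_dollar(sle, aro, eff, annual_cost))
        for aro, eff in product(aro_values, effect_values)
    }


if __name__ == "__main__":
    # Constructed scenario: a $500,000 incident expected roughly every two years,
    # a control that analysts variously guess removes 55 or 60 percent of them.
    sle = 500_000
    aro_range = [0.4, 0.5, 0.6]
    effect_range = [0.55, 0.60]

    for cost in (50_000, 80_000, 150_000):
        outcome = sensitivity(sle, aro_range, effect_range, cost)
        verdict = "stable" if len(outcome) == 1 else "depends on the guesses"
        print(f"annual cost ${cost:>7,}: {sorted(outcome)} -> {verdict}")
```

At a $50,000 annual cost the constructed scenario lands in the 3-to-1 bucket no matter which of the disputed values is used, so the argument over .55 versus .6 changes nothing. At $80,000 the buckets split, which is the signal that the estimate needs refining before it goes to the CFO.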