Mary K. Pratt
Contributing writer

10 markers of a great cybersecurity program

Apr 20, 2020 | 8 mins
Certifications, Compliance, Risk Management

How strong is your security program? These ten indicators will help you recognize greatness in your own organization and serve as a guide for what to look for in a partner.

Credit: peshkov / Getty / Negative Space

CISOs have multiple ways of quantifying the work they do, from counting the number of threats thwarted to the number of patches performed. Some of those metrics speak to the volume of work being performed, while others – such as mean time to detect and mean time to respond – offer insights into the effectiveness of the department’s people, processes and technology.

Although important, some security experts say they turn to other indicators to determine the overall strength of their cybersecurity department. They go beyond any single snapshot of how the security team is performing in a particular area and speak instead to overall performance within the enterprise.

Here, CISOs and security advisers share what they consider signs of a great cybersecurity program.

Unsolicited praise

Veteran security leader Mary Gardner considers unsolicited praise for security-related projects, particularly those that were initially met with resistance, a sincere recognition that the business values the security department’s efforts.

Gardner, now CISO at F5 Networks, had led a multifactor authentication initiative at a healthcare organization, where clinicians at first resisted the security measure because they feared it would slow down access to applications. But she and her security team met with workers and assured them that the initiative would deliver benefits. More importantly, the new security measure did just that. And when clinicians realized that multifactor authentication provided faster login than the prior process and allowed them mobile access to more applications, they volunteered their praise. “I prefer that spontaneous feedback because that means we did something so well they felt the need to comment on it,” Gardner explains.

Help covering security costs

The security team’s own budget will cover much of the security spend, particularly for core items like the firewall solution and the antivirus software. But security teams often advocate for additional investments tied to specific business initiatives only to find that their business colleagues balk at adding — let alone paying for — those extra security layers. Yet John Pescatore, director of emerging security trends at the SANS Institute, a cybersecurity training organization, says he has seen security teams effectively work with their business colleagues to demonstrate how security measures can enable their goals so much so that the business unit picks up the tab.

For example, Pescatore says he has seen a marketing department pay for a recommended social media security solution and DevOps teams cover the cost of adding security tools into the early part of the development process because they understand that shortens the development cycle. “When you see organizations make these steps forward, that’s a sign of an advanced security program,” he adds. “A security team is successful when they’re in demand and the business is willing to pay for the security measures; it means they see the benefit of them.”

Proof of efficiency

CISOs are accustomed to collecting and presenting metrics such as mean time to detect as a way to measure the security department’s effectiveness, but Pescatore says strong security programs are starting to measure efficiency as well. He says such metrics are modeled after the ones used by CIOs to quantify the efficiency of the IT team, such as IT spending as a percentage of organizational revenue.

“Good CIOs had to learn to do this,” Pescatore says, adding that he’s seeing security use measures such as SOC headcount per node, security headcount as a percentage of IT headcount, and average time to approve a security-related request as measures of efficiency. “The key is to get both more effective and more efficient,” he explains. He says CISOs can look at improvements in such measures as an indication that security is doing a good job in enabling the business to move as fast as needed.

Requests for advice

CISOs say they want to be viewed as trusted business partners, but Gardner knows she’s hitting that mark when her colleagues approach her or her team members for advice. She points to an exchange at one of her previous employers as a case in point: The developers there were troubled by the login mechanism on an application they were developing and turned to the security team for advice. “If they see something that’s off and reach out to us to ask about it, that means they know who we are and they feel comfortable coming to us,” she says. “They have trust in us, and they look to us to help them.”

Good relationships with board members, other executives

Similarly, Gardner sees a positive relationship with board members and other executives as an indicator of a strong security program. “When you’re talking with the board and board members and the executive staff on a regular basis it means you’re looked at as a trusted advisor,” she says.

In such circumstances, the CISO is doing more than just briefing the others; the CISO is bringing his or her perspectives, offering advice and helping craft strategy. “That goes for anyone in my organization, not necessarily just the CISO. When leadership knows who my team is, when they recognize the team, the more I know that I’m nailing it,” Gardner adds.

High marks on maturity measures

Security leaders say scoring well against established security frameworks, such as the one from NIST and the ISO/IEC 27001 information security standard, is a sign of an established, mature program. Caleb Sima agrees. Sima, vice president of security at Databricks, developed a maturity model for his security function using industry standards including the NIST matrix. He built a grid to determine how mature his company’s security program is and to track its improvements over time. “[I can say,] ‘Here’s where we are; here’s where we want to be in a year.’ This is how we identify if we have a good security structure and whether we are making progress,” he says, noting that it helps him show not only his staff but the company executives and other employees how security is doing. “It’s a very tactical, technology-driven approach.”

Reports of positive user experience

Sima says another marker of a successful security program is how well it meets user expectations and whether it provides a positive user experience. He surveys company employees to determine whether his security team is doing a good job, using three surveys for three different sets of users (product engineers, IT and the rest of the workforce). “If we’re maturing our program and at the same time we have the right relationship feedback, those are then good indicators of a good program,” he says.

Third-party approvals

The stamp of approval from outside agencies remains an important measure of success, says Matthew Ferrante, practice leader for cyber and information security services at Withum, a tech service provider. “You need a truly independent audit with a third-party firm, and that firm needs to be appropriately selected,” he says, adding that the CISO should avoid those that provide “friendly results” and instead go with only those offering a rigorous examination of security policies, processes, procedures and technologies.

“Getting a third-party view helps show that your security is aligned correctly and that it’s working correctly,” he says. Similarly, Bruce Beam, CIO at the security organization (ISC)2, says he seeks out certain certifications such as PCI DSS that indicate a third party has reviewed – and approved of – the job that the security team is doing. He also looks for those certifications in the companies with whom he’s doing business before allowing them to connect to his organization’s network.

A positive ROI

Michael Coden, managing director and global leader for the cybersecurity practice at BCG Platinion, part of Boston Consulting Group, says security teams that can measure and demonstrate a positive return on investment show that they have a strong enterprise program in place. He says an organization should see its risk decrease by more than the amount it’s investing in security technologies, processes, procedures and training. “So if we spend $10 million implementing multifactor authentication or implementing a new training program and our risk is reduced by $1 billion, that’s a pretty good ROI,” he says, explaining that his firm uses an automated tool called Cyber Doppler to quantify risk that can then be used to calculate ROI.

A pervasive security mindset

Once, while leading a security team at a prior employer, Beam wanted to reward several staffers for doing a great job. He sent them each a $50 electronic gift card. But the staffers refused to click on the link, thinking it was a phishing attempt. In some ways, Beam says he shouldn’t be surprised by their response, as it indicates that the company has a strong security culture. He says that’s what he wants to see: security tightly woven into the corporate culture so that workers throughout all departments have a security-first mindset.