Expectations Meet Reality: The Case for Cybersecurity Performance Management
Sivan Tehila, co-authored by Yosef Adatto
The expectation for security leadership today is to have the ability to see the future, like in the 2002 film “Minority Report,” where precognition technology could alert law enforcement before a crime takes place. Knowing which attack vectors hackers will take is incredibly challenging in the security world, so leaders are expected to be prepared for the unexpected. While precognition tech may never come, the expectations for security leadership are real and demanding. Fortunately, processes like Cybersecurity Performance Management (CPM) can be implemented to aid and guide leadership.
What is Cybersecurity Performance Management?
Before understanding CPM, we must look back and see how we got here. A recent CISO survey conducted by Marlin Hawk, an executive search firm, shows that CISOs are under tremendous stress, manifesting in high turnover. This well-known fact is backed up by the numbers: the survey found that “45% of global CISOs have been in their current role for two years or less” and that CISOs typically “get overwhelmed within months.” You might ask yourself, "why?" and the answer is, "it's complicated." The average company undergoes a cyber attack every 2 seconds, and cybersecurity leaders and teams typically need over 50 types of security products just to defend their company’s environment. The burden often falls to the CISO to protect the company’s perimeter and mitigate these threats, often with limited resources available.
On top of that, CISOs are also responsible for demonstrating and communicating value back to the business. CISOs, despite popular belief, cannot predict the future, even though that would be super helpful. However, they can plan for it. Let’s dive deeper.
The meat and potatoes:
Now that we have some background context on the driving need for CPM, let us examine precisely what it is, and later on, we can dig into what it aims to do. There are two nonsequential but connected areas to consider:
The first area is the discipline itself. Cybersecurity performance management (CPM) evaluates an organization's strategic security objectives using a comprehensive, top-level risk approach that monitors cybersecurity performance indicators (CPIs), team member performance, compliance, maturity, and ROI. It provides a centralized view using available tools, improving their signal-to-noise ratio so that valuable insights can surface. CPM guides how to use information collected from continuous monitoring to inform risk management decisions and improve the overall security posture of an organization.
The second area is focused on helping organizations demonstrate a business outcome-driven approach. Communicating the business case to senior management is becoming increasingly challenging, demanding a process that effectively addresses the current drivers and obstacles that will impact the business. The Gartner Hype Cycle for Cyber Risk Management 2022 states that CPM “fosters continuous improvement over time against agreed business outcomes,” strengthening business resilience by adapting to organizational changes, digital transformation, and threats.
Why is Cybersecurity Performance Management important?
In a nutshell, CPM matters because it measures the performance and improvement of a cybersecurity program over time. The key is to have an approach that addresses the drivers and obstacles security programs face while using a method that effectively communicates the objectives of the security program and the impact they will have on the business.
So, what are the main drivers?
The demand from the board and regulators for better, consistent, and ongoing reporting on the effectiveness of the cybersecurity program.
Demonstrating ROI for internal stakeholders and executives with a focus on cost optimization.
Coping with external pressures that challenge the flexibility of security programs.
What are the main obstacles?
Lack of guidance on how to address performance and delivery.
Accurately measuring performance levels and distinguishing them from trailing metrics.
Deciding which supportive toolsets are best equipped for cybersecurity performance management.
Businesses heavily invest in security tools and need a streamlined demonstration of ROI. Implementing a CPM approach can aid in defining goals and pinpointing gaps. Supportive toolsets built from the ground up with performance management in mind will address the main drivers and prioritize overcoming obstacles that prevent security programs from maximizing value.
CPM: Where’s the value?
While Cybersecurity Performance Management technology may not include full precognition capabilities (yet), it can help alleviate strategic security challenges and the stress CISOs continuously face. Not only does CPM measure the performance and improvement of a cybersecurity program over time, but it also allows CISOs and security leaders to communicate the needs and business impact of the security program in a common language, prioritizing investments through informed conversations with executives. In a giant nutshell, CPM continually assesses the current state of an organization's security program and guides it in the right direction toward where it needs to be in the future.
Sources:
Gartner, Hype Cycle for Cyber Risk Management, 2022. Published 27 July 2022, ID G00770123.