Implications for CEOs who miss security targets [Q&A]
Increasingly, IT security is seen as an issue for the entire organization. This means it's often included in business targets, but setting these in a meaningful way -- and being able to meet them -- is a major challenge.
We spoke to Joseph Carson, Chief Security Scientist and Advisory CISO at Thycotic, to find out more about the difficulties of setting and measuring the success of targets for security.
BN: Why are companies failing to set their IT security teams meaningful business targets?
JC: One of the main reasons behind this is that there is a disconnect between the C-suite and the IT security team. A lack of effective communication between the two can often result in security targets that are based on KPIs that have little relation to business objectives.
As such, those sitting on the board can view IT security as something they are obliged to do rather than as a business tool that can help improve several areas, including processes, profitability and competitiveness. Indeed, a Thycotic survey of 550 IT decision makers shows that a quarter (26 percent) report that IT security is not prioritized or invested in by their boards as strategically important.
Further, more than half (52 percent) of IT security decision makers say their organizations struggle to align business goals and security initiatives. Four out of 10 (43 percent) say their business's goals are not communicated with them and a third (36 percent) admit that they aren’t clear on what the business goals even are.
This often means that IT security teams look at historical achievements to demonstrate their value, such as the number of patches installed or malware detected in the previous quarter or year, appearing to be very reactive to the business. As such, IT security teams fail to make a positive impact on the C-suite. This can have implications for investment into cyber defenses and the necessary cooperation of peers within the company, both of which can put an organization at risk.
One further indicator of how relevant IT decision makers view their current board-set targets is that only four out of ten respondents (40 percent) viewed meeting these goals as a definition of success.
BN: How do security teams rate meeting the board's performance targets compared to other success measures?
JC: Our survey research showed that IT decision makers had a number of different criteria for what success looks like. Meeting board performance targets and being valued by the rest of the company were the top indicators of success, closely followed by meeting compliance demands.
Many IT decision makers appear to view avoiding disaster as a mark of success. For instance, 37 percent said preventing their organization from being the next 'cyber security incident' headline was a triumph, while a similar amount (36 percent) believed it was keeping things running smoothly. Just over a quarter (27 percent) pointed to not having any security incidents and, somewhat disappointingly, 16 percent said they had achieved something if they managed to keep their job.
BN: What are the main implications for C-suite executives when targets are missed?
JC: As with any job, there are often consequences to be faced for missing targets. Six out of 10 respondents to our survey (61 percent) said that their CEO is likely to pay the price for IT security teams failing to meet expectations. Negative outcomes for the head of the business include having to face shareholders or having to take a hit to their bonuses. In the most serious of failures this might even lead to sacking.
Where missing targets results in security failures that cause a very serious breach, a CEO is likely to be the first for the chopping block or find it difficult to recover. Take for instance the massive TalkTalk breach of 2015, which cost the company some £35 million, putting a cloud over CEO Dido Harding, who left the role 18 months later. In 2017 Equifax saw the CEO, CIO and CSO all leave the company within months after a major data breach that has cost the company more than $1 billion USD.
BN: What steps can CEOs take to set targets that correlate with overall business performance?
JC: The first step a CEO can take to better align the objectives of the IT security team and the business as a whole is to create a company-wide cyber security awareness and culture. This starts with either training up or employing a CISO who is able to communicate security issues to the board in business-focused language. For example, they should be able to clearly demonstrate the impact certain security issues and outcomes would have on the rest of the business. It is critical to focus on the people and the business to be a successful CISO.
From there, cyber ambassadors should be appointed who are likewise able to communicate complex technical issues clearly and succinctly to non-experts. In this way the IT security team will be able to gain the cooperation of other departments to find out how it can help them meet their objectives. This also has the added advantage of conscripting staff to act as an early warning system against potential threats before they escalate and become an issue for the C-suite.
Armed with this information, a CEO should then look to set proactive targets that are closely aligned to the aims of their business for the coming year or quarter. By having security and business targets that are more in sync with each other, organizations can ensure that their IT security teams are not only providing a robust defense against cyber threats, but also helping to contribute to wider business goals.