Security data can drive larger decisions about where an organization’s biggest business risks lie and how to best mitigate them. But two interwoven challenges prevent companies from drawing out that value: First, security teams are too overwhelmed by their data to analyze and use it effectively. Second, security leaders cannot translate that data and what it means to other executives and the board of directors.
With no way to efficiently analyze troves of data and alerts, security teams can’t effectively communicate to the business what the major risks are, where gaps in protection may exist and how to strengthen the overall security posture. The consequences of this are dangerous: If business leaders don’t take security risks seriously, it could impact investments in everything from brand building to business transformation and merger and acquisition activity. Alternatively, communicating the wrong data could lead to a false sense of security that leaves the organization at risk.
Security pros have to turn security data into meaningful insights that the C-suite understands. Doing so requires that they gain a holistic view into security environments, identify the most actionable data and communicate metrics with enough context to inform major decisions. Here are five practical steps that can help guide security pros.
1. Make sure tools are deployed properly.
Before security leaders can glean business value from their data, they must make sure they’re getting the right data from the right sources. Too many alerts and metrics from too many tools can overwhelm analysts. Security teams should conduct a thoughtful analysis of every tool in their arsenal and evaluate whether it’s used as intended. Each security tool must have a dedicated person or team with the bandwidth to implement it correctly, as well as monitor, maintain and measure how it’s contributing to the overall security program. Without this, the data gained from that tool won’t offer any value. From there, identify where capabilities overlap — duplicate alerts can significantly contribute to data overload — and where gaps may exist that the organization needs to prioritize.
2. Separate critical data from the noise.
Once an organization’s tools are used effectively, teams can focus their efforts on analyzing only the most important data. Measuring the wrong metrics can cause great harm. For example, companies often pay attention to everything that has been blocked by a firewall in a given timeframe. This doesn’t lead to actionable insights and can overwhelm analysts.
Companies also focus on reporting to the board on how quickly the security team responds to each threat. Instead, focus on the metrics that matter most to the business. This includes data around sales platforms or customer service channels, or how much of an organization’s technology environment the security program can see. If you can’t see it, you can’t protect it.
3. Identify the unknown and fill the gaps with benchmarks.
Security leaders need to articulate potential risk to the business in a way that board members understand. That risk consists of both known and unknown threats. Companies can’t properly defend against unknown threats. That’s why it’s essential to identify the risks you can and cannot see.
A strong security program will benchmark against what’s seen by similar organizations and in the industry. For example, healthcare and hospitality companies currently experience a relatively high number of ransomware attacks, while tech companies face a growing number of insider threats. Compare how the organization’s security program maps against those known threats — which attacks can you identify and respond to? Which might go undetected?
Take that strategy even further by comparing against resources like the MITRE ATT&CK Framework, which compiles and categorizes hundreds of known techniques that attackers use so that enterprises can determine the exploits they are best prepared to defend against. This information will deliver the kind of context that will transform security data from abstract metrics to a language that leadership understands.
4. Close the language gap with context.
All of these steps — assessing current tools, focusing on actionable data and benchmarking against known threats — help security leaders cut through data overload to communicate only the most important metrics to the board. An effective strategy reports on the seen and unseen risks and on what the organization will do to close that gap. This helps leaders decide where to focus the security program’s time and money, and it accurately communicates risk to the board.
Without this important context, leaders like CEOs, CFOs and COOs will not understand how the security team enables the business and will not support the security efforts that are critical to ensuring the enterprise continues to move forward.
5. Validate that your security controls work as expected.
Each of these steps should inform how a security team collects and communicates data, and how that data informs the larger strategy now and in the future. Once the most effective metrics are identified, use them to shed light on where gaps in protection exist. Dedicate resources to closing these gaps. From there, continuous testing with tools like attack simulations can ensure the most effective tools and metrics receive priority. It’s also important to determine guidelines for maintaining, updating and patching security tools to prevent gaps or data overload problems from resurfacing. Just like a car needs maintenance, security posture suffers from wear and tear. It can decay over time without the proper upkeep.
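The comparison described in steps 3 and 5 can be reduced to a small report, shown here as an added example that is not part of the original article. The technique IDs and names are real MITRE ATT&CK entries; the threat profile, rule inventory and simulation results are constructed sample data, and the function names are hypothetical.

```python
# Added example with constructed data. Technique IDs are real MITRE ATT&CK IDs;
# the profile, rule inventory and simulation results are hypothetical samples.

THREAT_PROFILE = {  # techniques assumed relevant to a ransomware-heavy sector
    "T1566": "Phishing",
    "T1078": "Valid Accounts",
    "T1059": "Command and Scripting Interpreter",
    "T1021": "Remote Services",
    "T1490": "Inhibit System Recovery",
    "T1486": "Data Encrypted for Impact",
}

# Detection rules the team believes it has: rule name -> technique it covers.
DETECTION_RULES = {
    "mail-gateway-lure": "T1566",
    "edr-script-block": "T1059",
    "edr-shadow-copy-delete": "T1490",
    "siem-mass-file-rename": "T1486",
    "proxy-blocked-category": None,  # volume metric only, maps to no technique
}

# Attack-simulation outcome per technique: True means the alert actually fired.
SIMULATION_RESULTS = {"T1566": True, "T1059": True, "T1490": False,
                      "T1486": True, "T1021": False}

def coverage_report(profile, rules, simulations):
    """Classify each profiled technique as validated, unvalidated or unseen."""
    claimed = {t for t in rules.values() if t}
    report = {"validated": [], "unvalidated": [], "unseen": []}
    for tid in sorted(profile):
        if tid not in claimed:
            report["unseen"].append(tid)        # no rule at all: blind spot
        elif simulations.get(tid) is True:
            report["validated"].append(tid)     # rule exists and fired in a test
        else:
            report["unvalidated"].append(tid)   # rule exists but failed or untested
    report["validated_pct"] = round(100 * len(report["validated"]) / len(profile))
    report["claimed_pct"] = round(100 * len(claimed & set(profile)) / len(profile))
    return report

def board_summary(profile, report):
    """Render the report as one plain-language statement for executives."""
    names = lambda ids: ", ".join(profile[i] for i in ids) or "none"
    return (f"Validated detection for {report['validated_pct']}% of profiled "
            f"techniques (claimed {report['claimed_pct']}%). "
            f"Cannot see: {names(report['unseen'])}. "
            f"Rule present but not proven: {names(report['unvalidated'])}.")

if __name__ == "__main__":
    print(board_summary(THREAT_PROFILE, coverage_report(
        THREAT_PROFILE, DETECTION_RULES, SIMULATION_RESULTS)))
```

The gap between the claimed and validated percentages is the part of the posture that exists on paper but has not been shown to work.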
Security data has great potential value. However, if used in the wrong way or reported ineffectively it can overwhelm a team, lead to miscommunication and create protection gaps. As businesses tighten their budgets in the wake of economic uncertainty, it’s important to validate a security investment and use limited resources wisely. By analyzing how tools are used and maintained, tracking only the most valuable metrics for your organization and reporting to the board of directors using the right context, companies can make the most of their security spend and make informed decisions about future investment.
Brian Philip Murphy, chief architect, ReliaQuest