Lack of Metrics is a Problem for Modern CISOs

A lack of real-world experience, and of metrics to aid security professionals, is harming both communication and capabilities.

Speaking at the launch of the book Navigating the Digital Age, produced by Palo Alto Networks and Forbes, Joel Harrison, partner at law firm Milbank, Tweed, Hadley & McCloy LLP, said that organizations often have skilled people but not enough experience of how to deal with ‘real life’ situations.

He said: “Most of the clients we deal with are pretty sophisticated, but we do see cases where people do not have enough experience of what it is actually like dealing with this on the ground. So they may have theoretical knowledge of what the privacy law is, but putting it into practice in an actual security breach, that’s where we tend to find that the gap exists.

“So they can recite what the principles under the Data Protection Act are, but being able to translate that into what you actually have to do in the case of a breach or regulatory enforcement and that sort of experience, you often find that organizations say they are lacking and that's where they are trying to ‘skill up’.

Harrison said that in the case of a breach, you need to treat it like disaster recovery and you cannot have a credible strategy unless you test it once a year. “One thing that is consistent is that trying to make up a response plan as you go along is virtually impossible,” he added.

“People try to map the data that they have got on the fly, and try to reconstruct on the fly, and that is practically impossible to do reliably, so that is why we encourage mapping your data in advance, so if there is an incident you can say to the regulator what you had done.”

Palo Alto Networks CSO Greg Day said that the intention of the book was to create an understanding of responsibilities by distilling duties down, and to highlight some of the questions leaders can ask in order to go beyond the yes/no answers they get from their team.

“If you’re not going through your own fire drills, then actually you’re not going to be in a place that you think you are,” he said.

Day focused on a chapter in the book written by Alan Jenkins, associate partner at IBM Security, which looked at metrics and at understanding which indicators are leading and which are lagging. He cited a conversation with a CFO, who said that a typical conversation on cybersecurity related to an 'end of the world situation' and a cost, and that he didn’t feel he had a choice: “as I don’t feel that I understand, so I feel I need to spend the money, but my guy is telling me that this is not the right thing to do.”

Day said that the challenge is the ‘frustration’ of having to make decisions without being able to make informed ones. “I’ve met with board members before and had an honest discussion, and then I’ve met with the CISO a few weeks later and they say ‘my board talk to you, but when I try and talk to them a week later they won’t talk to me’.

“I’ve heard terms like ‘Bamboozle’ and ‘technobabble’ and regulation is forcing the conversation higher and businesses have an inherent dependency on technology to break the loggerhead and figure out how to have a dialogue.”

This is the sixth edition of the book, and the first for the UK, and is available for download via PDF and in a Kindle version. It is intended for business leaders to consider how they can build strategies and systems fit for current and future challenges, Palo Alto Networks claimed. It will help start necessary discussions and determine the next steps towards preventing data breaches and maintaining trust in the digital age.