Attention CISOs: The Board Doesn’t Care About Buzzwords

Originally published by Lookout here.

Written by Paul Simmonds, Global Identity Foundation.

We live in an IT world surrounded by buzzwords that are largely marketing gimmicks. Zero Trust, for example, is a concept no one actually understands and is slapped onto everything, including derivatives like Zero Trust networks (ZTN) and Zero Trust network access (ZTNA). Then there’s Secure Access Service Edge (SASE), Security Service Edge (SSE) and everything that falls under these frameworks such as Cloud Access Security Broker (CASB), Secure Web Gateway (SWG).

If you’ve ever presented to a board of directors, then you’ll know that they don’t care about any of this. The only time the board encounters any industry jargon is when they read about it in the Financial Times or Wall Street Journal. I was asked about a buzzword once in my career and it was in 1999: “OK, Paul, what are we doing about Y2K?”

I know we think all this tech stuff is very important, but when it comes to funding, the security function is under the same constraint as every other business unit. So the question you need to answer is simple: what is this security solution going to deliver to the business to make it more profitable?

Security is the same as any other business unit

For any part of the business to get board approval, the formula goes like this: I want to spend X-amount of dollars to make Y-amount of revenue or profit with a probability of Z percent. If Y times Z is significantly greater than X, then the board will approve — that is, once they have grilled you and concur with all your assumptions!

With security, most of our costs are “below the line,” a.k.a. the “cost of doing business.” But the strategy to get approval is the same. We want to spend X-amount of dollars to save the organization from Y-amount of dollars in exposure with a Z percent chance of it happening.

Accepting risk is not acceptable

The difference between this and other business expenditure is that risk is more complex and has four major outcomes.

• Eliminated: risk is designed out of your infrastructure
• Mitigated: risk is compensated by additional controls
• Transferred: another party takes on the risk, such as with insurance
• Accepted: risk remains as a cost of doing business

Oftentimes, risk is simply accepted — especially when the board doesn’t recognize the problem or agree with your analysis. The uphill battle for us is that security risk and the probability of something happening is hard to quantify and therefore deemed subjective.

Position security as an enabler

Occasionally, security is seen as an enabler. I’d argue that cloud and Zero Trust, when done properly, falls into this category; and here we are talking about three key themes:

• Faster
• Cheaper
• Reduced friction, particularly around collaboration

When I was a global CISO in big pharma, the industry-wide figure for developing a blockbuster drug was $150 per minute for the 10 years it takes to bring it to market. So, if, for example, I can deliver a new system using cloud technology in one month, versus three months using traditional methods, it’s a potential $20 million saving in development time.

Consider all angles before presenting

Crises notwithstanding, as a CISO, I only get a few shots at getting my security project to the board. Thus, I need to be really convinced in the problem and concept, as well as the numbers I’m presenting. Also, I need to be certain that I have key stakeholders on my side and ready to support me. After all, it’s my time and reputation on the line!

Here two key areas to consider when preparing your pitch to the board:

Know your total cost of ownership (TCO)

Hidden costs can kill your TCO and return on investment (ROI) calculations. Even if the product costs nothing to purchase, there are other expenditures to consider.

What will it cost to onboard and test? For example, if I have 88,000 devices and it takes me $50 to configure each of them, my rollout is in excess of $4.5 million. This doesn’t factor in any additional costs of buying or dedicating hardware (physical or virtual), assigning a project manager, training staff or engaging external consultants. All this also takes time, which will cost you money.

What will it cost to operate? Understand the expenses surrounding operations. With any security solutions, you typically need 24x7 coverage. So a tool that requires one person to run at any given time will net out to be a five-headcount team with a cost of $500,000 per year.

Demonstrate compatibility with existing processes

A key component of convincing the board is to illustrate how it reduces friction in operations. And for times when something doesn’t work out, make sure you have a pass-or-fail criteria and a back-out plan.

Does it integrate with what you already own? To go back to the TCO conversation above, disparate, standalone systems require separate teams and expertise to manage. It also creates cracks in processes and coverage for the bad guys to slip through.

Will it deliver security by default? To customize anything requires time and resources. That’s why the best solutions are simple, consistent, reduce friction for users and are cheap and simple to operate.

Raise the conversation above the buzzwords

I’m going to argue that the concept described by SSE raises the discussion above Zero Trust and the access abilities of SWG, ZTNA and CASB. At the end of the day, your job is to secure your organization’s data in all the disparate environments we now use to conduct business — whether it's on premises or in the cloud.

SSE describes the convergence of security solutions and enabling IT and security teams to consistently provide data security for web, cloud and private applications. Now that will get people's attention. But whether it addresses the requirements I outlined above and makes it to the board — that remains to be seen.