The quarterly publication of the International Legal Technology Association
Issue link: https://epubs.iltanet.org/i/900970
Baldrige Cybersecurity Initiative: The Journey Toward Excellence in Information Security Management

As law firm technology and information security leaders, our executive teams regularly challenge us to defend investments in the tools, processes and people (collectively, "controls") dedicated to safeguarding our firms' information assets. In response, we may use common methods (such as controls assessments or audits) to measure and communicate the effectiveness of the controls we have in place. Controls assessments and audits are essential tools for the operationally focused security leader. When communicated to senior stakeholders, however, these controls-based metrics often fail to translate into the language of business value.

Business Value of Security

In today's digital economy, law firm principals need clarity when it comes to cybersecurity. As technology and security leaders, we need to communicate in a manner that improves, not muddles, decision-making at the executive level. To do so we must adopt new strategies for demonstrating that the security function and its corresponding controls add value by offering meaningful metrics squarely focused on the firm's values and objectives. Though information security leaders may manage cybersecurity with controls, we must take conscious steps not to use controls as our metric for communicating program effectiveness.

To take this leap, we must first acknowledge the shortcomings of the controls-based methods used to measure, prioritize and communicate program effectiveness. This bottom-up approach to denoting cybersecurity effectiveness may contribute to the problem. As technology and security leaders communicate progress towards goals using data from the bottom up, we are often inclined to report on the trees when the principals want to know about the forest. In what way does a control contribute to the firm's earnings and sustainable growth? We often get the answer wrong, because we focus on the controls themselves and not on the business objectives driving the need for controls. Our executive leaders need business-focused data to help ensure that investments in security will produce the returns they expect. It is mismatched expectations that can get the security leader in trouble.

Due to our historical emphasis on controls-based security messaging, executive decision-makers may continue to view cybersecurity as a moat that protects the castle. When the moat is crossed and the enemy has launched a sneak attack from within, exasperated principals shake their heads and wonder where their investment went. This has a direct impact on the credibility of the technology and security leaders, and it can quickly erode the trust and confidence we seek. To build our standing among the executives, we must shift focus to organizational performance and process maturity as the foundational metrics used to communicate how the cybersecurity function helps advance the firm's goals.

The Right Metrics Communicate Value

Those unmoved by the last assertion should ask their principals for feedback on what cybersecurity metrics they need and want in the current business environment. Decision-making at this level requires an understanding of cybersecurity's impact on the firm's reputation, operational efficiencies, innovation and speed-to-market. The reality today is that only a few law firm technology and security leaders define and track metrics that align to these business factors, and even fewer take advantage of opportunities to communicate this data to stakeholders. The result: executives make economic decisions based on a flawed model that regards cybersecurity as a finite problem rather than an ongoing process of incremental improvement.

For some time, executives and board members across sectors have voiced frustration with their security leaders' controls-based messaging. Overall, two-thirds of executives have little or no confidence in their organizations' ability to prevent cybersecurity breaches, according to an NYSE Governance Services/Veracode report entitled Cybersecurity in the Boardroom. This same report also finds that 64 percent of executive-level respondents want today's security leaders to focus on strategy and the role of risk when communicating. Technology and security leaders should note these striking figures, as they appear to correlate with the level of trust and confidence that principals have in our ability to manage an effective cybersecurity program.

ADAM STONE
Adam Stone is Principal Consultant and Chief Privacy Officer for Secure Digital Solutions. He has over 27 years' business leadership experience, with 17+ years overseeing data privacy and security functions for healthcare, insurance, financial services and marketing organizations. Contact him at astone@trustsds.com.