Dr Cole's point is that if IT security is communicated on the basis of the number of vulnerability scans performed, or the number of patches installed, CISOs will find themselves with little influence. "I do a lot of work with senior executives and they really could care less about patches; they don't even know what they are!" Furthermore, without a clear, understandable metric, executives are left with questions such as whether the absence of a cyber-attack means that the head of IT security is doing an adequate job, or whether, when an attack does occur, the head of security should be fired.
A different way to understand this problem, suggests Dr Cole, is by comparing security to another role in an organisation, the CIO. From the late '80s onwards, companies started waking up to the benefit of computers and, as a result, the role of the Information Officer was created and positioned under Operations. In the late '90s, when companies were networked and every employee had a computer, the Information Officer was transformed into the CIO, reporting directly to the CEO and Board of Directors. Around this time, a single metric was decided upon, which would be used as the benchmark for success for the CIO: the five nines, 99.999 percent availability and uptime for IT. With this benchmark, the CIO had a simple way to communicate their needs and the board had a simple way to track their progress. So, first there was the C-level position, and then a clear metric to communicate performance.
Now compare this with the role of Security Manager or CISO. Dr Cole explains that IT security only appeared on the radar for most companies in the late '90s, which led to the role of Security Manager being created and subsequently buried deep under the CIO. This created problems because the CIO would be too focused on IT availability and uptime, often lacking the visibility and insight to cater for security properly. According to Dr Cole, "IT and security are complementary about half of the time, but are also adverse, so you need to have two different people: a CIO and a CISO who are peers. The good news is, as we speak, this is changing, but the problem is that nobody has any clue what a CISO is supposed to do; organisations do not have the five nines of security. This is why we need to create a single metric like the five nines that is focused on a strategic level and can be understood."
So what is the correct metric and who is going to work this out? "I believe we are going to have individual CISOs come up with their own metrics. The ones that are strategic are going to be the CISOs who will survive, and the ones that are too tactical, like focusing on patching, are the ones who will not. The metric needs to be short-term and allow for some level of breach to be acceptable, so that when a breach does occur, the CISO is not immediately fired. Instead, you readjust the metric and the budget. Until this message can get across to the executive board, I think we're going to continue having lots of problems and issues in security."