How to Always Make a Business Case for Security

How can security leaders match a business case to every security action they want to take, and how do they go about it? Is this the right way to sell security to the board?

Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Steve Zalewski. Our sponsored guest is Sravish Sridhar (@sravish), founder and CEO, TrustCloud.

Got feedback? Join the conversation on LinkedIn.

HUGE thanks to our sponsor, TrustCloud

TrustCloud
TrustCloud is the all-in-one platform to accelerate sales and security reviews, automate compliance efforts, and map contractual liability across your business. Connect with us to learn how you can transform security from a cost center into a profit driver with TrustCloud’s programmatic risk and compliance verification tools.

Full transcript

[David Spark] How can security leaders match a business case to every security action they want to take, and how do they go about it? Is this the right way to sell security to the board?

[Voiceover] You’re listening to Defense in Depth.

[David Spark] Welcome to Defense in Depth. My name is David Spark. I am the producer of the CISO Series. And joining me on this very episode is Steve Zalewski. He used to be the CISO over at Levi Strauss, but now just slumming it out here on Defense in Depth. Is that correct, Steve?

[Steve Zalewski] Absolutely. Hello, audience.

[David Spark] Is this a step up or a step down from Levi’s?

[Steve Zalewski] Oh… [Laughs]

[David Spark] You know what the correct answer is, by the way, but I want to hear the real answer. [Laughs]

[Steve Zalewski] Of course it’s a step up.

[David Spark] There you go, correct answer. Our sponsor for today’s episode is TrustCloud, the fastest way to pass audits and security reviews. More about TrustCloud later in the show. In fact our guest is from there. But first, Steve, your most quoted line, “How does this help me sell more jeans?” That quote that you and many others have repeated, quoting you, will be carved into the gravestone. Hopefully not any time soon. It’s the line that cuts to the chase and says, “Give me the business case for your product.” So, are there cases, Steve, where a security professional can love a vendor’s product but fail to ever purchase it because they can’t make a business case for it?

[Steve Zalewski] Well, the short answer is yes.

[David Spark] And have you been that person? Have you been like, “Oh my God, I love this product, but I can find no reason to use it.”

[Steve Zalewski] The way I describe it there is they weren’t able to make their transition from something that was interesting to important. So, there’s lots of stuff out there that we find interesting. But if you can’t make the business case then it’s really hard to make that transition. So, yes, I had those cases multiple times because I thought it was important, and I had it in the back pocket waiting for the right business case to present itself. Definitely.

[David Spark] Very good point. Well, we are going to discuss this in great detail, and I’m really into this. Because the way I see it, your line of, “How does this sell more jeans,” we’re going to try to peel back the onion of that line through this whole episode. And the person who’s going to discuss it with us is very aggressive on this topic. Extremely aggressive. So, he is so the perfect person. He is our sponsored guest, founder and CEO of TrustCloud, Sravish Sridhar. Sravish, thank you so much for joining us.

[Sravish Sridhar] David, Steve, thank you so much for having me. A mentor of mine told me a few months ago that you’re not a person in the security and privacy community if you don’t talk to David and Steve. It’s a privilege. I think I’ve arrived.

[David Spark] I have to say whoever that person is, probably the smartest and I’m going to say probably the most handsome person we all know.

[Laughter]

[Steve Zalewski] I’m speechless. How’s that?

How do I start?

3:03.375

[David Spark] Matthias Muhlert of HARIBO essentially gave a five-step detailed analysis. “One, identify company strategy goals. Two, identify business processes supporting these strategic goals. Three, identify cyber risks, not threats, with these processes. Four, perform risk management on these risks. And then five, link it all back enriched with financial data.” And Robert Vitelli of AArete said, “My job is not to help you sell more jeans. It is to ensure that you can continue to sell jeans. Selling jeans is the marketing and sales departments.” Which I thought was an interesting take right there, Steve. I like that prescriptive five-step plan from Matthias. Just, again, there’s more to this but a very sort of logical process. What do you think, Steve?

[Steve Zalewski] So, what I liked about Matthias… And I would say over the last three, four years, what we’re seeing is the question of how does it sell more jeans is becoming relevant to how you want to state your roadmap and your security controls. And so it’s not just a technical conversation or an audit and compliance conversation. What we’re seeing is more and more people understanding that the business perspective is becoming more relevant for how the board wants to hear the argument, and more and more CISOs are realizing that they have to expand their vocabulary from one of not just technical risk or cyber risk but business risk. And so I think this is excellent. This is a great five-step process. But the overall is however you want to justify the business risk process is the realization you have to have one.

[David Spark] Yes, all right. Sravish, you are nodding your head here. What do you think of this seemingly pretty logical process?

[Sravish Sridhar] I agree that it’s a logical process. However, I think it’s missing the mark in one important perspective, and that is that many CISOs in companies have an important responsibility, but unfortunately they don’t have the authority. And they’re expected to do great things for the business. They’re expected to protect the business. They’re expected to create processes to mitigate or eradicate risks. They’re expected to implement things that affect the entire organization. But then they get a lot of pushback because they don’t have the authority to get the buy-in from the people and the company that they need to implement it.

[David Spark] I believe, by the way…I believe it was Gene Spafford of Purdue University, a professor there, who is one of the most quotable people. I’m going to probably butcher this quote. But he has some line that if you are given the risk or the requirements without the authority to change them, start updating your resume.

[Sravish Sridhar] That’s exactly right. And so my perspective is slightly different compared to what Matthias said. I feel like the CISOs should really think of themselves the way the CEO would think about this problem. And ultimately most CISOs I’ve talked to have said, “Look, I’ve got three important things that I’m always thinking about.” One, like Steve said, what do the boards of directors care about. The second is what do my customers care about. Because if I’m not growing the business then my job is not being done correctly. And third, how do I ensure that the employees I have are completely satisfied and happy in doing their jobs. And so if you can frame the discussion of business impact around am I putting the board of directors in a position where they understand what I’m doing and they feel like I’m first and foremost protecting them but also protecting the company… Second, am I doing the things that my customers want me to do so that I can drive revenue and reduce liability. And third, can I do that in a way in which my employees are not going to get ticked off at me and they’re actually going to appreciate the way I’m doing things, and they don’t think of this as a burden. I think it’s a win, win, win.

What should we be measuring?

7:19.030

[David Spark] Grant Yost of VillageMD said, “Don’t overlook quantifiable items given to you.” I like this description. “For example, does your cyber liability policy require an investment to implement a control? Perhaps a premium reduction or the ability to be insured at all is the number you need. Are you in a regulated industry and required to maintain risk assessments and corrective action plans?” So, Steve, this seems like the easiest place to begin. The idea of you’re being told you have to do something to achieve a certain level, number, whatever it is. That’s pretty directly aligned to the business, isn’t it?

[Steve Zalewski] Well, the thought here is the carrot versus the stick. And it’s easy if you have a stick. Audit and compliance, regulatory compliance historically has been, “Here’s the stick that makes you have to do something.” But making me do it does not mean that the business is aligned to the value in doing it. And therefore I’m introducing friction. What I don’t want to be doing is introducing friction. And so it’s what Sravish said, too, which was the people component. It’s so critical that they see the value in what you’re doing to the business that they don’t see it as an imposition. And if you get that right, you can actually impose a fair amount, but they see the value proposition. I always tell people it’s great that you have audit and compliance on your team. That’s an awesome stick. But there’s got to be a carrot component for them to feel like they have a choice in the matter and they have some opportunity to influence that decision to be able to support their business requirements.

[David Spark] All right, Sravish, I think this fits right neatly into the offering with TrustCloud, doesn’t it? Yes? Explain.

[Sravish Sridhar] Our objective at TrustCloud is very simple. We looked at the entire governance risk and compliance industry, and this is an industry that has existed for many, many decades. And the conclusion we came to was it’s still in the stone ages because it’s a pencil and paper exercise. It’s still extremely document driven. And once the document is prepared, it’s put on a shelf. And what most people don’t understand is what is the purpose of the document, what is the value of the document, and what’s the consequence of not adhering to what the document says. And so to build on what Steve said, what we have learned is most employees in an organization actually want to do the right thing, but they struggle to understand why they’re being asked to do something.

And so in terms of measurement, it’s important to start measuring from the bottom up. Which is if you’re asking a person to do something, for example secure your laptop, or make sure that you’re using your keycard when you come in and out of the office, or give consent to get a background check done…Whatever the issue is that you’re asking somebody to do, explain to them in layman’s terms the business impact of that so that they can feel like they’re a custodian of trust for their organization. And if you explain it to them, what we’ve found is most people actually want to do the right thing.

And if you lay it on top of that and bubble it up to how all of those individual actions align with three high level measurements – first, how are you driving revenue to close new deals. Second, how do you reduce liability so that you’re not putting the company in jeopardy. And third, how are you increasing productivity not only for yourself but also for your coworkers so that you’re reducing waste and you’re being a good custodian. And if you tie it to those three things then what you can prove is every individual action as well as your entire security program becomes a profit center. You drive revenue. You reduce liability, increasing productivity. So, you’re transforming security and privacy into a profit center, and you can have a very meaningful discussion with the board, your CEO, and the CFO.

[David Spark] This is what I was saying at the beginning – that you’re very aggressive on this topic. That you hope to get to a point where security professionals can be measured on performance connected to revenue. Is this a space where this could happen? Where could we actually see this happen? And Steve is nodding his head because we’ve asked this question of our community many times before of not seeing security as a cost center.

[Sravish Sridhar] For example I’ve seen many large CISO organizations and mature companies now have a dedicated department either called field security or customer assurance. And they have professionals whose job is to answer security questionnaires. I really feel sorry for those professionals because I think friends don’t send friends security questionnaires, and security questionnaires should be abolished. But I’m going to leave my baggage outside this podcast. But that’s what they do. They help support the sales team by answering security assessments. And if the security leader can show that the security program is helping accelerate revenue or even generate revenue and the controls I have are because my customers and prospects are asking for it, that’s an immediate way to show and measure the revenue generating aspect of your security and compliance program. Very simple, but nobody is doing it.

Sponsor – TrustCloud

13:07.241

[David Spark] All right, before we go on any further I do want to mention our sponsor, TrustCloud. That is Sravish’s company. So, does your team spend too much time on security questionnaires? The thing that Sravish was just mentioning. Friends don’t send friends security questionnaires. I have to agree with that. Well, TrustCloud is the fastest way to pass security reviews from Fortune 500 companies like Visa, Wells Fargo, GE, and Deloitte. TrustCloud is the only product that includes both a security portal to publicly display your compliance program with an AI powered security questionnaire response engine. With TrustCloud, you spend less time on security reviews, and you speed up the sales process. That’s where security can kind of connect to revenue. Right?

So, TrustCloud creates a trust portal so you can share your compliance posture on your website. By connecting to your security program, there’s no need to manage a static knowledge base or work with a clunky RFP tool. By proactively sharing your compliance posture, you can reduce the number of questionnaires you receive. And robust admin controls allow you to easily customize the content that each user can access with documented permissions, company data rooms, and an embedded NDA process. When you do receive a questionnaire, TrustCloud’s AI powered automation helps you complete them faster than ever.

So, those are the people who are not your friends. But simply import a questionnaire, and their AI will make smart suggestions based on your previous replies and current security program, answering over half of the typical questionnaire. So, TrustCloud reduces the cost and time required to get audit ready and pass security reviews. Visit trustcloud.ai/cisoseries and connect with one of their specialists today. Learn how they can help you save time, resources, and win deals faster. Once again, that’s trustcloud.ai/cisoseries.

How do we go about measuring the risk?

15:09.152

[David Spark] Jonny T. of Jonny Tyres Limited said, “Business risks, as you know, basically boil down to can it affect our revenue, can it affect our compliance regulatory legal standing, and does it affect delivery of the services our customers care about.” And Chris Hyatt of risk3sixty said, “Security can help align to business objectives in three ways. Risk management, reduce the risk of incidents; cost/complexity reduction, ease your compliance, reduce friction with engineering, optimizing IT. And third, revenue generation/customer trust, security certification, secure B2B integration, security requirements, and contracts. These almost align directly to the business,” said Christian. Steve, this seems like a good place to start like, all right, is it important, does this align to some business objective. Looking at this list would be a good place to start, yes?

[Steve Zalewski] Yes. And I want to introduce efficiency versus effectiveness. Because when you’re looking at the business value… And Sravish was referencing this earlier. Which was if I’m looking at the business, I want to generate more revenue, or I need to protect my brand. I need to protect the consumer data that I have. Those ultimately are the two biggest ways that I can effectively do more. But what you’re also realizing is that’s effectiveness. There’s an efficiency. Vendor security assessments, the vendor questionnaires, the SOC audits, SOC 2, whatever you want to do… There’s this huge middle ground about how do you demonstrate that the customer can trust you, the vendor. That your security controls are sufficient. That they can trust you because they are putting their company at risk in buying your product. They’re a part of your risk management.

And so this is the efficiency part, which was as a vendor how can I put all that documentation in a trusted place in a brokerage that I can share this in order to allow my security team to be very efficient at answering these questions over and over again to be able to enable the effectiveness of sell more jeans because I’m protecting my brand or I am basically delivering high quality capabilities so the likelihood of breach is low. That’s what we’re really talking about here is those concepts and those foundational ways of doing this.

And so why I like this is that’s how you go about measuring it. There’s no right answer. But every measurement now is moving back to the business, to you’re having a business perspective as opposed to, “Oh, only 80% of my people have multi-factor authentication enabled, and I want to have 100% zero trust in my environment. So, how do I get the other 20% on MFA?” That conversation is still relevant, but it’s becoming less and less important as we’re understanding the business risk where security is necessary to sell the product if you’re a SaaS vendor. Or if you’re Fortune 500 where I was, where I needed to be able to have good enough trust in all these vendors that I would put them in front of my selling process. Meaning to sell jeans or to protect the consumer data. And that’s what I…when we were asking this question and having these conversations is the realization that more and more that’s becoming top of mind. We are maturing as a security practice to realize what that business conversation looks like and how to have it.

[David Spark] Sravish?

[Sravish Sridhar] I wholeheartedly agree with everything Steve said.

[David Spark] Yeah, he was nodding his head the whole time.

[Sravish Sridhar] I’m going to add to that where the geek in me is going to provide an enhancement to what Steve said, which is I’ve seen lots and lots of risk registers, and this is the state of the art in measuring risk, which is the question – how do you measure risk. And every risk register that I’ve seen is mostly either a spreadsheet, or it’s a spreadsheet on a SaaS website. And a lot of the work is done manually by humans, and it reminds me of going to a doctor’s office and sitting down at the waiting room and filling out an intake form where I say that I have a six-pack, and I weigh 150 pounds, and I don’t smoke, and I don’t drink, and I sleep ten hours a day, and I’m a perfect human being. And then I go into the doctor’s room, and they take a blood test. And they ask me to run on a treadmill, and they decide that I’m overweight, and I might have serious health issues.

And the layer I want to add to what Steve said is risk assessment needs to be enhanced and transformed to become programmatic. We’re relying too much on documents. We’re relying too much on spreadsheets, and we’re relying too much on manual assessments where a lot of people who are doing the assessments are not doing them well. And we’re basing the entire risk profile of a decision based on an ineffective process. So, the objective needs to be how do you build a risk assessment process where you’re measuring it with APIs or you’re measuring using programs rather than primarily doing it with humans. I’m not saying the humans should not be involved. There needs to be human oversight and judgement. But the data coming into the process needs to be programmatic.

[Steve Zalewski] I agree. I’m going to add another on top of this because now we’re getting to the heart of it. This is the… We’re going to call the baby ugly without identifying the parents. Which is everybody understands that vendor security assessments and SOC or GDPR, whatever you’re doing, are all good, best efforts in a very immature market. We can’t agree on what risk measurement looks like yet. We have a set of frameworks. We have questionnaires. We have all these ways based on verticals to try to do some measurement, but we’re years away from actually being mature to understand how we can do it when we’re all willing to trust the output of whatever the programmatic input is. Okay? So, all you ever hear with security practitioners on both sides, whether you’re the vendor or whether you’re the client is, “I hate the vendor security assessment.”

We know that they’re not really valid. They are an indicator at best. We all know that a SOC 2 Type 2 is okay. Or pick the one that you want. I just picked that one. A PCI. They’re indicators, but they’re not absolute. And it still comes back to… And there’s no independent brokerage to be able to know this. So, here we are saying it’s stupid, and yet what do we then do to each other? We send vendor security assessments. Or we go, “Well, the SOC 2 Type 2 is okay, but it’s not good enough.” We’re not figuring out what is good enough. We’re not all acknowledging this. And yet from a business perspective then working with each other to go, “Well, what’s good enough? Let’s slow down. From both sides of the equation, let’s acknowledge that problem and why,” to your point about the business maturity. And now knowing that, what can we do to lower the friction for the effectiveness and the efficiency.

[Sravish Sridhar] And, Steve, like you said, there’s an indication. But the problem with all of those examples you gave, which is security questionnaires, or SOC 2s, or PCI, is it’s an indication at a point in time. By the time you send me your SOC 2 report I guarantee you you’re not complying with X%. Whatever X is, you’re not complying with X% of what the auditor saw. And that’s part of the problem right now is that there is no continuous, and real time, and trustworthy way to measure trust. And if somebody can solve that, we’re going to be in a much better place.

Whose issue is this?

23:58.419

[David Spark] Jim Rutt of the Dana Foundation says, “Achieving fluency in your organization’s key financial reporting and learning to tie controls there wherever possible makes it easy for the CFO and COO types to understand where controls are relevant and how risk management is applied directly.” And Daniel Luechtefeld of AlgoSec said, “When I began my mentee journey towards CISO I did not select a CISO as my first mentor. I selected a CFO. I stand by this choice. I have learned the hard way that not only must infosec investments be tied to financial KPIs, they must be tied to specific KPIs that the CFO weights most heavily. They must meet the CFO’s mental frame. Any other approach leads to slashed budget and loss of infosec staff.” Sravish, I have yet to hear someone have a CFO as a mentor. I love that idea. What do you think?

[Sravish Sridhar] It makes total sense to me. Before I started becoming…even thinking of being a CEO, I had chief revenue officers and VPs of sales as my mentors because I knew that if you’re going to be a great CEO you need to be a great sales person. Because being a CEO is a sales job. And I think that in the CISO world, aligning yourself and being thoughtful about what drives both the top line and the bottom line from a financial perspective is important insight to have, and it makes sense to have a CFO as your mentor but also it makes sense to really think about the importance and prioritization of your security and privacy program from a financial perspective.

[David Spark] Steve, have you ever had a CFO as a mentor to you?

[Steve Zalewski] I haven’t had a CFO as a mentor, but I’ve definitely had them as a task master.

[David Spark] Had you had them as a mentor maybe they would have been less of a task master to you. Yes, no?

[Steve Zalewski] So, here’s what I would say, too. Which is I’ve been in this industry for a long time. And it’s only in the last three to four years that CFOs and CISOs are realizing that they have to work together. CISOs historically are technologists under the CIO. They do measurement based on technical efficiency, not on business effectiveness. And so the beauty for Jim and Daniel is acknowledging now that we as CISOs are starting to realize how to have that financial conversation with the CFO, not to come in and say, “We’re at high risk, and I need another hundred thousand dollars and five people.” But to come in and simply say, “What are the key KPIs for this company? Where in the lines of business is that? What does the business impact analysis look like,” so that I’m able to map the value proposition of the security organization against the business value proposition for the company. So, we’re speaking like CEOs. That’s why CFOs now are good mentors, but it also means the CISO is ready to have that mentorship. They understand it’s important because they’re also realizing how they want to have the conversation with the CFO to have a cyber security business risk conversation.

Closing

27:27.771

[David Spark] Good point. And that’s where we will wrap it up. Now I will quickly ask the two of you, tell me which quote was your favorite and why. Sravish, I begin with you.

[Sravish Sridhar] My favorite quote was Jonny T.’s quote. Partly because his name is Jonny T., and he’s from Jonny Tyres Limited, and I’m very, very curious to meet this person and understand the background of the name of the company. But I think he nailed it really well when he said that business risks do boil down to three very simple things – revenue, the impact on compliance or regulatory standing, and does it affect your customers in any way. And it’s a really nice framework to think about it.

[David Spark] Yeah, that simply sums up everything. We got lots of great quotes here that took us down different paths, but that did sum it up nicely. Steve, your favorite quote, and why.

[Steve Zalewski] Well, I have to go back to Robert Vitelli from AArete, “My job is not to help you sell more jeans. It’s to ensure that you continue to sell jeans. Selling jeans is the marketing and sales department.” I would argue that the conversation we had today is a great understanding where from that perspective it’s actually blended. That it’s not the marketing and sales departments’ responsibility only to sell more jeans. That we actually have a role to close those deals. And so therefore I want to come back to that for people to realize the simple question of how do I sell more jeans really incorporates all of those facets.

[David Spark] Good point. All right, I want to thank your company, TrustCloud. That’s trustcloud.ai/cisoseries. Go check them out. Sravish, anything else you want to offer or suggest to our audience?

[Sravish Sridhar] The last thing I’d like to say is that everybody in the audience should really think about how do you take governance risk and compliance for the entire field of GRC, and how do you transform it into something that’s going to impact your business positively. And most importantly, go to your GRC team and give them a hug. I found that GRC professionals are kind of the Miltons in the movie “Office Space.” They are really, really important to an organization, but very few people understand why. So, go to your GRC professional, give them a hug, and give them better products and tools to become trust champions for their business.

[David Spark] By the way, if you have a sexual harassment policy at your company, you might want to back off on that. But…

[Laughter]

[David Spark] Because we do not want any phone calls or emails saying, “Well, the CISO Series told us to hug you. Don’t blame me.”

[Steve Zalewski] [Laughs] I love it. Well, either that or go to the CFO and say, “I need you to take my GRC team out to lunch.”

[Sravish Sridhar] There we go.

[David Spark] All right, everybody. Thank you so much for your contributions and for listening to Defense in Depth.

[Voiceover] We’ve reached the end of Defense in Depth. Make sure to subscribe so you don’t miss yet another hot topic in cyber security. This show thrives on your contributions. Please write a review. Leave a comment on LinkedIn or on our site, cisoseries.com, where you’ll also see plenty of ways to participate including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at david@cisoseries.com. Thank you for listening to Defense in Depth.

David Spark
David Spark is the founder of CISO Series where he produces and co-hosts many of the shows. Spark is a veteran tech journalist having appeared in dozens of media outlets for almost three decades.