Cyber Security Teams: How To Measure Results, Secure Budget, and Avoid Stress
Thus, it is not surprising that many CISOs suffer from burnout, with the average tenure in the role lasting approximately 18 months, and that stress and mental illness are growing issues.
Thycotic has spent the past year reaching out to IT security leaders around the world to find out how they feel they are perceived in their roles, how they measure success, what motivates employees, how to be successful at getting security budget and, most importantly, how to avoid the stress that can lead to burnout.
Most recently, Thycotic sponsored research conducted in August 2019 with more than 550 IT decision makers across the globe, including the US, UK, Germany, Australia and New Zealand, to reveal an insider's view of how cyber security executives are managing the unique demands of their jobs. The increased stress and pressure facing the average CISO is having a significant impact on both their professional and personal lives. Perhaps in no other executive role are the challenges so difficult to articulate and anticipate, or the stakes so high.
thycotic.com | sales@thycotic.com
Key Takeaways and Findings
#1 Security leaders and their teams need to go beyond technology-centric performance measures and correlate
their metrics to business success. This will help overcome the lack of skilled resources and limited budgets
facing many CISOs.
Being valued by the company and meeting performance targets set by the board are the top definitions of success, while a lack of skilled team resources is most likely to act as a barrier to achieving such success.
#2 Using metrics to demonstrate the broader business value of cyber security initiatives is the surest path to
securing an appropriate budget. Satisfying compliance requirements and stopping threats is not enough;
becoming a business enabler is the secret.
#3 CISOs need to cultivate leadership skills that emphasize communication and motivation. Inspiring your own
team as well as all employees can help to minimize stress and burnout in the workplace.
42% say the most stressful aspect of their job is meeting the growing number of compliance and regulatory demands.
45% say the biggest challenge for retaining cyber security team members is burnout/stress from long work hours and pressure, followed by lack of support from senior leaders (40%).
Feeling important as the 'business bodyguard' is considered the most important motivator for employees, while enjoying your job and being able to provide for your family are also key.
Key Takeaway #1
However, attitudes are changing. More and more CISOs are measuring success in terms of how they add value to the business and meet performance targets set by the board. Cyber security teams are thus striving to become an enabler of the business rather than just a costly requirement, which makes it essential that cyber security is aligned to overall business goals.
Survey Results
Being valued by the company and meeting performance targets set by the board are the top definitions of success, while the lack of a skilled team is most likely to create a barrier to achieving success.
Here’s how IT cyber security execs around the world define success.
In the current climate, which of the following best describes what 'success' looks like for you?
27% Knowing that 'nothing bad happens' / that there are no major security incidents or downtime
Global variations among security teams in defining "success" (top three answers per surveyed country; the country headings did not survive in this copy)
Column 1: 1. Being valued by the company (45%); 2. Meeting performance targets set by the Board (42%); 3. Just keeping everything running smoothly (36%)
Column 2: 1. Just keeping everything running smoothly (48%); 2. Being valued by the company (45%); 3. Preventing our organization from being the next 'cyber security incident' headline (38%)
Column 3: 1. Meeting compliance demands (44%); 2. Preventing our organization from being the next 'cyber security incident' headline (43%); 3. Being valued by the company (39%)
Column 4: 1. Meeting performance targets set by the Board (50%); 2. Being valued by the company (45%); 3. Meeting compliance demands (43%)
Column 5: 1. Just keeping everything running smoothly (48%); 2. Achieving consistent pay increases and/or bonuses (42%); 3. Meeting compliance demands (38%)
52% of survey respondents are struggling to align security initiatives to the business goals.
28% don't have a clear view of what the other business departments measure business success on.
In terms of aligning business goals to security strategies, to what extent do you agree with the following statements?
Biggest barriers cyber security execs face in achieving success
CISOs say the lack of skilled resources is the main reason for not meeting targets. CISOs also highlighted security breaches being out of control and a lack of security budget as other top challenges that limit their ability to achieve goals.
These barriers have a significant impact on existing cyber security teams, causing them to work longer hours to
meet the performance targets, resulting in heightened levels of stress and employee burnout.
What barriers would prevent you most from achieving these success(es)?
26% Change within the business out of my control (e.g. M&A, liquidation etc.)
22% Things taking too long to get signed off / long processes
Recommendations
The CISO must invest time listening to the executive board and business peers to learn how they measure the organization's success. The CISO's role must expand beyond simply putting technology in place for the sake of security, to leveraging technology to achieve business goals while ensuring cyber risks are either reduced or eliminated.
By taking a revenue-centric approach, the CISO can convey the value of cyber security in terms that nearly any executive or employee can understand. Articulating, and putting numbers on, how cyber security influences business revenue serves as a powerful value indicator.
Free Resources
The NACD Director's Handbook on Cyber-Risk Oversight is built around five core principles that are applicable to board members of public companies, private companies, and nonprofit organizations of all sizes and in every industry sector.
Communication makes the difference in a successful CISO
The key to overcoming misperceptions due to lack of communication is to start at the top. Security teams will find it
extremely difficult to get most personnel on their side if senior management has not bought into the importance of
security. Most security professionals believe their boards listen to them and consider their input, though many still
have difficulty making a convincing business case for security investments.
CISOs are the most important individuals for establishing a productive dialogue with the board of executives. They
can act as a Rosetta Stone, translating security issues from jargon-laden technical talk into familiar and business-
centric language. By focusing on the company’s objectives and backing up their points with evidence, CISOs can
help the board to understand how cyber security impacts the company’s bottom line as well as its ability to innovate
and grow. Taking a business first approach is the best way to reposition cyber security as a positive enabler.
Key Takeaway #2
Survey Results
How cyber security execs measure their performance
CISOs are in a difficult situation: they need to find a way to prove business value to the executive board and business peers, or fail to get the much-needed funds that will ensure the organization survives cyber-attacks. However, most (45%) have no way of measuring how their security budget and initiatives improve the business, and 30% say it is not even a priority to align security spend to business success.
89% of survey respondents indicate their department has measurable security performance goals/KPIs to meet in the next 12 months.
49% measure the number of security breaches.
Does your department have measurable security performance goals, KPIs or milestones to meet in the next 12 months? If yes, do you measure any of the following?
45% agree they have no way of measuring how previous security initiatives have made a difference to the business overall.
30% agree it's not a priority for them to measure the success of security initiatives once they've been rolled out.
Perhaps most important, failure to meet performance goals or establish business value results in lower budget allocations. According to survey respondents, evidence demonstrating the success of previous initiatives makes the biggest difference to how budget is allocated (48%); however, using metrics to demonstrate the wider business impact is viewed as the most important factor.
When justifying security spend, which of the following make the biggest difference to how budget is allocated?
When justifying security spend, which of the following is the most important?
Missing performance goals also has a major negative impact on the entire cyber security team and its leadership.
When cyber security teams do not meet their targets, it impacts the CEO with longer hours, shareholder pushback, job insecurity and bonus reductions.
Recommendations
One of the best ways to get security budget is to approach cyber security projects or initiatives in the context of revenue protection or return on investment (ROI). Treating cyber security simply as a cost will almost always guarantee a focus on budget cutting rather than proper resource allocation.
A successful CISO will present budget recommendations based on an ROI/revenue-protection mindset, using business language that executive boards understand, so that they can make decisions based on tangible requests that contribute to the business.
Watch how you use metrics
Focus on metrics that demonstrate business impact, such as how much revenue is protected, how much employee time is saved, and how security initiatives improve efficiency and productivity when rolling out new technologies or business services.
Avoid metrics that are presented in technical jargon with little context or analysis, or statistics and measurements that don't genuinely communicate risk. Citing thousands of vulnerabilities and matching patches, providing MTTD and MTTR stats, or counting threats blocked will likely confuse or even mislead your business audience. Such figures remain useful operational measures inside the security team, but presented raw to the board they are "vanity metrics", and that is simply not acceptable for a CISO seeking to persuade fellow executives.
Free Resources
The 20 Worst Metrics in Cybersecurity: www.darkreading.com/edge/theedge/the-20-worst-metrics-in-cybersecurity/b/d-id/1335842
Measuring and Managing Information Risk: A FAIR Approach: www.fairinstitute.org/fair-book
CISO Quick Guide to Access Control and Cyber Security Compliance: https://thycotic.com/resources/global-access-control-cyber-security-compliance/
Express your team's value in terms of quantitative risk scenarios
While much attention has been given to qualitative risk measures such as heat maps, using "low, medium and high" as risk descriptors is meaningless for most executives. The successful CISO spends the time and effort to develop a quantitative number, usually in monetary terms, for real-world cyber security scenarios. The key is to create scenarios based on publicly acknowledged, real-world incidents at organizations comparable to your company's size and revenue, including:
- A data loss scenario where customer information is sold on the dark web
- A privacy failure that results in a substantial fine
- A malicious insider stealing and selling IP
- A ransomware attack that shuts down the finance department
- Reputational damage from a breach that releases confidential information
Once you have done your scenario research, the CISO and cyber security team are in a much better position to articulate the threats their organization faces in the next 12 months, where the gaps in security lie in these scenarios, and what it will cost in money and effort to close those gaps.
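The report recommends replacing "low/medium/high" with a monetary figure per scenario and framing budget requests as ROI or revenue protection, and it points to the FAIR book for the method. The following is an added worked example, not code from the report or from Thycotic, of the simplest FAIR-style model: each scenario gets a calibrated (minimum, most likely, maximum) estimate for loss event frequency and for loss magnitude, a Monte Carlo simulation turns those into an annualised loss expectancy (ALE) and tail percentiles, and a proposed control is valued by the ALE it avoids. The five scenarios mirror the list above, but every number in them is a constructed placeholder, and the Poisson sampler and triangular distributions are modelling choices made here, not prescribed by the report.

```python
"""Quantitative cyber-risk scenarios, FAIR-style, by Monte Carlo simulation.

Added example, not code from the report or from Thycotic. Every estimate
below is a constructed, illustrative placeholder, not survey data.
"""
from __future__ import annotations

import math
import random
from dataclasses import dataclass
from statistics import mean, median, quantiles


@dataclass(frozen=True)
class Scenario:
    """One loss scenario with calibrated (min, most likely, max) estimates."""
    name: str
    lef: tuple[float, float, float]  # loss event frequency: events per year
    lm: tuple[float, float, float]   # loss magnitude per event, in dollars


def tri_mean(est: tuple[float, float, float]) -> float:
    """Mean of a triangular distribution given (min, mode, max)."""
    return sum(est) / 3


def expected_ale(s: Scenario) -> float:
    """Closed-form annualised loss expectancy: E[frequency] * E[magnitude]."""
    return tri_mean(s.lef) * tri_mean(s.lm)


def poisson(rng: random.Random, lam: float) -> int:
    """Knuth's Poisson sampler; adequate for the small event rates used here."""
    limit = math.exp(-lam)
    k, p = 0, rng.random()
    while p > limit:
        k += 1
        p *= rng.random()
    return k


def simulate(s: Scenario, years: int = 20_000, seed: int = 7) -> dict:
    """Simulate `years` independent years and summarise the annual loss."""
    rng = random.Random(seed)
    lo_f, mode_f, hi_f = s.lef
    lo_m, mode_m, hi_m = s.lm
    annual = []
    for _ in range(years):
        rate = rng.triangular(lo_f, hi_f, mode_f)   # uncertainty in the event rate
        events = poisson(rng, rate)                 # how many events hit this year
        annual.append(sum(rng.triangular(lo_m, hi_m, mode_m) for _ in range(events)))
    pct = quantiles(annual, n=100)                  # pct[i-1] is the i-th percentile
    return {
        "ale": mean(annual),                        # expected annual loss
        "median": median(annual),
        "p90": pct[89],
        "p99": pct[98],                             # a roughly 1-in-100-year loss
        "p_any_loss": sum(1 for a in annual if a > 0) / years,
    }


def control_roi(s: Scenario, lef_reduction: float, annual_cost: float, **kw) -> dict:
    """Value a control that cuts the event frequency by `lef_reduction` (0..1).

    ROI is (ALE avoided - annual control cost) / annual control cost, which is
    the revenue-protection framing the report recommends for budget requests.
    """
    after = Scenario(s.name, tuple(x * (1 - lef_reduction) for x in s.lef), s.lm)
    before_ale = simulate(s, **kw)["ale"]
    after_ale = simulate(after, **kw)["ale"]
    avoided = before_ale - after_ale
    return {"before": before_ale, "after": after_ale,
            "avoided": avoided, "roi": (avoided - annual_cost) / annual_cost}


# Constructed scenarios matching the five the report lists; the estimates are
# placeholders a CISO would replace with calibrated internal numbers.
SCENARIOS = [
    Scenario("Customer data sold on the dark web", (0.1, 0.5, 1.5), (50_000, 200_000, 800_000)),
    Scenario("Privacy failure with regulatory fine", (0.05, 0.2, 0.5), (100_000, 500_000, 4_000_000)),
    Scenario("Malicious insider steals IP", (0.02, 0.1, 0.3), (200_000, 1_000_000, 5_000_000)),
    Scenario("Ransomware halts finance department", (0.05, 0.3, 1.0), (100_000, 400_000, 2_000_000)),
    Scenario("Reputational damage from leaked data", (0.05, 0.2, 0.6), (50_000, 300_000, 1_500_000)),
]

if __name__ == "__main__":
    for s in sorted(SCENARIOS, key=expected_ale, reverse=True):
        r = simulate(s)
        print(f"{s.name:40s} ALE ${r['ale']:>12,.0f}  p90 ${r['p90']:>12,.0f}  p99 ${r['p99']:>12,.0f}")
    # Hypothetical privileged-access control estimated to halve insider events at $150k/yr
    print(control_roi(SCENARIOS[2], lef_reduction=0.5, annual_cost=150_000))
```

The ALE is the number to rank scenarios by, and the p90/p99 figures are what to show a board that asks "how bad can a year get"; both are dollar amounts that can be set against the cost of a control, which is the comparison the report says executives actually respond to. Full FAIR decomposes frequency and magnitude further (threat event frequency, vulnerability, primary and secondary loss), so treat this as the entry-level version of the method.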
It is also important to describe compliance with a focus on security and business value rather than the traditional checkbox approach. Meeting audit requirements may get you certified or compliant, but that does not mean you are 100 percent secure. Compliance is usually a snapshot in time, whereas cyber security requires a continuous process of reducing business risk.
Key Takeaway #3
This is a major factor in why the industry is experiencing a shortage of skilled employees: new talent starting their careers often view cyber security as too high-pressure and look for other exciting but less stressful work environments. CISOs must make cyber security an attractive place for new, energetic and diverse talent to bring new ideas and help relieve the pressure on existing professionals.
Survey Results
Here’s what stresses cyber security teams the most
Over 42% say the most stressful aspect of their job is meeting the growing number of compliance and regulatory demands.
33% Long hours and the need for out of hours availability
28% Not able to attract and retain the right staff needed for security roles
1% Other
It is therefore not surprising that one of the biggest challenges for retaining
cyber security team members is burnout / stress from long work hours /
pressure (45%), followed by lack of support from senior leaders (40%).
What are the biggest issues when it comes to retaining team members?
40% Lack of support from senior leaders in how to train, appraise and
develop staff
2% Other
29% say that acting as the 'business bodyguard' is the biggest motivator to "get out of bed in the morning".
25% say that being the 'upholder of ethics' is the biggest motivator.
What gets you out of bed in the morning?
23% Being the 'puzzle master' - the intellectual challenge and pitting my wits against would-be attackers
20% Being an ‘instrument of change’ - I get bored easily and thrive on driving change
Recommendations
It is critical that the CISO and security team find a balance between work and personal life. Business leaders urgently need to ensure the teams have what they need to be successful; sometimes this means more skilled resources, more security budget, and not having to work longer hours to hit targets. Cyber-attacks never sleep, but your CISO and security team surely need to.
The CISO should be the driver for a positive experience
Historically, security has been a negative experience for most employees. When was the last time you heard an employee say how much they loved their antivirus software and how it helps them perform their job? Most employees probably view cyber security as a hindrance rather than a help in accomplishing daily tasks, more likely to slow down their laptop or prevent them from doing their job. It is the CISO's job to lead in making cyber security as positive an experience as possible, especially when it comes to making technology invisible and frictionless in the workplace.
For cyber security teams, make sure that channels of communication are always open, and that workplace flexibility and redundancy are built into work schedules to help avoid burnout. Taking time away from the workplace periodically with staff, such as a monthly luncheon off site, can also help to boost team morale. In all cases, give team members the freedom and respect they deserve to use their skills and judgement in setting priorities and making decisions.
The CISO must integrate security into the corporate culture
The successful CISO needs to make security a fundamental core of the business, and employees must never be afraid to speak out when they see something suspicious. That means promoting a culture in which employees are never afraid to ask for advice or report suspicious activity, even if it was the result of something they clicked on. The earlier an employee reports something, the lower the potential impact and cost to the business.
One way to get broader support from peers and other business managers is to have a companywide cyber security program and culture. Many organizations have created "Cyber Ambassadors" or "Cyber Representatives" to act as cross-departmental advisors who help manage cyber security. Their goal is to establish a "four eyes approach" that ensures someone takes responsibility for identifying suspicious activity and managing security incidents. Ad hoc steering committees led by cyber representatives have also been formed to help determine the risks of implementing new technology solutions.
Know when not to talk about cyber security and be a strong listener
While CISOs must display sufficient technical knowledge, they must also be strong communicators. When they speak with the IT Security Manager and then translate the security needs to the business manager, they need to focus on business risks and how to reduce those risks with a measurable return on investment (ROI). The CISO has to have a clear understanding of the business goals of peers and align to their needs. Security should be viewed as a service to the business, with the executives, business peers and employees regarded as the customers.
Ethics is also a major motivator, especially for CISOs and security team members. A team with access to critical systems and sensitive data that recognizes and highlights ethical and honest behavior will do what is right to protect the integrity of data and privacy.
Conclusion
About the Survey
Research was conducted by Sapio Research in August 2019 among IT decision makers at organizations employing 500+ employees in the following countries: UK (102), Germany (100), US (203), Australia (100), New Zealand (50). At an overall level, results are accurate to ±4.2% at 95% confidence limits, assuming a result of 50%.
About Thycotic
Thycotic is the leading provider of cloud-ready privilege management solutions. Thycotic’s security tools empower over
10,000 organizations, from small businesses to the Fortune 500, to limit privileged account risk, implement least privilege
policies, control applications, and demonstrate compliance. Thycotic makes enterprise-level privilege management accessible
for everyone by eliminating dependency on overly complex security tools and prioritizing productivity, flexibility and control.
Headquartered in Washington, DC, Thycotic operates worldwide with offices in the UK and Australia.