Enough Gut Feelings and Splashy Headlines—Give the Board Metrics

Information security isn’t just about gathering data, analyzing it and plugging vulnerabilities in order to protect the company. It’s also about communicating.

Communication is central to what Balbix offers its customers. And a perfect example is the emphasis it places on communicating with the board of directors.

In a recent briefing for TAG Cyber analysts, Chief Marketing Officer Rich Campagna started right there. Way too much of the talk about cybersecurity is based on gut feelings and splashy headlines, he said. That’s not what the board needs to hear. It won’t help them prioritize their efforts, and it’s not the language they speak. They want metrics that quantify the risks.

He offered an example. A huge semiconductor company was worried about a bug in Firefox, Campagna recalled. It was described as a critical vulnerability, and the company was gearing up to muster a large team to undertake the fix. That’s when security delivered more information. It turned out that 90 percent of the company’s Firefox browsers hadn’t even been opened during the previous three months. Suddenly the big job wasn’t so big. Or so pressing. Maybe the resolution was to remove an asset that wasn’t very important.

That’s what the Balbix platform can do, Campagna explained. It helps a company assess problems and the extent of the exposure. And then use that information to craft and prioritize appropriate solutions. That works a lot better than opting for “the latest and greatest” solution, or tackling the perceived largest vulnerability, he said. They may not even be relevant to your industry.

Balbix, based in San Jose, was founded in 2015 on the premise that the scope of cyber is too massive for humans to tackle alone. Much of the work was still manual, Campagna said, and the company was convinced it had to be automated to be able to help a business predict where breaches were likely to happen.

Artificial intelligence was the key. It’s what companies needed to discern the risks, quantify vulnerabilities and identify weak spots. A board doesn’t want promises or reassurances. When it has questions for the security team, it wants answers—answers to questions like: Where are our greatest risks? How large are they? Which areas should we prioritize? And can you tell us a month from now what progress you’ve made?

When Campagna turned to the platform itself, he reviewed the metrics that explain how it works. But there’s no abstruse formula that you have to be a physics major to understand. It’s all plain English. Risk = Likelihood (of a breach) × Impact (of a breach). He then defined the two terms. Likelihood is a combination of threats, vulnerabilities, exposure and mitigating controls. Impact is based on the business criticality of the asset targeted.
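To make the Risk = Likelihood × Impact idea concrete, and to show how the Firefox example above falls out of it, here is a small added illustration. It is not Balbix’s code or scoring model; the weights, the 90-day “stale” threshold, the asset attributes and the sample fleet are all assumptions constructed for this example. Likelihood is built from the four ingredients Campagna named (threat, vulnerability, exposure, mitigating controls), impact from business criticality, and the assets are then ranked so that a critical-sounding bug on browsers nobody has opened in months drops out of the queue.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Hypothetical risk-scoring model for illustration only (not Balbix's).
# All numeric ranges and weights below are assumptions.

@dataclass
class Asset:
    name: str
    criticality: int             # 1..5 business criticality (drives impact)
    vuln_severity: float         # 0..1, e.g. CVSS base score / 10
    threat: float                # 0..1, how actively the weakness is being exploited
    internet_facing: bool        # reachable from outside the network?
    last_used: date              # last time the software was actually run
    control_effectiveness: float # 0..1 share of attack paths blocked by mitigating controls

STALE_AFTER = timedelta(days=90)  # assumed: unused for 90 days -> not part of the live attack surface
TODAY = date(2024, 1, 31)         # constructed reference date

def exposure(asset: Asset, today: date) -> float:
    """Software not opened in the stale window contributes no exposure (the Firefox case)."""
    if today - asset.last_used > STALE_AFTER:
        return 0.0
    return 1.0 if asset.internet_facing else 0.5

def likelihood(asset: Asset, today: date) -> float:
    """Threats x vulnerabilities x exposure, reduced by mitigating controls."""
    return (asset.threat * asset.vuln_severity * exposure(asset, today)
            * (1.0 - asset.control_effectiveness))

def impact(asset: Asset) -> float:
    """Impact scales with business criticality, normalised to 0..1."""
    return asset.criticality / 5.0

def risk(asset: Asset, today: date) -> float:
    return likelihood(asset, today) * impact(asset)

def prioritize(assets: list[Asset], today: date) -> list[Asset]:
    """Highest-risk assets first: this is the ordering a team would work through."""
    return sorted(assets, key=lambda a: risk(a, today), reverse=True)

def actionable(assets: list[Asset], today: date) -> list[Asset]:
    """Only assets that carry non-zero risk need a fix right now."""
    return [a for a in prioritize(assets, today) if risk(a, today) > 0.0]

def build_sample_fleet(today: date) -> list[Asset]:
    """Constructed sample: ten Firefox installs, nine of them idle for months, plus one database."""
    fleet = [Asset("firefox-ws01", 2, 0.9, 0.7, True, today - timedelta(days=6), 0.2)]
    fleet += [Asset(f"firefox-ws{n:02d}", 2, 0.9, 0.7, True, date(2023, 9, 1), 0.2)
              for n in range(2, 11)]
    fleet.append(Asset("payroll-db", 5, 0.6, 0.5, False, today, 0.0))
    return fleet

if __name__ == "__main__":
    fleet = build_sample_fleet(TODAY)
    for a in prioritize(fleet, TODAY):
        print(f"{a.name:14s} risk={risk(a, TODAY):.4f}")
    print(f"{len(actionable(fleet, TODAY))} of {len(fleet)} assets need work now")
```

Run as-is, the ranking puts the one actively used Firefox install first, the payroll database second, and the nine idle browsers at zero risk, so the “critical” browser bug turns into one workstation to patch rather than a fleet-wide project; the list of actionable assets is exactly the kind of prioritized task list a board can be shown with a number attached.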

The platform builds risk profiles that begin with an analysis of the company’s attack surface. How does the software prepare such an analysis? Campagna shared a slide: “Balbix continuously observes your extended enterprise network inside-out and outside-in, to discover the attack surface and analyze the hundreds of millions (or more) of data points that impact your risk.”

The data is obviously different for different companies. Plus some companies are not looking for one big solution, Campagna said. They may want to customize their approach for each business unit. That’s one reason Balbix doesn’t lock customers into the platform’s presets. They can avail themselves of the software’s flexibility.

Take lawyers, he continued. In-house lawyers may be most concerned about data related to their companies’ intellectual property, or data that is most heavily regulated. Law firms may want to be sure they have taken every precaution to protect their client data. Some firms and law departments may have catching up to do. They may not have established their priorities. They may not be sure where their critical data resides.

One of the things that Balbix clients really like, Campagna said, is “we give them, as soon as they turn on the product, an understanding of the assets on their network.” And that’s often something they’d never had before.

At the end of the briefing, Campagna cited three big benefits customers get.

  • Risk insights they can use to protect their data.
  • Prioritized security tasks that demand immediate attention, like unpatched software.
  • Information that the CISO can communicate to the board of directors and management—in language they can understand.

And if you think that last item is no big deal, the Ponemon Institute found in a recent survey that only 9 percent of security teams felt that they were highly effective communicating security risks to their boards and C-suite colleagues. That leaves a lot of room for improvement.