CISO Shares Top Strategies to Communicate Security's Value to the Biz

Published: 23/11/2024   Category: security




In a keynote address at Black Hat Asia in Singapore this week, CISO and former NASA security engineer George Do discussed his go-to model for measuring security effectiveness – and getting others in the organization to listen.



BLACK HAT ASIA 2022 – When it comes to demonstrating the value of cybersecurity to a business, one of the biggest challenges is communicating ROI to the C-suite. The entrenched perception of security as an obstacle to productivity and other areas makes it very difficult for security engineers and nontechnical management to be on the same page.

During a keynote at Black Hat Asia this week, George Do, CISO at Gojek and GoTo Financial and former cyber-pro at NASA, tackled the problem of how to encourage security to be viewed as a valued part of the business for all departments, not just the CISO's office. It starts, he said, with quantifying that security effectively.

"All your investments into security, all of your hiring, all your projects, all of the blood, sweat, and tears that security staff puts into the trenches – does any of it matter? Is it meaningful?" he asked during the presentation, entitled "Moving the Security Needle From the Security Trenches to the Boardroom." "You have to be able to answer that and show why."
Communications Breakdown

Security teams often have an uphill battle internally because of a lack of communication between departments. Take, for instance, the common misconception among average workers that security is there to make everyone's lives harder. Do referred to it as "ivory tower security," where the security apparatus appears to everyone else to be removed and prone to delivering a litany of "no's."

"Many of our organizations view the security team as a technical obstacle," Do said. "We are CIS-NOs, right? They think we sometimes do things in a vacuum, that we don't understand the impact of the business or at least understand, you know, the pain points the business is having. There's mistrust of the security team."

He added, "The more processes and the more gates that we set up slow down the business and add friction. We often don't weigh that heavily enough in our selection of how we're going to design something."

Another communication pitfall exists between the CISO, the CIO, and the CTO. All are often dragged into the boardroom together without being on the same page, which can create the possibility for adversarial or competitive relationships. But it's vitally important for CISOs to recognize the other tech-related leaders as partners and stakeholders, Do said.

"It's not for the CISO to say, 'Hey, CIO and CTO, these are all the bad things that are going on in your organization. You need to go fix it,'" he explained. "The better idea is to partner on a presentation together to present to the board, so whatever problems we call out, there's a plan of attack, and we can communicate on how we're doing against that plan of attack."

Another important strategy is to remind board members that they have skin in the game.

"Board members have what they call fiduciary duty, meaning that if the organization gets hacked or compromised and it's found that the board members were not focusing on that risk area for the organization, they can be held liable," Do said.

Do encouraged audience members to consider the overhead with every security addition or program.

"Each logo you add to your security program will add a bit of technical debt," he explained. "You have to consider the cost to set up new processes, the man-hours, the impact on the business, [and] the cost of the product itself."
5 Key Tips for Communicating Security Effectiveness

Do also laid out a five-pronged blueprint for communicating the importance of security programs to the entire business, and how to quantify ROI.

1. Know your audience:
When trying to communicate security results, it's important to use language that board members and business leaders can understand, Do pointed out. That includes using simple rules of thumb, such as avoiding jargon and acronyms.

It's also critical to understand that different stakeholders have different lenses. Security engineers may look at the number of attacks that were blocked by the firewall as a measure of success, while infosec managers and directors would rather know about the successful attacks and whether the systems were able to detect and respond to those attacks. Meanwhile, CISOs would be interested in finding out what could be done to prevent further breaches, while the CEO and board might be more interested in whether the organization lost money, suffered downtime, or ended up with legal liability or brand and reputation damage.

"These are all very different questions, all equally important," Do said.

2. Don't start with metrics:
It may seem counterintuitive, Do said, but it's important to start with the business objectives when framing security effectiveness.

"You may be a hospital, a government agency, a commercial company; whatever you are, you have business objectives, so start with that," Do advised. "This is how we generate revenue. This is what we're providing to the industry. What are the cyber-risks to that business, given whether or not you're in the cloud, your user base, your customer base? Understanding this will inform you what the metrics should be."

3. Be quantitative:
Once the metrics are defined, an organization's security road map should be aligned. That means investment in all of the projects, the products, the labor, the processes, and so on must be in service to meeting those metrics.

"The metrics should be public information, so every single team in the company knows what your goals are and that it's been signed off on. This isn't something security is cooking in the kitchen in a silo," Do noted.

It's important to measure what success means in numbers, not anecdotes or qualitative statements, Do added: "You have to be able to measure it and repeat it."

4. Remember that security is a team effort:
Do pointed out that all too often, security teams take an us-against-the-world attitude – but in reality everyone has ownership in security processes, and that should be communicated as such, with clear responsibilities and roles for security in every department.

"Even areas like the procurement team may need to own some part of security processes, for instance," Do said. "Literally it takes a village to secure an organization, not just a security team. And in recognizing that, you can avoid the confusion over who's responsible, who's accountable, who's consulted, and who's informed. It's critically important because it sets the expectations upfront with your stakeholders on who owns what."

5. Pair empowerment with accountability:
Once security roles have been determined and it's clear who's accountable for what, it's important to also empower those individuals.

"Empowered means, do I have the authority to achieve my objective of, say, patching, for example? Do I have the budget? Do I have the processes in place? Do I have the people to achieve what I'm accountable for?" Do explained.

To wrap up, Do cautioned security teams to realize that implementing these best practices will be a journey with many obstacles, but that it's important to persevere.

"Always without exception all of us are dealing with some level of challenges in this paradigm, meaning the measuring of security, and how do we communicate to our board, our leadership, our owners, our shareholders, that we're moving the needle with security?" he said.

Do added, "Some organizations can turn on a dime; they can go to this model quickly. Others will take a year or more because of bureaucracy, politics, processes, whatever. But I would say don't let that detract you from pushing toward this model."
