How 'Security Scorecards' Advance Security, Reduce Risk

CISO Josh Koplik offers practical advice about bridging the gap between security and business goals in a consumer-facing media and Internet company.

Bishop Fox’s Vincent Liu sat down recently with Josh Koplik, IAC chief information security officer, in a wide-ranging conversation about the all-too-common schism between business and security objectives, his innovative security scorecard, and why strong security will never be a strategic marketing asset for business. We excerpt highlights below. You can read the full text here.

Fourth in a series of interviews with cybersecurity experts by cybersecurity experts.

Vincent Liu: Why do business and security people think differently about risk?

Josh Koplik: Understanding what makes a system secure is easy because it’s a technical problem. Deciding whether or not that’s worth doing from a business standpoint is more complicated. A lot of security people assume that security initiatives are always worth pursuing. If it takes zero resources – no time, no money, no anything – of course you’d do it. Every security improvement comes with a cost, and those costs are not always apparent or worth bearing. 

VL: What do you, as a security professional, wish business people understood?

JK: I don’t think a lot of business people consider the cost of security events. The impression is that these breaches cost outrageous amounts of money, but I don’t think that’s the case. Even in the most high-profile examples, if you look at the breach costs as percentage of annual revenue or some metric that takes into account the size of the target to begin with, it’s not that bad. I also think breaches, in terms of real impact, get overstated as far as reputational impact is concerned.

VL: Are there times when you as a security executive would consciously accept risk?

JK: Security people would do well to accept risk, have a process for accepting risk, and make their business colleagues comfortable with accepting risk or paying for mitigation.

If we have this business that is under-performing, it’s easy to look at the balance sheet of that business and know whether spending $100,000 on a pentest is worth doing. This is one place where CISOs can run into trouble.

Once you get to the point where you are no longer under a CIO, you’re no longer part of a technology organization, and you’re having regular conversations with your CFO, your CIO, with your heads of your business lines, those conversations become easier. Your CFO may not understand stack overflows and intrusion prevention systems, but he knows numbers. So you can say, “Here’s a thing. On a scale of 1 to 10 in terms of importance, I give it a 7. And it costs $150,000.”

VL: Tell us about your security scorecard? Do you actually give out grades?

JK: I use people’s inherent competitive nature in this situation. I issue grades, which makes people work harder so they can beat the other guy.

VL: What does it look like and how does it work?

Source: IAC

Source: IAC

JK: Basically, businesses are listed down the left side. Then, security domains are listed at the top. In each little box, there is a letter grade and corresponding color code. Bs are green, Cs are yellow, Ds are red, and that’s it! That’s the scorecard.

Behind the scenes, there’s criteria; in other words, it’s descriptive. To earn an A in vulnerability management, you have to do this series of things. It’s not long, you can read the criteria for the entire seven domains in fifteen minutes. The grade levels are slightly different-worded versions of the same thing. Whereas a B might state “most,” a C will state “some.” There is enough room for interpretation that you can wiggle between grade levels, but not enough room that things look fake. It’s an A, B, C, D scale; there is no such thing as an A-. I have enough trouble differentiating between B and C as is. ABCD I can describe well. 

Because it’s simple, people at the executive level can understand it at a glance. You can easily present this to a CEO. If a business wants to grow, they will want to do something about poor grades. However, if you go to a struggling business with a bunch of Ds, they’ll shrug and say, “That is the least of our problems. We don’t have any revenue.”

VL: When I spoke to Rich Seiersen at GE Healthcare he said that some things are unnecessary because they don’t progress the conversation. Instead, they end up wasting time and detracting value. What you’re really doing with these scorecards is trying to drive change or to start a conversation, isn’t it? 

JK: Grades don’t make you more secure; they need to reflect practices that you are doing that actually make you more secure. They define what those things are and whether or not they are being done. You need to trace anything you are measuring back to on-the-ground activities that improve security. If you can’t, I question what you are measuring. 

VL: Are there downsides to your scorecard? (Continues on page 2.)

Vincent Liu (CISSP) is a Partner at Bishop Fox, a cyber security consulting firm providing services to the Fortune 500, global financial institutions, and high-tech startups. In this role, he oversees firm management, client matters, and strategy consulting. Vincent is a … View Full Bio

Previous

1 of 2

Next

More Insights