An Experienced CISO’s Take on Solving the Data-to-Decisions Gap
April 23, 2023
Guest post from Emily Heath, Avalor Board Member and former Chief Trust and Security Officer at DocuSign.
By Emily Heath, Avalor Board Member, General Partner at Cyberstarts, former Chief Trust and Security Officer at DocuSign
As someone who has worked as a CISO presenting to boards of directors and now as a board member on the other side of the table, I’ve experienced first-hand the “data disconnect” between security and the business. As a CISO, I always wanted to present the most accurate picture of the company’s risk exposure — and relied on data from my security tools to help me do that. As a board member, I want security leaders to paint a clear, concise picture of where the risks are and what we are doing to mitigate them, without a lot of extraneous data points in the mix. Both roles need to be able to rely on useful, clean data to make important decisions about securing the company’s most vital assets. But that’s often easier said than done.
CISOs manage multiple security solutions, create dozens of datastreams, and generate dashboards, reports, and all kinds of other output that enable them to build a picture of their security posture and manage their risk. So it seems they would have enough data and metrics to quantify risk for their leadership and help drive business outcomes. Why, then, is it so hard to connect data to decisions?
I do understand the challenge. As the former CISO of United Airlines and Chief Trust and Security Officer at DocuSign, I was responsible for using data from my multi-solution security stack to prioritize work for my teams and present a clear picture of risks to my board. The process was always painstaking and unwieldy, despite the breadth of data available to me from which to construct a clear, actionable story around our business risks.
That’s because when it comes to data, more isn’t necessarily more. In fact, when data is inaccessible, duplicative, imprecise, or disconnected, it can often get in the way of decision making — particularly in security. Here’s why.
Everything, Everywhere, All at Once
CISOs are dot connectors. A big part of their job is to make sure teams are communicating and sharing vital information regularly. How can they do that when people already have too much to keep track of, especially in security, which is understaffed in most organizations?
Meanwhile, data is constantly being generated by a plethora of tools (not just security tools: think marketing, HR and more), and they all ooze data. So while the tech stack has grown and spread, with individual functions owning pieces of it, the fact remains that where there is technology, there is data — and so there is risk.
As CISOs work to get a grip on it all, they must influence engineering teams to prioritize their needs and work with the findings generated by their tools. This is never easy. With data coming from all over the place — from Syslogs to SIEM and everything in between — engineers are often skeptical when asked to rely on data from one source or the other. This dynamic creates “data distrust” which can block progress. And in security, time is of the essence.
With all of this going on, how can a CISO possibly see everything, understand what the data is saying, and then use that to make intelligent decisions? Or, to get back where we started, to inform their leadership of the real risks to the business?
As someone who has struggled with the challenge repeatedly, I believe the solution is a single source of truth for security data.
You had me at “Data Fabric”
When I learned what the founders of Avalor envisioned as a data solution for security, suffice it to say I was pretty excited. I finally felt understood — they had figured out what CISOs and security teams need to make sense of data and become more operationally efficient. I only wish their solution had been available to me back when I was asking my team to pull together spreadsheets of data from disparate datasets, so we could effectively manage our security program and focus on the risks that matter most. That was never a popular request.
What Avalor is doing goes far beyond data consolidation. They have created a data fabric solution that actually helps security teams understand if they are being successful, and where they may need to invest more or scale back. And by building a data fabric for security and integrating data from everywhere — legacy systems, data warehouses, databases and more — they are connecting and curating data at different levels, for different audiences and purposes.
Avalor’s single source of truth approach is, in my view, a giant leap forward in the quest to connect data and security so that leaders can make better business decisions and build trust across teams.
You can take my word for it or better yet, schedule a demo. Once you see the Avalor Data Fabric for Security live, I’m confident that, like me, you’ll never look at data the same way again.