Talk Data to Me: A Former CEO Reveals What They Really Want To Hear From CISOs
May 18, 2023
Doug Merritt, former CEO of Splunk, shares insights on how security leaders can best use data with execs and the board.
The former CEO of Splunk and Avalor Board Member Doug Merritt knows more than most about what it takes for CISOs to influence executives and board members. Here, he shares his insights into how security leaders can use data to their advantage to drive outcomes that work for everyone.
Q. Gartner predicts that by 2025, 50% of cybersecurity leaders will have tried, unsuccessfully, to use cyber risk quantification to drive enterprise decision making. Clearly, CISOs are struggling with data. Specifically, presenting the right data to decision makers. Why do you think this is?
It all starts with the complexity of today’s security landscape. The changes and enhancements in technical architectures over the past few decades, from client/server, to multi-tiered internet architecture to the latest and greatest from the cloud service providers, have been monumental in their capabilities, but also monumental in the dramatic changes to systems design and operations. To keep pace, the cyber community has had to deliver a constant stream of new cyber tools that understand and are optimized for the changes in the underlying technical infrastructure. This pace of change has been awesome, and absolutely relentless.
Of course, each new component needs a way to communicate its state, status, health and other key factors. And, not surprisingly, the cyber vendors don’t natively synchronize with each other. They’re in a constant battle to both progress their offerings, but also, differentiate their solutions from their competitors. Which means that there isn’t much consistency in what needs to be measured, collected, or communicated; or how it’s measured, collected, or communicated. This leaves CISOs with a dense and cluttered landscape - and a massive amount of jumbled data. Data that is hard to understand, much less synthesize and rationalize.
Q. That reality resonates with me. But, CISOs and their teams are still faced with the demands to collect and report on data. How do they manage that task?
There is an abundance of choice on the technical options to find, organize, gather and act on data. Given the importance of data, as well as the demands to interrogate and understand data, the data tools and solutions landscape has been almost as iterative and prolific as the cyber tools landscape. As just one data point, DB Engines now tracks over 20 categories of data stores, (relational, key-value, graph, time series, document, spatial as just some examples) across nearly 400 unique solutions. Complement this with the thousands of tools that surround these data stores and you begin to get a feel for the paradox of choice that most face when it comes to data.
However, the above just represents the data tooling, not what executives are asking for, which is data driven insight and decision making. When a security leader wants to put together a presentation to their senior leadership, they are faced with the challenges of finding, collecting, sorting through and attempting to make sense of an ocean of swirling and confusing data. As they take a step back, they face seemingly simple questions: What really matters from each of these data sets? Are they redundant? Am I missing something? What story is my data trying to tell me? And, does my data story even make sense? These questions keep a CISO up at night - particularly the night before they meet with their Board.
This is where offerings from a company like Avalor become a de facto mandate. Avalor is able to leverage best-of-breed data tooling and technology, and turn their energy and focus on the delivery of cleansed, curated, distilled and rationalized data. Turning the swirling chaos of jumbled data into a high quality semantic layer. A “data fabric,” optimized and tuned to the needs of the complex and mission critical security landscape.
Q. Ok, so now CISOs can better tackle the data gathering and integration piece. How does that translate into credibility gains and actual decisions from leaders that will help the security program and business overall?
This is not a new problem, but it’s becoming a bigger one as security gets more complicated. CISOs and Boards have long struggled to understand one another and collaborate to do what’s best for the business. Today, with risks around every corner and breach costs rising, the stakes are higher, and so too is the tension between stakeholders.
This isn’t intentional of course. It’s just that once a CISO’s team is able to find, identify, capture, and understand this massive volume of data, they’re then faced with the difficulty of translating technical jargon into business terms that decision makers can understand. Compounding this issue are the many iterations and perspectives on standardized metrics and measurement frameworks for cybersecurity, which make it difficult to compare risks across different organizations or industries.
Keep in mind, most board members have only a basic understanding of security and how it functions to keep the business safe. So CISOs need to present data that is clear, concise, and at the same time, strategic - they need to tie their data story to the core risks and opportunities for the business. Data should be able to help them do that, but historically it has actually gotten in the way of this clarity.
Here again, this was a problem that Avalor saw as an opportunity to help both sides of the table. In building their data fabric for security, they understood that “cleaning up” the data was the foundation, and that creating context for the data also had to happen in order for it to be useful. By building a set of data models for each major cyber area, beginning with vulnerability management, they are doing the heavy lifting of context creation for security teams. This in turn, helps them build a clearer picture of risk across the enterprise for Boards, so they can make the right decisions.
I was pleasantly surprised that, being from a data background, the Avalor founders understood nuances like this and really looked at the challenge holistically, and from a CISO’s perspective.
Q. Beyond solving the data-to-decisions journey with a solution like Avalor, what else do CISOs need to know or understand about working with their C-suite and Board?
It’s interesting. CISOs, of all people, should really understand the headspace of executives, which is to say it’s very crowded; they are overwhelmed and under tremendous pressure. Most do, but they can forget that security is just one imperative in a world of limited resources where tech is proliferating across enterprises - think digital transformation - and all of it requires time, attention, and most of all, budget.
This is why I continually stress to CISOs the importance of reducing the signal to noise ratio when working with their leaders and with their peers across the business. While cybersecurity awareness has risen significantly in most organizations, a cultural divide between the security and business functions still exists, with business decision makers struggling to understand how they should translate the activities of an organization that they often view as a cost center into business critical deliverables.
Soft skills alone aren’t going to bridge that chasm. Again, it goes back to data. For too long, security teams have been collecting oceans of it, yet may still be unable to answer simple questions from the business about what their priorities are, what the current risk posture is, etc. I honestly believe that’s because the security industry has focused on generating the data - as if data alone in a silo is really useful - and not on making it work for them to grow and protect businesses. I’m glad Avalor recognized this gap and is building a solution that will finally allow teams to focus on the work that really matters. And, to enable CISOs to provide their executive team and boards with the data that really matters. That way, everyone can sleep better at night.