“You cannot manage what you cannot measure.” Blah blah blah whatever.
Tell me: How do you measure the likelihood of marauding bands of gangsters holding your business hostage and demanding a ransom?
How do you measure the risk of a foreign army waging de facto war on your company?
From which direction will the enemy attack? When? With what force? For how long? How much damage will you take? What about the known unknowns (“grey swans”) and the unknown unknowns (“black swans”)?
These are strategic questions that cannot be measured.
That's why it's called the “art of war,” and not the “bean-counting of war.”
There is a reason all insurance policies have a war exclusion: The risk of war is not insurable. It is not measurable using any meaningful actuarial standard.
So as a CISO, your job is the military defense of your employer. But your CEO and board are demanding concrete KPIs for your team. How do you communicate this to your CEO and the board?
Well, here's a good start: Legal and financial risk management generally assumes a competent legal system to fall back on. It also assumes fundamental things like, I dunno, nation-state borders.
If that last bit sounds crazy to you, consider that the Treaty of Westphalia is obsolete. That foundational cornerstone of modern international law that defines physical borders as sovereign limits? Yeah, that's a dinosaur.
When a foreign country's soldiers cross into your territory, boots on the ground, that's an act of war... but what if they hack your country instead?
Where are the borders? If North Korea attacks and destroys my employer, an American company, is that an act of war? I think folks in Washington would chuckle if I seriously suggested such a thing.
The U.S. military and border police are not going to defend my employer from attacks by foreign armies or international criminal gangs.
We are on our own, folks. The cavalry isn't coming. We live next door to every military, intelligence agency, and gangster in the world.
Cybersecurity grapples with raw power problems presented by adversaries who operate outside of the law and without consequence.
The only difference between a CISO and a military general—and it is a big and important difference—is that a CISO is 100% defense-only, and may never, under any circumstances, engage in offensive security operations against their adversaries.
If you think ethical, legal defense matched against extra-legal raw power offense is not a fair fight, then you would be right. But that is the world we live in today.
In a land war, a general might choose to attack a foreign battery of artillery as a means of defending his front lines. In cybersecurity, a CISO has no choice but to suck it up and take whatever punch gets thrown.
So what can you measure in cybersecurity? You can measure the effectiveness of security at the tactical level. Are things buttoned down and in good order? Are you getting the basics right? This can and should be measured.
But at the strategic level, trying to measure cybersecurity risk in the face of human adversaries will only narrow your field of vision, and you'll wind up like the French and their fabled Maginot Line.
Y'all did high school world history, I hope? Cuz the Germans just went around.