It’s that time of year when you’ve inevitably written notes to your organization and leadership about all your team’s achievements over the year (and possibly quietly shuffled all the things you didn’t get done into next year's plan). Of course, you also highlight how much unplanned work you dealt with, the new threats and vulnerabilities you handled, and maybe an incident or two successfully contained as well.
But, in general, for most of the year as a profession we’re really bad at communicating our successes. It is typical, as with other risk disciplines, that our work goes unnoticed and that as teams and leaders we might only be visible when there is bad news. The bad news could take many forms, from vulnerabilities to resolve by driving the whole organization to extreme activity though to incident response. If these are the only times you or your team are visible then, as valued as you might be for those, it is still inevitable that you may attract a bit of a “merchant of doom” brand. Or worse, that people really do think only bad things are happening on your watch.
Naturally, this is mostly unfair given you have likely had immense success in thwarting countless incidents, forestalling many emergency vulnerability responses and have had the wisdom to build defense in depth so that micro-crises can be more leisurely managed as other controls pick up the slack. You probably also witness the victory laps of others in their deliverables that were in no small part due to the efforts, partnership and likely even tooling provided by your team - but you feel good nevertheless that the wider team had that success.
Now, you can be stoical about all of this - and surely if there were a guiding philosophy of information/cybersecurity it would be stoicism - or you can make a more continuous effort to better market your success.
Many in the industry are intrinsically uncomfortable doing this as it can smack of over self-promotion. However, remember that advertising your succes is actually honoring the efforts of your team, your internal partners and colleagues, and your leadership for their support. The more you do this the more you attract support and resources to better mitigate risk which is, of course, central to your role. So, communicating your success is a critical part of the flywheel of risk mitigation.
Let’s look at some examples of how to do this.
1. Incidents
The classic case is incidents. Your main moment in the sun might be in the middle of an incident. If successfully detected and recovered from then you will likely get some kudos. But, too many of these and leadership might conclude you’re not doing an effective job. However, you can provide a better perspective if you place these incidents in some context, such as the percentage of incidents experienced vs. incidents that were avoided because threats were thwarted or risks were mitigated. Of course, this can require some degree of subjectivity depending on how you measure it. You could use a regularly communicated set of messages such as: this month our controls stopped 100,000+ phishing emails, repelled 200,000+ perimeter intrusion attempts, deflected 150,000+ malware infection attempts, and so on vs. only reporting the incidents. In the event of a truly sophisticated intrusion or other circumstance then those incidents might be better seen as what they are, that is an unusual event, not an event that is thought to happen upon every intrusion attempt.
2. Incidents Elsewhere
Another useful technique, often as a by-product of your threat intelligence capability, is to regularly profile and communicate attacks that have resulted in impact to other organizations (most usefully near peers / competitors). This is not simply to analyze that event to ensure that your defenses would have held or to use the threat intelligence to look back to see if you actually did defend it. Additionally, it should be communicated to leadership so that they see the great results of not just your work but they can also reflect on their wisdom in supporting and funding your work. This often has the useful side effect of them asking about how well you did defend, then you can reply that defenses held but, maybe, you had undue pressure on some controls for which you need some investment to enhance them. Indeed, this is a good moment to communicate a plan you prepared earlier for their approval to keep bolstering defenses so you can stay ahead of the threats.
3. Vulnerabilities
As with incidents, the occasional crisis-like response to fix a rapidly emerging vulnerability can appear chaotic to some of your leadership, especially those distant from the realities of the constant need to fix such issues. Being able to regularly show a scorecard of the numbers of vulnerabilities fixed along with the decreasing time it takes to do this, and how routine and mostly undisruptive this has become will put in context the occasional necessary scramble. Additionally, as with incidents it is useful to get some peer information or wider intelligence to see when other organizations have had to excessively react in comparison to you. For example, emerging attacks exploiting a 3 month old vulnerability in some product that has your competitors scrambling but you can report to your leadership that, for your organization, this was taken care of 2+ months ago. This is a compelling success story, especially with a reminder to them that this is also thanks to their support of the enhanced vulnerability management program they were so astute in funding some while ago.
4. Escalation as a Service
One area that is often overlooked is that escalating risk issues can be seen as a success rather than a failure if you view this as a service to business line or IT leadership. In any good risk program, that is one truly looking for risk, you will always have more risks than you can immediately deal with. This accumulating risk inventory needs management. Bringing regular visibility to these risks is important to get various levels of management familiar with what is in the inventory through regular escalation. Remember that some issues need special escalation to executive leadership, and it might be more so for the ones that represent potential high outrage as well as high hazard. Often a risk might be deprioritized at a middle management layer due to the natural pressing conflicts of priorities - but you know that if this risk was to materialize then there would be either high hazard or outrage, and executive leadership would immediately sanction a mitigation program to avoid recurrence. A well framed risk issue escalation can get ahead of this. In my experience most people value this escalation and think of it as “escalation as a service” if it is not over used.
5. Adjacent Benefits
It is also worth showing where you have achieved not just risks reduced, vulnerabilities dealt with or incidents avoided but also what adjacent benefits you have delivered. For example, it might be that your hard won new customer digital channel multi-factor authentication system has not only reduced attacks, fraud or other incidents but has been launched in a way that has been measurably brand-enhancing. Also, because of the increased security, you have been able to support more high risk transactions thereby reducing costs across other channels. This isn’t just to get some kudos for your team’s hard work but it also reminds executive leadership that funding these types of mitigation activities can have such adjacent benefits - which makes it more likely your next ideas will be prioritized, and so the flywheel continues.
6. Productivity Improvements / Getting Others to Tell Your Story
Another, often neglected, success story is showing how security controls have enabled different workflows, or existing controls have improved to be more tightly coupled with teams, especially developer tooling to provide for better and more efficient outcomes. It’s useful, in the spirit of partnership, to work on approaches where those benefits and successes are communicated to leadership by those who most feel the benefits. For example, it’s a better success if the CEO hears from the CIO, not you, how your new security capability integrated into developer tooling has resulted in more security issues being found earlier with less re-work and has also helped produce more reliable software which has contributed to the increased velocity of feature releases.
7. Reference the Outside World - Manage the Uncanny Valley
It is also important, at Board meetings and otherwise, to remind people that you work in a discipline where your successes can often be less visible and that you are attempting to bring more balance to that. This simple statement with reference to other scenarios can make them attuned to not regard the occasional context-free negative with excessive disdain. Y2K was a classic example where nothing much went wrong, not because the risk was over blown but because a lot of people worked hard successfully to make sure it was mostly a non-event. We talked about similar issues associated with the uncanny valley of risk management here.
8. Move Away from just Reporting Activity
We all have a tendency to confuse reporting activity with reporting success. Similarly, reporting lagging metrics is easier than finding the right leading metrics. So, move focus from reporting simply on progress toward showing improvement in processes that lead to better outcomes. Illustrate each with leading indicators to give a deeper understanding to leadership of the maturity of your work. From this, they will better understand that the occasional mishap in a mature process is actually better than the lucky absence of mishaps in a chaotic process - for which that luck can’t possibly last. Annie Duke’s book “Thinking in Bets” (her talk on this topic is here) is a great means of reasoning about this.
9. Have Others Scream for Your Support
Many parts of your program and services may be in high demand. As your program matures and becomes more useful then you could find yourself being highly over-subscribed. This could be supporting your organization’s customers, helping businesses tune their work for adjacent benefits and many other examples. Being oversubscribed is a great opportunity to have others communicate your relative success. For example, in dealing with this oversubscription you could just flat out say no to requests for assistance or you could attempt to do it all with the result that you will not do much of anything well while still burning out your team.
Alternatively, a good approach is to simply ask your requesters to have their executive leadership make or endorse the request. This serves a few purposes, it ensures the requests truly are a priority and that those executive leaders are then intrinsically aware of the value you provide. It also gives you an opportunity to get out your supply and demand charts and show them where you could do more to meet this demand with more funding (supply). It’s a win-win.
Bottom line: all risk programs, but especially security, have the issue that success is often silent and failure is highly visible. You need to communicate success regularly to provide a wider context for inevitable issues. This might seem self-aggrandizing, but remember, marketing your successes rewards your leadership for their astuteness in supporting your work and thus completes the flywheel of support you need to mitigate future risks.