Use metrics to give your risk story a good ending

Richard Rushing (CISO at Motorola Mobility) came to #BHMEA22 and reminded us to be mindful about how much we rely on metrics – and more importantly, how we communicate metrics (and their value) to people who don’t care about them as much as we do. 

He cited a Gartner study which revealed only 12% of metrics delivered to organisations are actually used in decision-making processes. Because the people making decisions often don’t understand the metrics well enough to care about them. They’re not useful. They’re not updated regularly enough. They are often, in effect, a waste of time. 

But the people delivering those metrics know they can be useful. They wouldn’t be a waste of time if everyone knew what they meant and how to use them. So how can cybersecurity teams make that happen? How can you deliver metrics about an organisation’s security in a way that means those metrics will actually influence decisions? 

Tell a story – because humans are wired to care about stories

Most people are not wired to be captivated by cybersecurity metrics. But human beings are hardwired to care about stories. Studies including this one (published in the peer-reviewed neuroscience journal, Cerebrum) have found that compelling narratives trigger the release of hormones including oxytocin – which has the power “to affect our attitudes, beliefs, and behaviours,” and can motivate us to engage in cooperative action.

Story researcher Kendall Haven identified a general story structure that is particularly effective at engaging attention and increasing understanding. And cybersecurity teams can use this to shape their communications strategies – providing information to organisations in a way they’ll really connect with. 

The structure goes something like this:

• The story has a character with a goal. And that goal has a clear motive that the audience can understand. In cybersecurity, your character might be your organisation itself.
• But the character hasn’t achieved the goal yet. Help is needed, and an understanding of the obstacles and consequences of failure are necessary too.
• The character struggles to meet the goal. This leads to a more collaborative, team approach – allies get together, support, and work to help the character overcome obstacles and achieve the goal.
• The obstacles are overcome. The character achieves the goal and enters into a new normal – but with a continuous understanding that a new incident could be the catalyst for a new goal at any time. 

What’s the link between metrics and storytelling? 

Rushing quoted Ted Schlein, who said: 

“There are only two different types of companies in the world: those that have been breached and know it and those that have been breached and don’t know it.” 

And, Rushing added, “in this day and age that’s really true.” 

But ensuring that more companies do know when they’ve been breached requires a more coherent approach to security – and it starts with understanding risk. 

“Risk has to start at the top,” Rushing said. Executives need to determine what kind of risks they need to fix, and where those risks might be. And they also need to identify their own risk tolerance: what kind of risks are accepted, and which risks have such serious implications that they are not accepted within the organisation? 

“You need to have a tolerance, and it needs to be standardised. If it’s not standardised, you’re making ad-hoc decisions,” because you don’t have a clear framework for positioning different risks within your security strategy. 

“Anything that’s outside the risk tolerance is unexpected. You already defined what your risk tolerance is — if it’s outside this, it shouldn’t be there.” 

And with that determination of risk tolerance, you then have to recognise that it takes talented people to secure an organisation – and not all of that talent is in your cybersecurity team. This means that you have to communicate risk effectively across your organisation – so that everyone can get on board and contribute to the overall security posture. 

So you need to make a story: “Risk is about how to figure out the plot of your story.” 

Story is the exciting, engaging way to communicate risk. If you say ‘we need to replace some servers on the other side of the world because they’re not patched,’ no one cares. If you say ‘bad guys are going to get in through those servers and shut us down,’ they start to care.

Every organisation has a different story. So use your understanding of risk to work out how to tell it. The high level risks that everyone in an organisation can connect to are: 

• Brand damage
• Supply chain impact
• Sales disruption
• Business process disruption

And your risk acceptance curve, Rushing said, is your story arc: all risks fall somewhere on the curve, whether they’re not that serious (so you accept them) or very serious (so you don’t tolerate them). Your strategies for addressing risks are the way you bring resolution into your story – and you can weave your metrics into those strategies so that everyone in the organisation can understand how metrics will help them achieve the story outcome they want.

Use metrics to give the story a happy ending. Because if you do that, your organisation will understand how to apply those metrics to decision-making and operations.