Executive decision makers find it difficult to understand how cybersecurity supports their business goals, and cybersecurity professionals struggle to comprehend the business outcomes they are working towards. This disconnect is affecting investments in cybersecurity and the trust of the important stakeholders.
Chief information officers (CIOs) often lack a defined executive-level framework for managing risk appetite and determining which cybersecurity investments to prioritize. Protection-level agreements (PLAs) help bridge this gap by evaluating the effectiveness of cybersecurity measures and their associated costs. As a result, CIOs must utilize PLAs to effectively communicate the business benefits of cybersecurity investments and articulate the executive’s risk appetite for cybersecurity.
A PLA is an agreement between executives and CIOs/CISOs to achieve a desired level of protection for a planned cybersecurity investment. A PLA is a concrete assertion of risk appetite. It is typically constructed from an outcome driven metric (ODM) that supports the identification of a desired/target protection level and a projected cost to achieve the protection level.
PLAs are the foundation for security investment, and CIOs must utilize the following step-by-step approach to implement PLAs and overcome challenges.
Step 1: Identify Control Investments
Identify priority control investments and outcome-driven metrics that should be subject to PLAs. Gartner recommends that an organization should initially create three to five ODMs to engage with the board and develop their approach to executive engagement and governance with PLAs. Over time, they should aim to have a total of 20 to 30 ODMs across the categories of identify, protect, detect, respond, and recover. The number should be kept at a manageable level.
Step 2: Establish Candidate PLAs
Create a list of reasonable and appropriate “candidate PLAs” for achievable levels of protection and projected cost. The cost will always be determined as the necessary investment to reach the desired level of protection and is a crucial aspect in all negotiations.
A good starting point is to consider high, medium and low choices for each target protection level by ODM. Choices should be guided by the consistent, adequate, reasonable and effective (CARE) standard, which suggests that protection levels should be delivered consistently, and they should be adequate, reasonable and effective.
Step 3: Examine and Prepare Relevant Factors
In addition to the CIO, responsible non-IT executives such as the CFO, chief risk officer and chief compliance officer should examine and prepare relevant factors to support executive decision-making for choices such as Defensibility to key stakeholders, which includes questions such as will our customers, shareholders, regulators and partners agree that these protection levels are appropriate? Other factors include:
- Risk assessments: How do we prioritize business needs for protection levels?
- Regulatory implications: Do regulations require specific protection levels?
- Expert recommendations: What do internal and external subject matter experts recommend?
Each organization should determine the relevant factors that impact their decisions.
Step 4: Enable Executive Decision Making
A set of desired protection levels and funding of projected costs is then determined by senior non-IT executives. To reach agreement, each PLA should be addressed individually. A suggested approach is as follows:
- All levels of executive management should understand the PLA and the underlying control investment. ODMs should be explained in layman’s terms. Costs for each proposed level should also be shared.
- The factors (Step 3) influencing the ultimate choice of PLA are presented. These are technology and business implications.
- Options should be discussed and debated. For agreement and/or next steps, it is possible that additional information may need to be gathered.
Step 5: Publishing and Setting Expectations
Final PLAs are shared with all impacted and responsible executives and the board of directors or equivalent.
While different organizations have the freedom to determine their own level of visibility and agreement, the following points can assist in setting expectations during incidents and enforcement actions where PLAs may come under scrutiny:
- In terms of cybersecurity, PLAs can serve as a useful tool for managing investments within the security realm. However, in cases of scrutiny, the accountability for all decisions falls on the cybersecurity team and there may be limited benefits for executives in terms of defensibility.
- For the CIO, PLAs aid in planning technology delivery and implementing controls that are heavy on operational expenditure, such as patching.
- Executives can benefit from PLAs by gaining a better understanding of cybersecurity investment and protection levels. It also gives them the opportunity to address any business friction related to cybersecurity management. Furthermore, it allows the CEO to defend the organization after experiencing a significant breach.
- Board of directors: PLAs help the board perform effective fiduciary oversight of cybersecurity.
Step 6: Govern PLAs Continuously
PLAs must be governed continuously. After PLAs are agreed on, then the priority is to measure and report variation where your organization is not achieving the PLA. When most or all PLAs are achieved within available budgets, the security program should be considered consistent, adequate, reasonable, and effective.
By Richard Addiscott, Senior Director Analyst at Gartner