The two I'll point to in this post are from Carnegie Mellon University's CERT program and PricewaterhouseCoopers' cybersecurity consulting practice. What they have in common is that they are both several years old. This is not VC or DARPA-funded cutting edge stuff. It's human behavior stuff, and as such, it's not on an upgrade path anything like iOS, Android, or "Next Generation" firewalls. But neither are these concepts rapidly deployable, as you'd be hard put to find them put into practice widely at many utilities in 2013.
Nevertheless, for those wanting to achieve and communicate improvement in our own and other critical infrastructure sectors, here are some excerpts I've pulled out for you to consume more quickly.
Starting with definitions, this comes via the CERT work, citing NIST SP800-100 - Information Security Handbook: A Guide for Managers:
Security Governance is the process by which senior leaders direct and control an organization to establish and sustain a culture of security in the organization's conduct, including behaviors, capabilities and actions. It includes establishing and maintaining a framework and supporting management structure and processes to provide assurance that security strategies:
- Are aligned with and support business objectives
- Adhere to policies, standards, and internal controls
- Provide assignment of authority and responsibility
All of this with the objective of managing cyber risk to the tolerances desired by that organization.
Then from PwC, instructing CISOs to "Define business objectives":
Collectively, the organization's business objectives form the single most important driver of the security strategy. They are the basis of the arguments you will be using to communicate the business case for change and will help you prioritize initiatives based on business need. When determining your security strategy planning process, take care that it is explicitly mapped to the business objectives you have identified and carefully defined in terms of the benefits that will be used to measure project success.
More from PwC, coaching CISOs. This one's attributed to the then-CISO of Radianz, Lloyd Hession, now at Bridgewater Associates: "If you can't talk ROI, the boardroom isn't listening"
There are two types of metrics used by the CISO: those based on security criteria and those based on business goals. Those based on security criteria are a useful intradepartmental tool for evaluating performance, but they do not translate to the boardroom. For example, knowing the number of attacks detected or thwarted may be useful in evaluating your incident response and detection processes, but they tell the executive nothing about the dollar return on his security investment.
Core message I get from these sources: align, align, align ... security policy with business objectives, and always translate 1's and 0's bits to 1's and 0's dollars/euros/pesos, etc. There's much more if you want to sink your teeth into this.