
Use Value to Govern Cybersecurity as a Business Investment

By Paul Proctor | April 05, 2022

Cybersecurity Investment is Broken

As I discussed in my previous post, cybersecurity is now the top spend item on the technology investment list. In 2022, 88% of boards say that cybersecurity is a business issue, not a technical one. Unfortunately, boards have no idea how to govern cyber as a business issue and executives have no idea how to guide cyber investment as a business issue.

Bottom line, no one can explain the business value of security, so we can’t have an adult conversation about business-led investment in cybersecurity. And the world is in a very bad place because of that. We continue to treat security like magic and cybersecurity people like wizards who cast spells to protect our organizations.

Cost and value are the levers that drive every business. They also drive missions in government and national defense. Every organization invests resources, time, money and people to achieve SOMETHING. Chief Financial Officers (CFOs) are the stewards of this investment. CFOs need to see value for money.

Value in security should be measured as levels of protection delivered, not the implementation of tools or the creation of capabilities. That means no one cares that you spent $2M on a SIEM; they care that it’s delivering the value for which it was intended.

If we can measure how the value of cybersecurity increases when we increase our investment, we can answer key questions like “Should we spend more on cybersecurity?”

If we can demonstrate the impact on security when we decrease investment, we can answer other key questions like: “Is it OK to cut costs in security?” Every seasoned CISO has experienced the reality of an across-the-board budget cut and the struggle to express the impact of such cuts on cybersecurity readiness.

How to Measure Cybersecurity Value

Gartner’s construct for outcome-driven metrics (ODMs) is ideal for measuring cybersecurity value. ODMs measure a direct line of sight to protection levels (value) expressed as an operational outcome. For example, “number of days to patch critical systems” is an ODM for threat and vulnerability management. It is an operational outcome in which we can directly invest, and it has a direct line of sight to the value proposition of patching, which is to reduce the amount of time that vulnerabilities are available for exploitation.

Gartner has more than 100 outcome-driven metric examples across more than a dozen control classes that all share the same characteristics for measuring value delivery. They represent operational outcomes with a direct line of sight to the protection levels (value) created by the controls they measure.

Establishing a New Standard of Due Care in Cybersecurity

If we understand the value of current cybersecurity investments, we can establish a standard of due care that’s defensible to our key stakeholders such as shareholders, regulators, customers, and partners. A standard of due care is a powerful concept for determining whether a person or an organization is liable after a cybersecurity incident.

It means organizations will not be assumed to be at fault just because they got hacked. Having such a standard will incentivize appropriate investments and execution leading to improved protection levels globally.

Measuring and reporting cybersecurity value delivery and establishing a standard of due care accrues many benefits and shifts the landscape in cybersecurity investment and board governance.

Align Cybersecurity to Business Outcomes

Although many in the Gartner client base would claim they already align their security programs to their business, I’m speaking of a much higher bar of execution than is present today: one where cybersecurity investment (cost) and value delivery (levels of protection) are aligned to specific operating units, business functions, product lines, etc.

When you can direct cybersecurity investment in a business context, you can then direct investment and value (levels of protection) to different parts of the business. For example, in a power generation company, a nuclear power plant needs higher security than a coal-fired plant.

In many highly regulated industries, to establish defensibility to the key stakeholders, regulated parts of the business need higher protection (value) than less regulated parts of the business.

Aligning to business outcomes also closes the gap in executive communication. You can demystify cybersecurity by putting it in a business context to better enable board engagement and governance.

All of this supports a primary directive in cybersecurity, which is to balance the need to protect with the need to run the business. We can now choose cybersecurity investment based on specific business requirements.

Create Defensibility with Your Key Stakeholders

While the concept of stakeholder defensibility may feel fuzzy to many of you, let me make this extremely real. Your stakeholders for cybersecurity are your regulators, shareholders, customers, and partners.

Through good stakeholder defensibility you can better manage your regulators with a proactive, defensible risk posture that will, in turn, reduce value-killing MRAs. A Management Requires Attention (MRA) notice is a finding issued by financial service regulators that effectively means “fix this, or we shut you down.” Every industry regulator has its equivalent to MRAs.

MRAs are value-killers because they have board-level attention and usually create an all-hands-on-deck approach to fixing them. That means the organization stops focusing on value delivery and pours investment into fixing the issue.

Regulators aren’t focused on business value delivery, so they don’t really care what impact their findings have on your business. Getting out ahead of your regulators with a defensible risk posture reduces these occurrences. It also accommodates more flexibility and business opportunities when your regulators trust that you’re managing risk effectively.

Shareholders need confidence that your cybersecurity protection level (value) is sufficient to warrant their belief that your organization is a good investment. Customers also need to have confidence to do business with you. A defensible risk posture means shareholders and customers have visibility into your protection levels. It also means the assertions on your website about your plan to ensure customer security and privacy amount to more than empty promises.

Partners also need to have confidence to work with you. Third-party risk assessments and governance have been rising for 10 years, and you need to get serious about demonstrating that you have the right levels of protection. The bottom line here is to protect your supply chain by ensuring your partners are sufficiently protected, and to ensure that the supply chains of organizations that rely on you are also protected.

Protection Level Agreements Establish Due Care

Establishing due care is accomplished through Protection Level Agreements (PLAs). PLAs are business decisions to invest in measurable levels of protection that drive cost and can be compared to achieved levels of execution. For example, choosing 30-day patching at a projected cost of $1M/year is a PLA. PLAs are operational targets for key controls that represent desired levels of protection (value). These are concrete assertions of risk appetite on a measurable scale.

There are a number of moving parts to the governance and decision-making that PLAs enable, which will be covered in future posts. For the purpose of establishing care, these are the important elements:

  • 7-day patching is more expensive, higher value, and higher protection than 30-day patching, which is less expensive, lower value, and lower protection.
  • The benefits of 7-day patching vs 30-day patching are observable with another ODM that measures the 12-month rolling average of security incidents related to unpatched vulnerabilities. Are you experiencing a reasonable number of incidents based on your chosen level of protection and investment?

Are your PLAs and execution defensible?

  • Peer comparisons can be made through benchmarks. Are you at least as good as your peers?
  • Regulators can set required levels of protection. Are your choices and ability to execute within your regulators’ demands?
  • Internal audit can determine if you are hitting your desired levels of protection. Are you executing consistently?

Once care is established and within tolerances, then defensibility can be established. Using our example of a 30-day patching PLA, the exploitation of a vulnerability that is 35 days old is outside the PLA and not defensible. It is recognition that you failed to execute on a desired level of protection.

HOWEVER, the exploitation of a vulnerability that is 25 days old is defensible because it is the result of a business decision to invest in 30-day patching and to accept all hacks that happen within 30 days of patch availability.
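The PLA reasoning above reduces to a few measurable rules: the “days to patch” ODM, the rolling-incident ODM from the earlier bullet, and the 30-day defensibility test on the age of an exploited vulnerability. This added example (not Gartner’s or the author’s code) implements those rules over constructed patch and incident records; the record fields, vulnerability IDs and dates are all assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional
PLA_DAYS = 30  # the post's example PLA: 30-day patching

@dataclass
class PatchRecord:
    vuln_id: str
    patch_available: date
    patched_on: Optional[date]  # None: fix still outstanding
@dataclass
class Incident:
    vuln_id: str
    exploited_on: date

def days_to_patch(rec: PatchRecord, as_of: date) -> int:
    # Exposure age: patch availability to remediation, or to as_of if still open
    return ((rec.patched_on or as_of) - rec.patch_available).days

def patching_odm(records: List[PatchRecord], as_of: date, pla_days: int = PLA_DAYS) -> dict:
    # ODM "days to patch critical systems": mean age plus items already past the PLA
    ages = [days_to_patch(r, as_of) for r in records]
    return {"mean_days_to_patch": round(sum(ages) / len(ages), 2),
            "exceeding_pla": sum(1 for a in ages if a > pla_days)}

def classify_incident(inc: Incident, records: List[PatchRecord], pla_days: int = PLA_DAYS) -> str:
    # The post's rule: exploitation past the PLA age is an execution failure,
    # exploitation within it is the risk the 30-day decision accepted
    rec = next(r for r in records if r.vuln_id == inc.vuln_id)
    age = (inc.exploited_on - rec.patch_available).days
    return "defensible" if age <= pla_days else "not defensible"

def rolling_incident_average(incidents: List[Incident], as_of: date) -> float:
    # Second ODM: 12-month rolling average (per month) of incidents tied to unpatched vulns
    start = as_of - timedelta(days=365)
    return round(sum(1 for i in incidents if start < i.exploited_on <= as_of) / 12, 3)

# Constructed sample data, not real findings
RECORDS = [PatchRecord("VULN-A", date(2022, 1, 1), date(2022, 1, 20)),  # 19 days
           PatchRecord("VULN-B", date(2022, 1, 5), date(2022, 2, 15)),  # 41 days
           PatchRecord("VULN-C", date(2022, 2, 1), None)]               # open, 28 days at AS_OF
INCIDENTS = [Incident("VULN-B", date(2022, 2, 9)),    # 35 days old when exploited
             Incident("VULN-C", date(2022, 2, 26))]   # 25 days old when exploited
AS_OF = date(2022, 3, 1)

if __name__ == "__main__":
    print(patching_odm(RECORDS, AS_OF))
    for inc in INCIDENTS:
        print(inc.vuln_id, classify_incident(inc, RECORDS))
    print(rolling_incident_average(INCIDENTS, AS_OF))
```

Feeding the same functions a 7-day PLA shows the trade-off in the bullets above: more incidents become execution failures rather than accepted risk, which is the cost side of the higher protection level.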

Absorb Inevitable Attacks and Incidents Defensibly

“There is no such thing as perfect protection” is not a platitude. Most board members will nod and smile when you say this, but that doesn’t mean they understand it on a visceral level that changes the way they approach cybersecurity investment. Today, most are still going to blame the security and IT people when something goes wrong.

Incidents and attacks happen every single day. When you suffer a material incident and your executives get involved, PLAs create a new mechanism for defensibility.

Defensibility is based on all your decisions and investments that PRECEDE a material incident. Those who made good, defensible decisions should get a pass. Those who are arguably “asleep at the wheel” should get commensurate consequences.

In 2019, Capital One was (and is) a recognized leader in native cloud security which created a measure of defensibility even though they suffered a material cybersecurity attack. Arguably, mistakes were made, and execution struggled around the time of the incident, but it still required a sophisticated hacker with arguably inside knowledge to compromise their systems. Their result was a $190M settlement, an $80M fine, and their CISO was replaced.

In 2017, Equifax suffered a material cybersecurity attack, but according to congressional testimony, they did not have a defensible position. The report concluded “Equifax failed to fully appreciate and mitigate its cybersecurity risks. Had the company taken action to address its observable security issues prior to this cyberattack, the data breach could have been prevented.” Another material conclusion was “Equifax’s CEO did not prioritize cybersecurity.” Their result was a $575M-$700M settlement while the CEO, CIO, and CISO all left the company in the wake of the incident.

Although suffering similarly damaging attacks, Equifax suffered twice the costs and the loss of 3 executives, including their CEO, compared to Capital One. I envision a world where executives can make defensible cybersecurity investment decisions and are judged by their defensibility. This is possible with transparent, measurable cybersecurity value delivery metrics outlined in PLAs.

With PLAs your stakeholders have a transparent view to judge your defensibility and to act accordingly.

  • Regulators levy fines or not
  • Customers leave you or stay
  • Shareholders sell your stock or increase their investment
  • Partners choose to work with others or stay with you

…And all of them influence whether the CEO, the CIO, and the CISO stay or go.

Create a Safer World

This changes everything about the handling and treatment of cybersecurity investment, executive expectations, and stakeholder defensibility. It combines the defensibility of your original PLA decisions with the defensibility of your execution.

Treating cybersecurity in this manner will lead to better cybersecurity investment decisions, better execution, and a safer world.

Gartner Support

  • Gartner Cybersecurity Value Benchmark. Gartner is benchmarking the first generation of cybersecurity value delivery metrics to compare your program value to your peers.
  • Measure the real cost of Cybersecurity. Most CISOs can defend the purchase of a $1M patching tool, but they don’t know what it costs to deliver 30-day patching.
  • Establish target levels of protection across your business. Measure security by business unit or product line to balance the need for protection with running the business.
  • Transform your cybersecurity metrics. Use our extensive catalog of outcome-driven metrics to reset your cyber metrics at an operational and board level.
  • Engage executives and business leaders on cybersecurity. Engage executives on a new level of business-led investment in security.

The Gartner Blog Network provides an opportunity for Gartner analysts to test ideas and move research forward. Because the content posted by Gartner analysts on this site does not undergo our standard editorial review, all comments or opinions expressed hereunder are those of the individual contributors and do not represent the views of Gartner, Inc. or its management.


1 Comment

  • Paul, I wholeheartedly agree with your manifesto! It validates what we are seeing in the market.

    Companies that focus on the desired business outcome rather than a specific risk register or compliance requirement provide a very powerful opportunity to communicate risk in business terms, making risk tangible and actionable for business leaders and boards of directors.

    That’s what has driven our new approach built around critical business processes and priorities through the use of cyber assurance programs. We think this is a more strategic approach to risk management that provides the continuous, real-time insight and reporting needed to have data-driven business conversations.

    Thank you for writing such an insightful blog.
    Michael Maggio
    CEO, Reciprocity