This post addresses one of The Three Unanswered Board Questions That Drive Cybersecurity Investment.
In 2022, 88% of boards say that cybersecurity is a business issue, not a technical one. This conversation is about resetting executive engagement, putting a business context around security, and literally how we invest in security.
Do not assume that your board members have the right information to make business decisions about cybersecurity investment just because they nod and smile while you explain how important cybersecurity is to the business.
New SEC Cybersecurity Rules Require New Business Acumen
The Wall Street Journal recently reported on new cybersecurity rules proposed by the U.S. Securities and Exchange Commission: under them, CISOs and others with cyber responsibilities must learn how to translate cybersecurity data into clear risk information that nontechnical board directors can quickly understand.
“It will change how we develop the next generation of CISOs,” said Shaun Marion, CISO at McDonald’s Corp., relying less on technical knowledge and more on business-risk experience.
Developing Business Acumen Requires a Change in Perspective
Executive decision makers do not understand how cybersecurity supports their business outcomes, and cybersecurity professionals struggle to understand the business outcomes they support.
I spent 5 years as the Chief of Research for Risk and Security at Gartner, but 6 years ago I left that role to join the finance team in the CIO group. Now why would a security guy join the finance team? BECAUSE IT ALL COMES BACK TO MONEY AND VALUE!
Joining the finance team I learned and covered the business value of all technology investment, measuring digital transformation, and board performance reporting. I spoke to CFOs, COOs, and chief digital officers (CDOs) in the context of business models, business outcomes, and most importantly, business value!
My journey should be your journey. Do not underestimate the power or the effort required to better understand the business outcomes you support.
Translating Cybersecurity into Business Value
In cybersecurity terms, value translates to a level of protection. When we can communicate levels of protection to our executives, we can help them make better-informed decisions about cybersecurity investment.
A value metric is one that we can invest in directly to change value delivery. In cybersecurity, that means an investment to improve the metric is an investment to improve a protection level.
Number of Emails Blocked: A Terrible Metric
One of the more popular metrics I see in board presentations is number of emails blocked. What investment would you make to improve the metric “number of emails blocked?” And how would that translate into a change in protection levels?
Number of emails blocked is not a reflection of …well… anything. We don’t control it. Going up or down could be good or bad depending on why it is going up or down.
- If we are attacked less, it will go down and say nothing about the effectiveness of our controls or our investment.
- If we are attacked more and our controls catch more of it, it will go up even though our controls are performing better. NOT A VALUE METRIC!
Patching Cadence: A Value-delivery Metric
On the other hand, the time it takes you to patch vulnerabilities that are being exploited in the wild is a critical value-delivery metric. It has a direct line of sight to the value of patching, which is to reduce the time that a vulnerability is available for exploitation. We directly control it, and an investment in changing it has demonstrable, measurable benefits to levels of protection.
When you measure this, you have operationalized cybersecurity value delivery. Your metrics are a direct reflection of protection levels delivered. When they go up or down, so does value… and so does protection.
We offer several examples of outcome-driven metrics in What Metrics Should I Report to My Board?
And we are benchmarking 20 of them.
Putting Cybersecurity Value in a Business Context
When you measure cybersecurity value, you can align metrics to the technology stacks supporting business outcomes, and that creates a reflection of business outcome protection levels.
Sound complicated? You’re already doing this today. When you measure phishing click-through rates by employee populations supporting specific operating units in your organization, you have just wrapped a business context around phishing click-through rates.
Now you know it’s the people in finance who keep clicking on the cat videos that are locking up your systems.
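As an added illustration, not code from the original post, the Python script below computes the patch-cadence metric described above (days from the point we know we hold an exploited vulnerability until it is patched) and rolls it up by the business unit that owns the affected assets, the same way the phishing example wraps a business context around a control metric. The findings, dates, unit names, vulnerability labels and the 14-day target are all constructed assumptions; a real target is set by the governance process, not by the script.

```python
"""Outcome-driven metric: time to patch vulnerabilities exploited in the wild,
rolled up by the business unit that owns the affected assets."""
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Dict, List, Optional

TARGET_DAYS = 14  # assumed protection-level target; a governance decision, not a technical one


@dataclass(frozen=True)
class Finding:
    vuln_id: str              # hypothetical label, not a real CVE identifier
    business_unit: str        # owner of the affected asset: the business context
    exploited_since: date     # date the vulnerability was known to be exploited in the wild
    detected: date            # date our scanning found it on one of our assets
    patched: Optional[date]   # None while the finding is still open


def clock_start(f: Finding) -> date:
    # The exposure clock starts when we know we hold an exploited vulnerability:
    # the later of "exploited in the wild" and "found on our assets".
    return max(f.exploited_since, f.detected)


def exposure_days(f: Finding, as_of: date) -> int:
    # Days the vulnerability was (or, if still open, has so far been) available for exploitation.
    end = f.patched if f.patched is not None else as_of
    return (end - clock_start(f)).days


def unit_metrics(findings: List[Finding], as_of: date,
                 target_days: int = TARGET_DAYS) -> Dict[str, dict]:
    """Per-business-unit protection levels for the patch-cadence metric."""
    by_unit: Dict[str, List[Finding]] = {}
    for f in findings:
        by_unit.setdefault(f.business_unit, []).append(f)

    report: Dict[str, dict] = {}
    for unit, items in sorted(by_unit.items()):
        closed = [f for f in items if f.patched is not None]
        still_open = [f for f in items if f.patched is None]
        closed_days = [exposure_days(f, as_of) for f in closed]
        open_days = [exposure_days(f, as_of) for f in still_open]
        # Edge case: an open finding still inside the target window has not yet had a
        # chance to miss it, so it is excluded from the percentage; an open finding
        # already past the target counts as a miss rather than being silently ignored.
        within = sum(1 for d in closed_days if d <= target_days)
        overdue_open = sum(1 for d in open_days if d > target_days)
        eligible = len(closed) + overdue_open
        report[unit] = {
            "findings": len(items),
            "open": len(still_open),
            "median_days_to_patch": median(closed_days) if closed_days else None,
            "pct_patched_within_target": round(100.0 * within / eligible, 1) if eligible else None,
            "open_past_target": overdue_open,
            "worst_open_exposure_days": max(open_days, default=0),
        }
    return report


# Constructed sample findings for illustration; every value here is invented.
SAMPLE: List[Finding] = [
    Finding("vuln-A", "Finance", date(2022, 2, 1), date(2022, 2, 3), date(2022, 2, 10)),
    Finding("vuln-B", "Finance", date(2022, 2, 20), date(2022, 2, 15), date(2022, 3, 20)),
    Finding("vuln-C", "Finance", date(2022, 3, 10), date(2022, 3, 12), None),
    Finding("vuln-D", "Operations", date(2022, 1, 5), date(2022, 1, 5), date(2022, 1, 12)),
    Finding("vuln-E", "Operations", date(2022, 3, 1), date(2022, 3, 2), date(2022, 3, 11)),
    Finding("vuln-F", "Operations", date(2022, 3, 25), date(2022, 3, 26), None),
]
AS_OF = date(2022, 4, 1)  # assumed reporting date

if __name__ == "__main__":
    for unit, metrics in unit_metrics(SAMPLE, AS_OF).items():
        print(unit, metrics)
```

With this data the script reports Finance at a 17.5-day median with one open finding already 20 days past its clock start, and Operations at an 8-day median with everything inside target. That is the board-level statement: one operating unit is delivering the target level of protection and one is not, and the investment question becomes what it costs to move Finance to target.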
You can do this for all of your security control investments, measure value, and get better executive engagement. This will lead to better investments and a safer world.
How Much Should I Spend On My Cybersecurity Program?
When you operationalize cybersecurity value delivery through outcome-driven metrics, you can determine how much you want to spend to achieve your desired level of protection. The right answer is not an amount of money, it’s a governance process that achieves a balance between setting desired targets of protection and a willingness to pay for them.
Put another way, how much security do you want and how much are you willing to pay for it? It’s time to start having an adult conversation about business-led investment in cybersecurity.
Webinar and Benchmark Release
April 20, 2022, 11:00 AM ET: Webinar Make Cybersecurity a Priority Business Investment addresses this topic and more. This webinar is open to everyone and will be available for replay.
June 10, 2022, 9:00 AM ET: At the Friday morning keynote of our Security and Risk Management Summit in National Harbor, MD I will be releasing the benchmark definitions for our first generation cybersecurity value delivery benchmark and early data gathered from a small number of organizations.
We will also release the survey to all conference participants to fill out their own data and get the earliest version of our official benchmark.