Obtaining appropriate funding for a cybersecurity program can be a daunting task. As inflation soars, obtaining funding gets more difficult. A major funding challenge has been the inability of security leaders to demonstrate the value cybersecurity brings to the business. A recent Gartner publication pointed out that this absence of demonstrated value is due to the lack of “building a better cybersecurity metric” to articulate business value. Value is essential to obtaining the funding needed to protect the business against ransomware and other threats.
Establishing metrics to measure operational performance, achievement of set goals and return on investment is core to an organization’s existence. When an organization fails to accurately implement business metrics, its chance of remaining in business is undermined. Similarly, there must be metrics in place to measure the return on security investment. There is no doubt that measuring a security investment is cumbersome, especially as focus has been on IT-related metrics such as patching cadence or number of system misconfigurations.
To truly identify and articulate the value of cybersecurity, it is important to understand that cybersecurity is a business investment. Therefore, the questions the cybersecurity leader should be asking are: “How do I demonstrate the business value of the security program?”, “How does the security program sustain the business?”, “What is the impact of prevented cyber threats on the business?”, “How does the business continuity process promote business resilience?”, etc. The focus of the questions emphasizes how the security program is tied to business sustainability and security.
Cybersecurity Value Metric Indicators
Measuring return on security investment can be achieved by implementing four major metric indicators. They include risk reduction, reassurance, resilience, and revenue.
Risk Reduction: The principal goal of cybersecurity is to identify risks, vulnerabilities and threats that could cause consequential business disruption. While it is typical for the security team to present a technical report of cyber threats and incidents as risk indicators, the true source for identifying business risks is the business itself. Business operators know what is critical to keeping the organization operative; hence, they should be the main drivers of enterprise risk conversations, particularly about cyber threats, and should leverage controls to address such risks. However, in many cases, business operators are myopic about the risk, and the potential business impact, introduced by utilizing information systems and other technologies to advance business objectives. A business-savvy security leader who can quantify the impact of cyber threats on the business becomes an integral partner in enabling the organization to achieve its mission and vision.
One of the major lessons of the COVID-19 pandemic is that IT-related business disruption is not limited to cyber incidents alone, such as a ransomware attack or an outage. Working from home has introduced new business risks that organizations must grapple with. These new risks have placed a demand on the security team to adapt its program and evolve to provide appropriate protection. For instance, identity and access management (IAM) has become a core business solution that must be in place to keep remote work safe and efficient. Therefore, when using IAM as a risk reduction metric to justify an investment in the solution, the security leader should show how the solution serves the business purpose of keeping operations going, as well as protecting the business and complying with regulatory requirements.
To mature risk reduction as a metric, it is fundamental to directly correlate a security investment to the risk it seeks to reduce. It is equally crucial to align the security program with financial, legal, contractual, compliance, reputational and operational risks. There is abundant evidence to support the cost of cyber incidents to drive the point home. Showing the cost of risks prevented from happening is an important way of demonstrating the business value of the security program.
Reassurance: Research has shown that the fear of compliance failure is one of the reasons executive leaders invest in cybersecurity. 69% of security and IT leaders said regulatory compliance was a major factor influencing cybersecurity budget, compared with 49% who stated that best practices were a major factor to consider when making cybersecurity investment. Maintaining regulatory and contractual compliance is particularly important, especially as noncompliance has been associated with excessive cost of remediating successful cyber incidents; nonetheless, security investment should move beyond compliance to providing reassurance.
Reassurance is the effective and efficient utilization of cybersecurity controls to demonstrate how they keep the business safe, address concerns and questions from the executive team, and align the program with regulatory and contractual requirements. Providing reassurance is a continuous process and is made possible by an adaptive cybersecurity program that leverages threat intelligence, risk analysis and deployment of resources to proactively mitigate business risks.
A principal part of my responsibility is to analyze data from various sources, including infrastructure, trust relationships and threat modeling, and to evaluate the effectiveness of extant controls to proactively stop threats and prevent risks before they impact the business. I provide the executive team with monthly reports that highlight how the program is protecting the business. Working in a highly regulated industry, the security program is subjected to a rigorous audit and assessment process that comprises an audit of security controls by a dedicated security auditor, a compliance internal audit team and a team of external auditors and assessors that includes three of the Big Four consulting firms. A SOC 2 audit, NIST CSF maturity assessment or HITRUST validated assessment is treated as a statement of control effectiveness to reassure executive leaders, investors, regulators, and clients that the organization has effective controls in place to protect the business.
Using reassurance as an investment metric provides security leaders with an arsenal of tangible value to demonstrate the crucial role cybersecurity plays. To effectively apply reassurance as a metric, security investment must move beyond assurance, which is the controls baseline to keep IT systems secure, to intentionally scaling controls to meet business needs and requirements. As such, investment must correspond with specific operational, legal, financial, contractual, regulatory, and reputational objectives.
Resilience: One of the myths organizations wish were reality is that the more they spend, the more secure they are. While there is no doubt that more spending could position an organization to be more effective at preventing cyber threats, it is misleading to assume that a huge budget guarantees a risk-free enterprise. This is one of the reasons the board frowns on budget increases when successful attacks keep happening regardless. The truth is that a perfectly secure organization does not exist. A driving factor behind increased spending in the financial sector is the need to make banks more resilient against evolving, sophisticated and destructive cyber-attacks.
Investment in keeping the business resilient is a no-brainer. Dependence on technology and digitalization has placed the survival of organizations squarely within the IT and security space. In a hybrid work environment, collaboration platforms are no longer nice-to-have but must-have to keep performance and productivity going. Protecting such platforms to prevent major business disruption is the prerogative of the security team. Maintaining a business continuity or disaster recovery program is no longer something to consider in the future. Thanks to the pandemic and geopolitical instability, with their attendant supply chain disruption, businesses must have controls in place to keep operations sustainable and resilient.
A major responsibility of security leaders is to keep business operations resilient in the event of a catastrophic occurrence. This commitment requires substantial investment. It is certainly not practicable to invest resources in replicating the entire business in parallel. A resilient investment approach will instead focus on the prioritization of mission-critical assets, identification of material threats and risks, utilization of preventative, detective, and corrective controls, and optimization of recovery and contingency capabilities. One way to leverage resilience as a metric is to create business-specific scenarios that identify potential outages or quantify downtime due to IT issues or to vendor services and technology. A 2017 AWS outage cost companies $150 million, while the 2021 outage wreaked havoc across the US. Though Facebook lost about $65 million during its 2021 outage, millions of businesses also lost revenue.
Revenue: It has been said several times that cybersecurity does not generate revenue. Although cybersecurity does not make money the way core business operations do, it ensures the business can continue to operate in a secure environment. For the sake of argument, finance and human resources do not make money either; however, they enable the operation of the business through budgetary allocation and resource optimization. No business can survive without some element of finance or human resources management. Likewise, cybersecurity is integral to successful business operations.
Cybersecurity has shifted from the supplementary role of creating a supporting environment to ensuring revenue preservation and generation. To better appreciate how cybersecurity keeps business operations profitable, a review of the cost of data breaches and other cyber incidents shows that the cost of cyber-attacks is exorbitant. Preventing such attacks translates to money that can be used to keep operations funded. According to the Data Breach Report, the cost of a data breach was $4.35 million in 2022, the highest in the 17-year history of the research and a 12.7% increase from 2020. McAfee put the global cost of cybercrime at around $945 billion, and the cost is expected to increase to $10.5 trillion by 2025.
There is no argument that cyber incidents will continue to happen. In the first 6 months of 2022, there were high-profile incidents involving global corporations including Okta, Microsoft, T-Mobile, NVIDIA, and others. A recent Uber data breach reinforced the persistence of cyber incidents. According to the 2022 Verizon Data Breach Report, 62% of system intrusion incidents were due to third-party relationships, while ransomware increased 13% over the previous year. Breaches in which remote work was a factor cost more than breaches in which it was not.
The modern business environment has made cyber incidents inevitable. From the risk posed by remote work to third-party exposure and supply chain disruption, it is imperative that organizations implement appropriate cybersecurity controls to mitigate business loss. This key role of protecting the business is the revenue preservation value that security investment brings to the business.
Besides ensuring that businesses can continue to be profitable, cybersecurity also functions as a revenue generation vehicle for the business. Organizations are increasingly unwilling to do business with vendors who cannot demonstrate that they have effective cybersecurity controls in place. With 84% of IT and security professionals believing that supply chain attacks will be the biggest cyber threat, organizations that experience cyber incidents suffer brand reputation damage and devaluation of their trade name. Conversely, organizations with appropriate cybersecurity controls are more likely to attract new business opportunities; 18% of CEOs identified cybersecurity as critical to customer trust. Thus, cybersecurity becomes marketing leverage for winning new business, which translates to revenue generation.
Using revenue as a metric requires security leaders to demonstrate how cybersecurity actively drives business opportunities. To measure how cybersecurity preserves revenue, security leaders should provide the statistics of prevented attacks and their impact on the business. One way to use cybersecurity as a revenue generator is to transform cybersecurity into a trust program by showing how implemented controls secure clients’ businesses and assure peace of mind. An added value is the presentation of third-party affirmation of the effectiveness of implemented cybersecurity controls.
Cybersecurity brings enormous value to the business by protecting it against cyber threats that could cause material damage. The crucial job of building the right value metric helps to make a case for appropriate cybersecurity budgetary allocation. Moreover, articulating its value will further demonstrate how the business benefits through risk reduction, reassurance, resilience, and revenue generation.