How to optimise the business value of cybersecurity

Most executives think of security in terms of threats and money spent but don’t consider the business value of a security control or investment. While spend doesn’t equal protection, you will need to make investments to adjust to the organisation’s willingness to take on extra risk. How do you build cybersecurity capabilities for better business outcomes, beyond simply spending more?

Gartner forecasts Australian end-user spending on security and risk management will grow 11.5% in 2024 to reach $7.74 billion, driven by the continuous adoption of cloud, hybrid workforces and generative AI, as well as the evolving regulatory environment. At the same time, a Gartner survey found that 64% of boards expect to increase their risk appetite in 2023–2024.

Cybersecurity must be treated like a business decision that delivers value, so it’s important to choose a level of protection within your willingness to pay. A material factor influencing protection levels will be defensibility, with key stakeholders including shareholders, customers, partners and regulators.

An approach that embeds an incentive to build a better cybersecurity capability is needed — one that delivers better outcomes, not just spending more. The purpose of any cybersecurity program is to manage a sustainable set of controls that balances the need to protect with the need to run the business or achieve the mission.

Establishing a governance process is also important to decide how much security is required and how much executives are willing to spend. To do that, assess the outcomes of selected cybersecurity investment options on various stakeholders versus the cost. Then determine how they drive key protection-level outcomes for your organisation.

Identify stakeholder priorities and concerns

The first step in building a value proposition is to identify the priorities and concerns of stakeholders related to desired protection levels. This helps to understand the perspective and context in which outcomes from cybersecurity initiatives must be framed.

Initiatives and value can then be mapped to the criteria for success of the stakeholder and their mission-critical strategic priorities. How will your cybersecurity initiatives help them to be successful? How will they define success? This engages them in choosing their desired level of protection and their willingness to pay for it.

Measure protection levels

Most organisations measure and report on cybersecurity performance and progress primarily through operational technology performance metrics, which are poor indicators of protection levels.

Instead, identify outcome-driven metrics for cybersecurity initiatives. These metrics have a direct line of sight to the value proposition of a security control, reflecting how well an organisation is protected, not how IT is protected. These metrics enable value by protecting brand and business or mission outcomes, and support direct investment to change protection levels.

Risk appetite is established through protection-level agreements, which are expressions of security value and cost that support executive decision-making. These agreements are a contract between executives and CISOs to deliver a target protection level for a planned cybersecurity investment.

Align protection levels with business outcomes

A connection between protection levels and the supported business outcomes is a critical step in gaining executive agreement over how much security they want and how much they’re willing to spend.

Protection levels can then be mapped to systems supporting stakeholder mission-critical priorities and concerns. Focus on business systems, business impact, enterprise risk and financial risk.

Measure the return from security outcomes

A critical part of the process is realising the return from cybersecurity outcomes to the organisation. This is measured as achieving desired levels of protection aligned with business outcomes and the continuous re-evaluation of stakeholder requirements.

This alignment can identify the business impact of cybersecurity incidents, regulatory findings, cost and defensibility to key stakeholders. Investments can be influenced by comparing protection levels and cost, versus financial and business impacts (cyber insurance rates, regulatory fines, loss of business and revenue decline). They can also be influenced by assessing non-financial leading indicators of financial impact, such as on a customer, employee, and ecosystem brand and reputation due to loss of trust.

Outcome-driven metrics continuously reflect the levels of protections for different business outcomes, creating numerous opportunities for change. Any change would require a shift in priorities and investments that would further impact stakeholders you’ve been engaging with. This helps to build a cybersecurity capability that delivers better business outcomes, not just spending more money.

Educate executives and the board in a meaningful way

All of these factors can be used to present the critical value story to other executives and the board in business terms that have meaning for them. Make sure you continuously engage with them about cybersecurity using the language and metrics they understand to make informed decisions for the business.

Paul Proctor is a VP and distinguished analyst, and former chief of research for risk and security at Gartner. He leads CIO research for technology risk, cybersecurity and digital business measurement. The business value of cybersecurity will be discussed at the Gartner Security & Risk Management Summit in Sydney, 18–19 March 2024.

Image: iStock.com/ipopba