Cybersecurity as an organizational department is not treated like its peers. Nearly every other department is measured by the value it brings to the organization: the return on the investments made in it, whether people, capital, or other resources. Today, cybersecurity is measured by its ability to protect the organization. But how do you measure the value of protection? We continue to see ballooning cybersecurity budgets, and yet the connection between budget and value delivered is murky at best for almost every organization. The reality is that protection has value, and like its peers it requires investment. That value just needs to be better measured and understood.
This challenge is evident both within organizations and when considering cybersecurity as an industry. As threats continue to increase and the costs of incidents mount, the situation is unsustainable. The connection between security investments and the value they deliver needs to be much tighter in order to improve effectiveness. It needs to drive not just strategic but operational decisions as well. To get there, cybersecurity needs a reset, one where it is measured and managed by the value delivered.
Three catalysts have driven decisions within cybersecurity as it has evolved from a ragtag technologist or two into a key department represented in the C-suite:
- Fear: initial decisions to invest in cybersecurity were driven by fear (some still are). Cybersecurity as a practice was born from the tech nerds who built broader information technology. As their creations began to deliver value, the eccentric among them realized the security implications of the value they were delivering. First among them were those working in the financial sector. They were literally dealing in money, so the ability to quantify the risks was clear and present. During this period, the adversaries were people just like them – the eccentric bunch that loved to hack at code. Defining what to do required trial and error. Fear of loss drove innovation.
- Frameworks: one key innovation that initially came from fear was the framework – a series of activities and ideas codified into structures that others could execute. Frameworks from NIST, ISO, MITRE, and others emerged to add credibility and consistency to these ideas. Many organizations to this day live and breathe by their adherence to frameworks, as that is the most tangible structure they have for measuring and managing security decisions.
However, frameworks are foundational but limiting. While they correctly define best practice, they offer little in the way of evaluating the effectiveness of a cybersecurity program. A control is either in place or it is not, whereas the value that control delivers is far more nuanced.
- Financials: the emerging catalyst for both strategic and operational security decisions is the financials of the security program – the value delivered to the organization given the investments made. Security teams are now protecting what has become the heartbeat of a digital-first organization, increasing the spotlight on both their effectiveness and their efficiency. Progressive CISOs leading the way have learned, through their own initiative (or organizational pressure), that the key to their success is not just protecting the organization, but doing so in a way that both protects and enables value. Nearly every strategic objective of the organization relies heavily on the security team's ability to protect and enable execution.
A security program rooted in its financials allows its key decisions to be understood alongside those of its departmental peers. Resources such as headcount and dollars can then be allocated not according to fear or framework adherence, but according to the value cybersecurity provides to the organization.
One of the main obstacles hindering the Financials catalyst from taking hold is the multitude of definitions for risk. To the CFO, risk is straightforward: it is the potential for financial loss. In cybersecurity, however, risk has acquired various meanings, such as standing in for vulnerability or threat. This shift has obscured its role as a financial measure – i.e., how the rest of the organization understands risk. Consequently, discussions about risk are difficult, and using the word in divergent ways further alienates non-technical colleagues. To combat this confusion, some security leaders have leaned on proxy metrics that describe "coverage" or "activity", but these remain untethered to the value they create.
The problem is further exacerbated by the industry's confusing attempts at defining value. The Cyber Risk Quantification segment of vendors attempts to quantify risk, but the options require a heavy services investment and are difficult to use operationally. Newer product categories like CSPM, DSPM, and now AISPM also use the language of risk, but each of those domains is treated in isolation, whereas risk is a whole-of-organization issue.
Organizations are broad, and their risk is complex. You cannot manage cyber risk without first establishing a comprehensive awareness of your existing risk. And you cannot operationalize that awareness unless your methods allow it to be disseminated to the whole team, from the CISO to the analyst and everyone in between and around the security organization.
For cybersecurity to mature into a material department alongside information technology and its other key organizational brethren, it must not only understand its value, but operate from it. A new way forward is needed, where the value of security is not only quantified, but understood and embedded into the security team in such a way that every operational decision keys off it. As information technology has matured, and as so many other key departments already do, cybersecurity must let value drive its decisions, from investments to priorities to effectiveness. Only then will cybersecurity have evolved into what it must be for organizations to be secure.