Security executive Ricardo González doesn’t see IT security as a cost center; instead, he describes it as “a strategic investment in the reduction of corporate risk, and a positive contribution to the realization of business value.”
That’s something the whole C-suite can get behind. Yet it’s a perspective that has only started to gain ground as CISOs and their security teams mature into their roles as fully vested executive leaders.
Indeed, González, head of operational risk and control as well as business resilience manager for Zurich Spain, part of the international insurance company, says more CISOs are sharing his perspective – and looking to quantify their value.
It’s an important and worthwhile ambition, but many CISOs struggle with how to articulate in financial terms what, and how much, security delivers to the organization. Yet experts say it should still be done.
“Demonstrating business value can be much easier for sales, production, procurement, even for IT. But for functions such as compliance, risk management or information security demonstrating value is far more challenging, therefore it is more important to make it,” González says. “Professionals in those areas usually fall for the temptation of thinking they are simply ‘necessary’ somehow, part of the cost of doing business. This is a mistake. You should help achieve business goals, topline and bottom-line, as effectively as possible, with the least waste possible. And if nobody else is measuring your contribution, then you should be the one to worry about how to do it best.”
This is new territory for CISOs, who have traditionally focused on measuring tactical improvements such as the number of patches applied or denial-of-service attacks blocked. It’s also particularly challenging, as the ROI on security investments has been notoriously difficult to calculate. After all, how does one put a price tag on something bad that doesn’t happen?
There are ways to do that, say leading security executives, researchers and cybersecurity advisors. They agree that CISOs now need to adopt metrics and key performance indicators (KPIs) that better illustrate the business value that the security function delivers to the organization as a whole.
Although there is no one KPI that will work for every CISO, experts say there are several key steps CISOs should follow to develop metrics that will demonstrate security’s business value in their own particular enterprise.
Measure against risk
To start, every CISO must understand his or her own organization from a business perspective – its revenue streams, its assets, its strategy, etc. – and how those all fit into its tolerance for risk, says Anne Marie Zettlemoyer, vice president of information security engineering and a divisional security officer at Mastercard.
“Security isn’t there just for itself; it’s all about understanding the risk appetite of the business and then building fences around it,” says Zettlemoyer, who is also a security expert with ISACA, a professional association focused on IT governance.
CISOs who understand what’s most important to the business can then build a security program aligned to the business’s needs, with less likelihood of over-hardening security in less critical areas while underinvesting in the most critical ones. “CISOs have to build defenses and capabilities that are in line with risk,” Zettlemoyer adds.
Many organizations aren’t yet that mature.
The 2018-2019 EY Global Information Security Survey polled some 1,400 C-suite leaders, including information security and IT executives, and found that 55% of organizations “don’t make the protection of the organization an integral part of their strategy and execution plans.” The survey also found that 92% of organizations have cybersecurity functions that don’t fully meet their needs.
However, experts say CISOs who have an understanding of the business priorities, strategies and risk tolerance can better articulate how particular security investments mesh with those business objectives and risk thresholds. Those CISOs can then frame security’s value proposition against how well it aligns with the organization’s risk tolerance.
“Indicators and metrics will only make sense if they can help everyone understand how far or how close [security is getting] relative to those thresholds,” González explains.
Quantify security’s role in business success
CISOs can’t end their work at marrying security investments to their organization’s risk tolerance.
They also need to take their understanding of the organization’s strategic plans, plot where and how the security function enables business objectives, and then identify and quantify how security’s role contributes to the overall success of those initiatives.
“The value of security here is in how you facilitate those business outcomes, how you help take a business product from Point A to Point B,” Olyaei says, adding that CISOs who have strong relationships with their business-side peers are better positioned to ask, learn and understand the financials of any given initiative as well as tease out security’s enablement of success.
Consider, for example, how security works with business and IT teams to enable the digital products that companies are now launching into the market. As Zettlemoyer points out: “Most CISOs know what it costs if something goes down, or the liabilities in terms of contract issues or in terms of [regulatory] fines.”
Those figures can help highlight security’s role in enabling those digital products, just as the business and IT functions can share how their work delivered ROI.
So, identify the contribution that security makes to the success of specific projects and initiatives, González says, and then keep measuring it.
“For example, it could be argued that assessment of the IT security position – and subsequent improvement and maintenance – was key to the success of a specific business initiative (say, a merger), and the contribution of IT security can be seen as a 2%. Going forward, 2% of potential business benefits could be attributable to IT security,” González says.
Use metrics that matter
Of course, security isn’t only about enablement; its raison d’être is still to protect and defend the enterprise.
Yet there is no 100% guarantee. The security community recognized years ago that it’s impossible to build an impenetrable fortress. In fact, most CISOs have adopted the idea that some incidents are inevitable. It’s a “when, not if” mentality.
C-suite executives and directors might not be getting that message, though.
“Most CISOs still promise boards 100%, [saying] ‘If you give me X dollars, I’ll fix this.’ You’re promising perfection even if you tell them it’s not possible,” Olyaei explains.
As a result, security has to demonstrate how well it does with more nuanced metrics, ones that don’t measure simply (and starkly) secure vs. insecure but rather those that indicate where the organization falls in between those extremes and whether it is improving over time on those measures.
There are a number of indicators CISOs can use to develop KPIs that demonstrate the value of security investments.
Know your valuables
How thoroughly has the security team cataloged the assets of the organization, identified the risk tolerance for each of those assets and implemented the corresponding level of defenses?
“Every company should know their valuables – what is their core technology and whatever it is they want to protect – so they can put a wall around the most valuable assets. There are some companies [that understand] if they lose a bunch of emails in a breach, that’s fine; but if they lose Social Security numbers, then that’s a different issue,” says Omri Admon, a corporate innovation specialist and cybersecurity expert with business networking company SOSA NYC.
What is the response time when an attack happens? How fast did the security team deliver on key elements of that response, such as time to close exit points to reduce the amount of data moving out of the enterprise? Admon notes that CISOs can calculate in real dollars the value of a speedy response that results in a lower business impact.
Zettlemoyer says she takes that approach, using research data and publicly available figures to calculate how her security investments can produce financial wins for her company.
“As we talk about the issue of resilience, you can show value through tests, simulations and exercises that [demonstrate] how well prepared your organization is to respond to something and how fast it can recover,” she says.
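As an added illustration (not code from the article or from any of the people quoted in it), the following Python computes two of the indicators discussed in this section from a constructed incident log: the median time from detection to containment per quarter, so that the trend over time is visible, and an estimated dollar loss compared against a risk tolerance threshold, which is the "how far from the threshold" view described earlier. The incidents, the per-record cost figures and the tolerance value are all assumptions made up for the example, not figures from the article.

```python
"""Response-time KPIs and dollar-denominated exposure from an incident log.

Added example; the incidents, costs and tolerance below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime
from statistics import median


@dataclass(frozen=True)
class Incident:
    """One incident: when the SOC detected it, when egress was closed
    (containment), which asset tier was hit, and how many records left."""
    ident: str
    detected: datetime
    contained: datetime
    asset_tier: str          # "critical" (e.g. a PII store) or "standard"
    records_exposed: int


# Constructed sample data (not real incidents).
INCIDENTS = [
    Incident("INC-1", datetime(2019, 1, 14, 9, 0), datetime(2019, 1, 15, 21, 0), "standard", 0),
    Incident("INC-2", datetime(2019, 2, 3, 2, 30), datetime(2019, 2, 4, 8, 30), "critical", 12_000),
    Incident("INC-3", datetime(2019, 5, 20, 11, 0), datetime(2019, 5, 20, 17, 0), "standard", 500),
    Incident("INC-4", datetime(2019, 6, 2, 13, 0), datetime(2019, 6, 2, 19, 0), "critical", 1_500),
    Incident("INC-5", datetime(2019, 8, 9, 7, 0), datetime(2019, 8, 9, 11, 0), "critical", 800),
    Incident("INC-6", datetime(2019, 9, 1, 22, 0), datetime(2019, 9, 2, 1, 0), "standard", 0),
]

# Assumed cost per exposed record by asset tier (hypothetical figures).
COST_PER_RECORD = {"critical": 150.0, "standard": 20.0}


def quarter(d: datetime) -> str:
    """Calendar quarter label, e.g. 2019Q2."""
    return f"{d.year}Q{(d.month - 1) // 3 + 1}"


def hours_to_contain(inc: Incident) -> float:
    """Detection-to-containment time in hours."""
    return (inc.contained - inc.detected).total_seconds() / 3600


def median_ttc_by_quarter(incidents) -> dict:
    """Median time-to-contain per quarter, keyed in chronological order."""
    by_q: dict = {}
    for inc in incidents:
        by_q.setdefault(quarter(inc.detected), []).append(hours_to_contain(inc))
    return {q: median(v) for q, v in sorted(by_q.items())}


def is_improving(by_quarter: dict) -> bool:
    """True if the quarterly median never got worse from one quarter to the next."""
    vals = list(by_quarter.values())
    return all(later <= earlier for earlier, later in zip(vals, vals[1:]))


def loss_estimate(incidents, cost_per_record=COST_PER_RECORD) -> float:
    """Estimated loss in dollars: exposed records weighted by asset tier."""
    return sum(inc.records_exposed * cost_per_record[inc.asset_tier] for inc in incidents)


def exposure_vs_tolerance(loss: float, tolerance: float) -> dict:
    """Distance between estimated loss and the board's dollar risk tolerance."""
    return {
        "loss": loss,
        "tolerance": tolerance,
        "headroom": tolerance - loss,
        "within": loss <= tolerance,
    }


if __name__ == "__main__":
    trend = median_ttc_by_quarter(INCIDENTS)
    print("median hours to contain by quarter:", trend, "improving:", is_improving(trend))
    # Tolerance of $2.5M is an assumed figure for the example.
    print(exposure_vs_tolerance(loss_estimate(INCIDENTS), 2_500_000.0))
```

The per-record weighting is the simplest way to make the "know your valuables" point measurable: the same number of exposed rows costs far more when they come from the critical tier, so the loss estimate automatically rewards putting the stronger controls (and the faster response) where the tolerance is lowest.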
Benchmark against other organizations
Zettlemoyer says she can explain how her security team would respond in an event, the expected level of resiliency and the amount of money saved by being prepared, by pointing to the consequences and costs other companies faced for not being adequately prepared. She has used, for example, the fact that the Copenhagen-based shipping giant A.P. Moller-Maersk had an estimated $200 to $300 million in costs as a result of the 2017 NotPetya attack.
Others likewise recommend using breach data to benchmark how they’re doing against organizations of similar size or in their industries.
“That’s hard data that’s available,” says Rolf von Roessing, board vice-chair of ISACA, CEO and partner at Forfa Consulting AG, and chairman of Forfa Holding AG. He says CISOs can compare the success, and therefore the value, of their investments against the number and cost of breaches, as well as the amount of any associated fines or penalties, experienced by comparable organizations.
Additionally, Bill Serowka, senior consultant at Swingtide, a management and IT consulting firm, says CISOs can use data, such as Ponemon’s annual Cost of a Data Breach report, to quantify the dollar value of a robust security function. The 2019 report calculates the average cost of a data breach at $3.92 million, a 12% increase from five years ago.
Such figures help business-line executives, CEOs and directors to fully appreciate the value that the security investments generate, Serowka says. So it’s worthwhile to have them at the ready.
“CISOs need to quantify risk and need to associate a dollar sign with that risk, and they need to report it accordingly. Because business is about risk vs. reward, and the people at this [executive] level want to understand whether they want to take the risks, whether the risks offset the rewards, or not.”