Treating Cybersecurity as a Business Investment

Cost and value drive every business outcome, except cybersecurity – until now. CISOs increasingly need to communicate the value of security measures and defend their recommended investments. Measuring cybersecurity value delivery by establishing consistent, outcome-driven metrics accrues many benefits and helps enhance decision-making and board governance.

Recently, CIOs and CISOs in the Denver Community came together to discuss the metrics and communication needed to guide executives and board members to apt and defensible cybersecurity investments and execution. Paul Furtado, VP Analyst at Gartner, kicked off the session, and Denver Community members Dustin Morris, Director, Cybersecurity & Governance at Hensel Phelps Construction; John Shellenberger, VP & CIO at Johns Manville; and Lena Taylor, VP & CISO at Crocs led the discussion groups.
 

Making the Case for Security Purchases

Paul Furtado of Gartner shared a framework with executives for how to articulate risk and rationalize security purchases to the business. Paul, who held CIO and CISO roles before joining Gartner, shared that executives have to be able to speak in a language that the business understands and “talk about what the different stakeholders care about.” 

Paul noted that creating clarity with a security program involves communicating with three sets of requirements in mind:

• Executives speak in the language of business outcomes and value delivery.
• CIOs are concerned with the supporting technology.
• CISOs are focused on cybersecurity.

He explained that executives are looking for assurance and trying to understand how well the organization performs at things like discovering anomalies in their environment, detecting and responding quickly to threats, and resuming normal operations after a cybersecurity incident.

Paul shared that IT and security leaders might be tempted to communicate with FUD (fear, uncertainty and doubt), but should share what’s reasonably expected to happen. He said, “We can demonstrate a standard of due care, meaning that someone in your similar situation would make the same decision.”

This standard of due care philosophy allows CIOs and CISOs to make the right decisions and investments and provides clarity to stakeholders. A standard of due care also gives IT and security leaders defensibility of their programs.

Paul closed by sharing an example of how to deliver an outcome-driven metric. He also noted that CIOs and CISOs can remind their Boards and C-suite peers that “making small investments upfront prevents an ‘open wallet’ situation during an incident.” He added, “No one wants to be in a spot where they are thinking, ‘I’ll spend anything to save my business.’”
 

Key Takeaways from the Discussion

• Integrating cybersecurity with business objectives.

IT and security executives emphasized the importance of aligning cybersecurity goals with organizational risk management. This involves working within enterprise risk groups and ensuring that cybersecurity is integrated into the broader risk management framework. One executive commented that it is important for security leaders to be “engaged early on in what the organization is trying to accomplish and how cyber risk fits into it.”

The use of security committees and regular reporting to leadership teams, including quarterly updates to the Board, helps mitigate business friction and keeps executives informed about cybersecurity risks and regulatory changes. One CIO said to “not lose sight of the basics” in reporting.

The ongoing education of executive leaders about the evolving threat landscape and the significance of cybersecurity investments is crucial. This includes making the narrative relatable and impactful, focusing on the risk profile of the business, rather than technical details.

• Communicating risk and engaging with the Board.

CIOs and CISOs agreed that keeping the Board engaged is vital, especially in light of incidents like the CrowdStrike breach, which has heightened awareness of supply chain risks, third-party risk management and change management controls.

Several executives mentioned that bringing in external experts or special guests to speak to the Board can help convey security messages more effectively. One CISO noted that “we need to be able to tell a story that resonates with them, not explain a security framework.”

Another executive commented that boards are generally quite engaged right now and are “interested in understanding the risk profile of the business.”

• Maximizing the value of cybersecurity investments.

IT and security leaders discussed the importance of demonstrating the value of cybersecurity investments, such as through the use of data and real-world examples to make compelling points to stakeholders.

Utilizing resources like cyber insurance benefits, including onsite ransomware exercises and breach coaches, can enhance the organization's security posture and ensure that you are maximizing the value of insurance premiums. One CIO shared that cyber insurance policies may offer benefits that not everybody takes advantage of, and theirs offered an onsite ransomware exercise for executives.

The focus should be on getting the biggest bang for the buck by leveraging other groups within the organization to communicate and extend the security message, ensuring that cybersecurity is seen as a critical enabler of business objectives.

CIOs and CISOs agreed that “a lot of us have learned from the misfortune of others,” but cyber attacks can bring the issue to the forefront for C-suite executives and the Board. It can lead to expansion or increased investment “when you see what can happen,” as one security leader said.

For more conversations with technology and security peers on cybersecurity investments and communicating risk, apply to join a local Evanta Community. Or, if you are already a member of an Evanta CIO or CISO community, sign in to MyEvanta to find and register for your upcoming community programs.