What does it mean for cybersecurity to “align with the business”?

It’s a common refrain among senior corporate cybersecurity executives: “We have to learn to align with the business.” Unfortunately, we seem to spend most of our time trying to get the company to align with cybersecurity, and we get frustrated when it doesn’t or can’t. Part of the reason is that we often don’t want to (or can’t) speak the company’s language. The reality is that cybersecurity is a cost center in most organizations. Not only that, it’s a cost center whose value, though real and abundant, can be extremely difficult to recognize and measure. (See my previous article on cybersecurity measures at the board level.)

Two steps to align cybersecurity with the business

At its core, business alignment is a two-step process. The first step is to understand the business’s language. The lingua franca of every business is finance, and that is often our biggest challenge. Most industries have their own measures of profitability – think of sales per square foot in retail or cost of treatment per patient in healthcare. Cybersecurity has to behave like any other department or line of business in the organization and express itself in those terms. This brings us to the second step.

The second step is to develop methods and metrics for benefit-cost analysis and for estimating return on investment in terms of value delivered (not profit). This can start with calculating costs using cost accounting methods such as activity-based costing, and valuing investments using break-even analysis. It can be as simple as determining the amount spent and qualitatively judging whether the investment is “worth it” – something you already do implicitly, but probably not explicitly.

At this point, you have also established a lower bound on the risk you claim to be reducing. If it’s “worth” spending $1 million on a solution, you are implicitly asserting that it reduces expected loss by at least that amount. People often get nervous when I point out that the same lower bound applies to the collective cybersecurity spending of an organization: the total budget is an implicit statement of how much risk the organization believes it is buying down. (Those really interested should look up the concept of “willingness to pay” in an economics textbook.) Once you have the basic financial information, things get really exciting. You can start looking at financial ratios such as cost per check, cost per session, loss-to-value ratio, and so on.

I once heard a CISO on stage at a conference say he would spend “whatever it takes” to be safe. I’m here to tell you that’s ridiculous and a cop-out. Listen, I understand the sentiment, but that type of thinking can be extremely destructive and runs contrary to any opportunity for business alignment: a spend with no upper limit cannot be justified, compared, or prioritized against anything else the business does. Understanding the financial impact of cybersecurity can be difficult. (Hey, HR probably has it even worse.)

Copyright © 2022 IDG Communications, Inc.