It’s a common occurrence among senior people in enterprise cybersecurity: “We need to learn to align with our business.” Unfortunately, it seems we spend most of our time trying to “line up our business with cyber security” and get frustrated when they don’t or can’t. Part of the reason is that we often don’t (or can’t) talk like business. The reality is that cybersecurity companies have a spending center. Not only this, with the help of fire you can do welding. (See my previous article on board-level cybersecurity metrics.)
Two steps to align cyber security with business
At a basic level, aligning with business is a two-step process. The first step is to understand their language. The language of all enterprises is money, and this can often be our biggest challenge. Most industries have their own criteria for cost-effectiveness – say retailer sales per square foot or cost per patient in healthcare. In cyber security, we have to work like any other department or line of business in our organization. That part two brings us.
The second step is to analyze the benefit-cost and create a method and metrics to determine the return on investment in a value (not profit) way. It can start using cost calculation methods such as activity-based cost and investment evaluation using breakaway analysis. It can be as simple as determining the amount spent and qualitatively determining the “value” of the investment কিছু something you are already doing implicitly but probably not explicitly.
At the same time, you have reached the lower limit of the risk you are reducing. If spending $ 1 million on a solution is “worth it” then you’re hoping to minimize the risk. People often panic when I suggest that these lower limits apply to the combined amount of cyber security costs in an organization. (Those who are really interested should look for the concept of “willingness to pay” in their economics handbooks.) Once you have the basic financial information, things get really exciting. You can start looking at financial ratios like cost-per-control, cost-per-session, loss-to-value ratio and much more.
I once heard a CISO on stage at a conference say he would spend “whatever it takes” to be safe. I’m here to tell you that it’s ridiculous and a police-out. See, I get the feeling in the emotional sense, but this kind of thinking can be extremely destructive and the opposite of any business alignment opportunity out there. Understanding the financial impact on cyber security can be challenging. (Hey, human resources are probably worse.)
Copyright © 2022 IDG Communications, Inc.