In a world increasingly powered by a digital economy and technology systems, there’s no denying that cybersecurity can both protect and create business value. However, as most senior cybersecurity professionals already know, it is very common for cybersecurity to be viewed as a cost center and as something that impedes the business. Chief Information Security Officers (CISOs) are increasingly becoming peers among the C-Suite and realizing the need to communicate in business terms and help cybersecurity be viewed as a business function.
As Business Information Security Officer (BISO) Alyssa Miller points out in this excellent LinkedIn post on the topic, far too often CISOs and security leaders try to communicate the business value they provide through hypothetical breach-avoidance and quantification exercises. The problem, as Alyssa points out, is that this is largely speculative and reeks of the traditional Fear, Uncertainty and Doubt (FUD) style of approach to cybersecurity. This sort of approach has negative overtones associated with it and often leads to cybersecurity being sidestepped.
The truth is that, depending on the nature of the business you’re in, cybersecurity is often more about business enablement and protecting business value than about creating it. Obviously, depending on the industry or business, for some, cybersecurity itself is the business. This applies in situations such as cybersecurity tool vendors or Managed Service Providers (MSPs). But for most, cybersecurity is more focused on protecting business value and enabling agility. This often comes down to things such as customer trust and loyalty. Having a significant security data breach can harm customer trust, loyalty, and market share depending on the severity. This is a clear example of a situation where cybersecurity can protect business value.
Shifting a bit to the revenue side of the house, depending on the industry your organization is operating in, regulations and compliance come into play. For example, it is an industry standard for Software-as-a-Service (SaaS) vendors to be asked for artifacts such as ISO, SOC 2 and FedRAMP reports. If your organization isn’t implementing fundamental security practices and processes, it will be difficult to obtain these certifications. Failing to obtain these certifications could mean the difference between landing a new customer and being told “no thanks, come back later with those certifications in hand.”
There are other ways in which cybersecurity acts as a business enabler as well. We’ve recently discussed the power of resiliency and the need for sound incident response and business continuity practices. In a world of on-demand, always-available services, often generating revenue through a web presence or digitally enabled supporting systems, system disruptions can directly impact revenue generation. Ensuring your organization can be resilient and can anticipate, withstand, recover from and adapt to cybersecurity events is critical. A great place to start on this front is with NIST’s SP 800-160 Vol. “Developing Cyber-Resilient Systems”. In a similar vein, ransomware has wreaked absolute havoc on the industry in the last several years and is set to cost tens of billions of dollars all on its own.
Specific scenarios aside, an overarching theme among today’s cybersecurity leaders is that their communication must keep the business in perspective, tie to key business objectives and discuss risks in the context of the business. In the recently published book “The CISO Evolution: Business Knowledge For Cybersecurity Executives” by Rock Lambros and Matthew K. Sharp, the authors say the modern CISO must be able to inspire trust, properly characterize the indispensable role of cybersecurity to the organization’s strategic plans and acquire the necessary funding to execute the cybersecurity program. This is a tall order and requires gaining trust from executive leadership, understanding the organization’s risk appetite and clearing up misunderstandings of the role of cyber within the broader organizational context.
When approached correctly, cybersecurity leaders can gain the desired buy-in and be seen as a business enabler rather than an impediment. This is a process that will take time, and a shift in not just organizational but industry-wide culture when it comes to how cybersecurity is viewed. That said, it is a challenge the cybersecurity leaders of the future stand poised to tackle.