
It is a common refrain among senior folks in enterprise cybersecurity: “We have to learn to align with the business.” Unfortunately, it seems like we spend most of our time trying to get the business to “align with cybersecurity” and become frustrated when they don’t or can’t. Part of the reason is that we often don’t want to (or can’t) speak like the business. The reality is that cybersecurity is a cost center in organizations. Not only that, it is a cost center where it can be extremely difficult to recognize the value, of which there is plenty. (See my previous article on board-level cybersecurity metrics.)
Two steps to align cybersecurity with the business
At a basic level, aligning with the business is a two-step process. Step one is to understand their language. The lingua franca of all enterprises is finance, and this can often pose our biggest challenge. Most industries have their own measures of cost effectiveness—think sales per square foot in retail or treatment cost per patient in healthcare. In cybersecurity, we need to act like any other department or line of business in the organization. That brings us to step two.
The second step is to develop methods and metrics to determine benefit-cost analysis and return on investment in a value (not profit) way. This can start by calculating costs using cost accounting methods like activity-based costing and evaluating investments using breakeven analysis. It can be as simple as determining the amount being spent and qualitatively determining whether the investment “is worth it”—something you do implicitly already but probably not explicitly.
At that point, you have also reached the lower bounds of the risk you are reducing. If it is “worth it” to spend $1 million on a solution, then you are expecting to reduce risk by at least that amount. People often get nervous when I suggest that these lower bounds also apply to the collective amount of cybersecurity spending in an organization. (Those really interested should look up the concept of “willingness-to-pay” in economics handbooks.) Once you have the basic financial information, things get really exciting. You can start looking at financial ratios like cost-per-control, cost-per-session, loss-to-value ratio and more.
I once heard a CISO on stage at a conference say he would spend “whatever it takes” to be secure. I’m here to tell you that is ridiculous and a cop-out. Look, I get the sentiment in an emotional sense, but this type of thinking can be extremely destructive and contrary to any business alignment opportunities out there. Understanding financial impact in cybersecurity can be challenging. (Hey, human resources probably has it even worse.)