While defending against cyberattacks has become an increasingly important part of doing business, cybersecurity is still often seen primarily as a technology issue. But a recent blog post from Gartner[1] is calling for change. In fact, according to Gartner, cybersecurity is more properly defined as a business value issue that reaches well beyond the information security realm and directly impacts operational outcomes.
Cybersecurity protects internet-connected systems from threats such as data breaches, malware, and ransomware. The business value of strong cybersecurity is clear: preventing loss due to theft of money or resources and increasing revenue as you build customer trust and share safe and secure access to information or processes.
As new cybersecurity reporting proposals from the U.S. Securities and Exchange Commission are put into place, many boards will be required to disclose exactly what steps they are taking to prevent cyberattacks. The challenge is that most in the boardroom may not fully understand the actual business value their cybersecurity solutions deliver. Although not all companies will be expected to meet these requirements from the SEC, building a deeper understanding of cybersecurity and the value it drives for the business will benefit any company in today’s connected world.
Measuring cybersecurity value
But how can a company effectively measure its cybersecurity program and whether the actions taken add overall value? This is the question explored by Paul Proctor, VP and Distinguished Analyst at Gartner. Six years ago, he left his role as the Chief of Research for Risk and Security to join the finance team. “Now why would a security guy join the finance team? BECAUSE IT ALL COMES BACK TO MONEY AND VALUE!” he says, with emphasis.
Proctor observes that “Executive decision makers do not understand how cybersecurity supports their business outcomes and cybersecurity professionals are challenged to understand the business outcomes they support.” This is where customer value management can make all the difference. He explains that executives are often tempted to use metrics that do not reflect business value. For example, measuring the number of emails blocked each month does not measure value because the metric does not indicate why a number is high or low. A low number may reflect a month with fewer attacks, while a higher number may indicate a company has been more effective in detecting cyberattacks.
Instead, Proctor says, “A value metric is one that we can invest in directly to change value delivery. In cybersecurity, that means an investment to improve the metric is an investment to improve a protection level.” He explains that cybersecurity metrics should:
Measuring the time it takes to patch vulnerabilities is one example of a critical value delivery metric. The reason? “We directly control it and an investment in changing it has demonstrable and measurable benefits to levels of protection. When you measure this, you have operationalized cybersecurity value delivery. Your metrics are a direct reflection of protection levels delivered. When they go up or down, so does value…and so does protection.”
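To make the contrast concrete, here is an added example (not code from the original post, Gartner, or DecisionLink) that computes a time-to-patch metric per severity from constructed vulnerability records and compares it against assumed remediation targets; the records, dates and targets are illustrative placeholders, not real data. Unlike a count of blocked emails, every number it produces moves in a known direction when remediation is funded.

```python
from datetime import date
from statistics import mean

# Constructed sample records: (severity, date_disclosed, date_patched or None).
# Illustrative values only, not data from the original post.
SAMPLE_FINDINGS = [
    ("critical", date(2024, 3, 1), date(2024, 3, 4)),
    ("critical", date(2024, 3, 10), date(2024, 3, 25)),
    ("high", date(2024, 3, 2), date(2024, 3, 20)),
    ("high", date(2024, 3, 15), None),          # still open at report time
    ("medium", date(2024, 2, 20), date(2024, 4, 1)),
]

# Assumed remediation targets in days per severity (a hypothetical policy).
TARGET_DAYS = {"critical": 7, "high": 30, "medium": 90}
REPORT_DATE = date(2024, 4, 5)  # constructed "as of" date for the report


def time_to_patch_report(findings, as_of):
    """Summarise time-to-patch per severity.

    Returns {severity: {"mean_days", "max_days", "within_target", "open"}}.
    Open findings are aged against `as_of`, so unpatched work cannot hide
    by being left out of the average.
    """
    report = {}
    for sev, target in TARGET_DAYS.items():
        ages = []
        open_count = 0
        for s, disclosed, patched in findings:
            if s != sev:
                continue
            if patched is None:
                open_count += 1
                ages.append((as_of - disclosed).days)
            else:
                ages.append((patched - disclosed).days)
        if not ages:
            continue
        report[sev] = {
            "mean_days": mean(ages),
            "max_days": max(ages),
            "within_target": sum(a <= target for a in ages) / len(ages),
            "open": open_count,
        }
    return report
```

Tracking `within_target` alongside the mean matters: a single long-lived finding can hide behind a healthy average, and the share meeting the target is the figure an investment in patching is expected to raise.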
At DecisionLink, we know that a value-centric culture elevates your brand, your reputation, and your financial outcomes. Value-first companies don’t just improve efficiencies in one department; they see drastic improvements across the whole organization. Cybersecurity is one more area where value management matters. In today’s world, cybersecurity is an investment in the business, not simply overhead. For organizations selling cybersecurity solutions, if you’re not leading with value, you have completely missed the power of what you provide. And for companies buying cybersecurity solutions, if your provider isn’t sharing the value their solution has realized for your business, they may not have the sophistication you are looking for.
[1] https://blogs.gartner.com/paul-proctor/2022/04/18/value-is-missing-in-executive-communication-on-cybersecurity/