By Joseph Carson, Chief Security Scientist and Advisory CISO at Thycotic
Justifying investments in new or additional cyber security initiatives to the board can be a particular challenge for IT security professionals. Part of the problem is that the C-suite typically views IT security as a cost centre rather than an asset that can add value to business processes. Unfortunately, this means that when the time comes to review budgets, IT security is one of the first departments to be at the sharp end. But times are changing. Data breaches, like those at BA and Marriott International, both of which resulted in multi-million-pound fines, have ushered in a new era where investment in data security has direct repercussions for the boardroom and the bottom line of the business.
To ensure IT security is given the necessary funding to protect the business, CISOs must work closely with CFOs to set smart business metrics that clearly demonstrate security's strategic value.
The strategic imperative
Thycotic research shows that CISOs struggle to secure enough funding and support from their boards to achieve their cyber security goals. According to the Cyber Security Team's Guide to Success, one third (34 percent) say that they don't get enough funding to implement additional security solutions. This could be down to the fact that a quarter (26 percent) report that their boards are not prioritising IT security as strategically important.
In such cases, it is not surprising that when budgets are reviewed, IT security comes to the top of the list for cuts. Why would you want to prioritise investment in something if you don't view it as strategically important? However, this would be a mistake. The perception of IT security purely as a cost centre will ultimately lead decision makers to think about how corners could be cut and costs reduced. Following such an approach opens businesses up to security risks that could cost them significantly more in the long run. For instance, if a firm falls foul of the GDPR, it could end up having to pay a fine of up to the greater of four percent of its global turnover or €20 million.
Think people and business first
Clearly, CFOs aren't cyber security experts, nor should they be expected to understand the minutiae of security initiatives. However, there needs to be better communication between the CFO and the CISO in order to clearly demonstrate the business value of IT security and to make the necessary budgetary commitments. To this end, CISOs need to be encouraged to take a "people & business first" approach, where they consider how any security initiative can help their firm and its employees to accomplish tasks and goals more effectively. By thinking about non-security-focused objectives, CISOs will automatically start thinking about issues in a business-centric way that makes their work easier for others outside the IT security team to understand and relate to.
This starts with talking about the right metrics. CISOs need to use metrics that clearly demonstrate to the board the business impact they have made. This means re-thinking quantitative metrics that have little or no context or that are weighed down by jargon. For instance, reporting that so many thousands of vulnerabilities have been patched to show how busy the IT security team has been might seem impressive, but what does that actually mean for the business? CISOs need to paint a picture of how their activity is not only protecting the business but also helping it to operate more effectively. The metrics CISOs should use are those that show how security is protecting revenue, saving employees time or improving productivity. This is highlighted in the Thycotic research, where 44 percent of respondents said that using data to demonstrate the wider business impact makes the biggest difference in how a security budget is allocated. It was also said to be the most important factor.
However, to be able to do this, CISOs need to talk to their CFOs to find out exactly what the board needs in terms of efficiency savings, business goals and so on. They also need to have a conversation about any other areas of the business that could become more efficient with improved cyber defences, as well as finding the evidence for how much money has been saved thanks to IT security initiatives.
"It is time for security teams to spend more time listening to employees and their business goals" – Joseph Carson