IT security is not a cost, but a business investment

By Joseph Carson, Chief Security Scientist and Advisory CISO at Thycotic

Justifying investments in new or additional cyber security initiatives to the board can be a particular challenge for IT security professionals. Part of the problem is that the C-suite typically views IT security as a cost centre rather than an asset that can add value to business processes. Unfortunately, this means that when the time comes to review budgets, IT security is one of the first departments to be at the sharp end. But times are changing. Data breaches, like those at BA and Marriott International, both of which resulted in multi-million-pound fines, have ushered in a new era where investment into data security has direct repercussions for the boardroom, and the bottom line of the business.

To ensure IT security is given the necessary funding to protect the business, CISOs must work closely with CFOs to set smart business metrics that clearly demonstrate security's strategic value.

The strategic imperative

Thycotic research shows that CISOs struggle to secure enough funding and support from their boards to achieve their cyber security goals. According to the Cyber Security Team’s Guide to Success, one third (34 percent) say that they don’t get enough funding to implement additional security solutions. This could be down to the fact that a quarter (26 percent) report that their boards are not prioritising IT security as strategically important.

In such cases, it is not surprising that when reviewing budgets, IT security comes to the top of the list. Why would you want to prioritise investment in something if you don’t view it as of strategic importance? However, this would be a mistake. The perception of IT security purely as a cost centre will ultimately lead decision makers to think about how corners could be cut, and costs could be reduced. Following such an approach opens businesses up to security risks that could cost them significantly more in the long run. For instance, if a firm falls foul of the GDPR, it could end up having to pay a fine of up to the greater of four percent of its global turnover or €20 million.

Think people and business first

Clearly, CFOs aren’t cyber security experts, nor should they be expected to understand the minutiae of security initiatives. However, there needs to be better communication between the CFO and CISO in order to clearly demonstrate the business value of IT security and to make the necessary budgetary commitments. To this end CISOs need to be encouraged to take a “people & business first” approach, where they consider how any security initiatives can help their firm and its employees to more effectively accomplish tasks and goals. By thinking about non-security focused objectives, CISOs will automatically start thinking about issues in a business-centric way that will make their work easier for others outside the IT security team to understand and relate to.

This starts with talking about the right metrics. CISOs need to use metrics that clearly demonstrate to the board the business impact that they have made. This means re-thinking quantitative metrics that have little or no context or which are weighed down in jargon-filled parlance. For instance, reporting that so many thousands of vulnerabilities have been patched to show how busy the IT security team has been might seem impressive, but what does that actually mean for the business? CISOs need to paint a picture about how their activity is not only protecting the business, but also helping it to operate more effectively. Metrics that CISOs should use are those that show how security is protecting revenue, saving employees time or improving productivity. This is highlighted in the Thycotic research where 44 percent of respondents said that using data to demonstrate the wider business impact makes the biggest difference in how a security budget is allocated. It was also said to be the most important factor.

However, to be able to do this CISOs need to talk to their CFOs to find out exactly what the board needs in terms of efficiency savings, business goals and so on. They also need to have a conversation about any other areas of the business that could become more efficient with improved cyber defences, as well as finding the evidence for how much money has been saved thanks to IT security initiatives.

“It is time for security teams to spend more time listening to employees and their business goals” – Joseph Carson