To Use Cyber Metrics Well, Show Boards the Money

Each year, organizations invest more and more money to secure their assets. And each year the threats to those assets increase.

According to tech research firm Gartner, total worldwide spending on cybersecurity will reach $172 billion in 2022, up from $137 billion just two years ago. Large enterprises are boosting their security budgets by an average of 12% each year.

At the same time, the number of material breaches grew 25% from 2020 to 2021. The cost of ransomware attacks has increased more than 50 times since 2015, according to Cybersecurity Ventures, which projects that losses will exceed $265 billion by 2031.

Identify and contain adversaries before they can spread across your network.

“The security industry is broken,” says Steve Zalewski, former CISO at Levi Strauss and now an independent cybersecurity adviser with S3 Consulting.

Many factors have contributed to the mismatch between money spent and results delivered, Zalewski explains. Vendors need to do a better job of sharing resources and working together to thwart attackers, he says. And security professionals need to better understand the role they play in helping the business make money.

But a key reason is a basic disconnect between how CISOs and business leaders measure success.

Follow the money

Many cybersecurity professionals are measuring the wrong things, says Zalewski. CISOs will stand before the board and talk about the number of attacks that have been blocked, malicious emails deleted, employees trained to recognize phishing scams, or money invested in upgrading their security information and event management (SIEM) technology. But they don’t talk enough about how successful digital attacks affect the company’s bottom line or how much it will cost the business to limit its risk.

As CISO, my job is not to secure the company. My job is profit protection

A September 2021 survey by Harvard Business Review Analytic Services found that 68% of CISOs present technical metrics to decision-makers. Just 56% measure potential monetary damages.

“As CISO, my job is not to secure the company,” Zalewski says. “My job is profit protection.”

Investing heavily in security solutions cuts into profits, so those investments have to be justified. CISOs need to map cybersecurity risk to business risk—and quantify it in a way business leaders and the board will understand, Zalewski says. That ultimately leads to a conversation about how much risk companies are willing to take on, as well as what they’re willing to spend to reduce their exposure.

[Read also: Measuring what matters: aligning risk measurement with corporate goals and objectives]

The one metric that rules them all? Revenue, says Bob Zukis, founder and CEO of Digital Directors Network, which advises companies on digital and cyber governance, and an adjunct professor at USC’s Marshall School of Business. If you want to get the board’s attention, start talking about money.

“That’s your starting point,” Zukis says. “If you shut down the digital business system, what would happen to the revenue that system is creating? Once you align security controls to revenue, the board will listen to you all day long.”

Map risk to revenue

In June, Gartner released a list of 20 outcome-driven metrics that organizations can use to benchmark the value of their security investments. Organizations can take things they already measure—such as mean time to remediate incidents, patching cadence, and phishing click-throughs—and see how they compare to other companies in their cohort.

Having a common set of benchmarks will enable CISOs to have “adult conversations about business-led cybersecurity investments,” said Paul Proctor, a Gartner VP and distinguished analyst, at an April webinar. From there, security and business leaders can discuss issues like what it would cost to reduce the time needed to patch vulnerabilities from 30 days to 15 days and whether the additional reduction in risk is worth the money. (See chart below.)

“Boards treat security like magic and security professionals like wizards,” said Proctor. “Give the wizard some money, he’ll cast some spells and the organization’s protected. If something goes wrong, they say, ‘I guess we need a new wizard.’ This has led to some very bad investment decisions.”

Getting down to dollars and sense

But gauging the potential impact of security incidents on a company’s revenue is still more art than science. It’s relatively easy to estimate lost revenue if an e-commerce site goes down for an hour. Calculating the financial impact of digital systems that support a brick-and-mortar business like manufacturing or pharma is a harder nut to crack, says Kevin Richards, president of cyber-risk solutions at X-Analytics.

Calculating our financial impact has been the biggest single challenge for the cybersecurity industry for 30 years.

“It’s been the biggest single challenge for the cybersecurity industry for 30 years,” says Richards, whose firm uses data from more than a decade’s worth of cyber insurance claims and real-world breaches to calculate the potential damage from a successful attack. X-Analytics’ cloud-based platform then helps executives make informed decisions about where to invest their security budgets and how that could change over time.

The metrics that matter most, and the amount of importance business leaders assign to those metrics, can vary widely from one organization to the next, says Richards. The important thing is for CISOs to get in the same room with business leaders and have a frank conversation about their risk tolerance.

[Read also: Cyber risk scores should be more than just a number]

“Once you start putting real financial numbers next to these risks, they turn out to be a lot bigger than anyone expected,” he adds. “It’s not something you can do on the back of a napkin.”

It’s also not a conversation companies can afford to put off, especially those that are publicly traded. Recent governance proposals from the SEC call for public companies to pay much greater attention to security issues. Evaluating cyber-risk at the board level will become a must-have, not a nice-to-have.

“Boards will have to have someone in the room who understands the cybersecurity issues,” says Zukis of Digital Directors Network. “CISOs will have to articulate quantification and materiality in a way that translates into dollars and cents. And if they can’t tell that story, they’ll need to find another job.”