Cyber posture: the value proposition of security
April 2019 | FEATURE | BOARDROOM INTELLIGENCE
Financier Worldwide Magazine
April 2019 Issue
Every organisation is potentially a target for a cyber attack. Large, small or somewhere in between, the day-to-day threat is real and pervasive. And with the threat of attack unlikely to lessen substantially anytime soon, an organisation with robust cyber security solutions in place is generally safer and more valuable, whatever its sphere of operations.
Effective cyber security solutions, as well as being a core value proposition for organisations, are also a necessity for management teams, board members and investors. Indeed, without stakeholder confidence in cyber security solutions, organisations are limited in their ability to innovate their business operations and generate growth.
“The value of cyber security to a company is in preventing business and financial disaster,” says Bob Weiss, a cyber security analyst at WyzCo Group Inc. “Information security departments have a difficult time showing the value of improved information security to C-suite officers, but the C-suite is only too good at seeing the cost, and shooting down improved security proposals.
“The value can be most easily demonstrated only after the horse has left the barn, which unfortunately is too late,” he continues. “Improvements in this area will only occur after laws are passed that hold management personally liable for willful negligence in cyber security decision making. We see advances in cyber security occurring in those sectors where legal and regulatory compliance are enforced, and where penalties can be and are imposed.”
In the view of Scott King, senior director of security advisory services at Rapid7, most organisations have adopted a culture where managing cyber security risk is a core component of their overall enterprise risk management (ERM) function, as well as an important factor in overall growth. “Cyber intrusions have shown most executives that a breach will result in significant financial cost, reputational damage, societal impacts, as well as personal liability for senior leaders,” he says.
Once an organisation has defined its cyber security posture, its metrics programmes must accurately report the value of its controls to all relevant stakeholders, especially the board.
“The value of cyber security controls can be best documented in metrics such as mean time to recovery (MTTR) from a cyber security intrusion or incident,” suggests Mr Weiss. “If an information security organisation has the tools in place to capture this information, documentation of attacks successfully repelled might also be another way to prove value. But this is a critical point, showing the monetary value or return on investment (ROI) of cyber security programmes can be difficult when we are successful.”
All in all, an organisation that measures the value of its cyber security in metrics is no different to a business that continuously monitors its own performance – both are doing so in order to adapt to changing conditions, withstand increasing financial pressures and capitalise on opportunities for growth.
“However, measuring cyber security through metrics alone is not sufficient, as metrics will not capture all of the complexity and technical implications involved in risk-based decision making,” says Mr King. “Cyber metrics have different audiences, and each has a different level of detail depending on how the metric supports the goals of a department or division of a company.
“Cyber metrics are not appropriate for most board meetings, but may be used if a board has a committee with cyber and IT in its charter and technology-focused board members,” he continues. “Senior business leaders benefit from cyber risk management metrics aligned to business goals that clearly show the likelihood of impacts and costs. Cyber security professionals typically focus on metrics that show how well the technology is working. In short, using metrics is helpful provided the metrics are aligned to the needs of the intended audience and support the broader business objective of risk management.”
Strengthening cyber security posture is the name of the game for organisations today as they seek to stay ahead of an evolving cyber threat landscape and boost their value proposition.
“The best value for the dollar in cyber security may be in the realm of cyber security awareness training for employees,” suggests Mr Weiss. “Vigilance is an important skill in cyber security and works best when everyone is looking for suspicious occurrences. A cyber security professional should also actively engage in reading and learning new things about the threat landscape.”
According to Mr King, in order for an organisation’s cyber security posture and business growth and value to be as closely aligned as possible, the cyber fraternity needs to invest in ERM and develop the skills to present risk in terms business leaders can understand. “Threats are constantly evolving and shifting in both focus and impact,” he says, “creating a challenge for cyber security professionals to truly stay ahead of the game.”
© Financier Worldwide