How do you measure the value of your investment in cybersecurity? How is that value reflected in the way cybersecurity is built into both your management structure and corporate culture?
I pose these critical questions based on a couple of recent experiences and observations.
- I was talking to a chief financial officer and he was describing his investment in cybersecurity as a “sunk cost.” His position was that the organization had paid a lot of money for cybersecurity and “didn’t have anything to show for it.”
- The site KrebsonSecurity recently did an analysis of the top 100 global companies and found that only five percent listed a chief information security officer or chief security officer among the company’s executive leadership team.
While these are two seemingly disparate events, I would argue that they are closely intertwined. If an organization doesn’t see cybersecurity as a strategic investment, it won’t treat the people responsible for cybersecurity as part of the strategic team. Conversely, if cybersecurity leaders are not part of the executive team, the organization won’t have the knowledge and commitment to treat cybersecurity as a strategic investment.
It is a vicious cycle that is well past its use-by date. If your organization is still treating cybersecurity as a sunk cost, it is time to change your attitude. And, if you haven’t welcomed your cybersecurity leaders into the executive suite, it is time to roll out the proverbial red carpet for them.
Not a Sunk Cost
A sunk cost is a cost that has already been incurred and cannot be recovered. If your organization is viewing cybersecurity through this lens, you run the risk of measuring the value of your investment based on how much you have spent, rather than on what benefits that investment is delivering to the organization.
The biggest risk in viewing cybersecurity as a sunk cost is inaction: in other words, thinking that you are safe because you haven’t yet suffered a major breach. Remember this maxim: Everyone is vulnerable.
And don’t fall into the trap of thinking that your cybersecurity spend is a mere insurance policy protecting the organization against disaster. In today’s data-driven, global, mobile, always-connected economy, cybersecurity is an enabling technology that allows you to do business. It is the foundation for everything you do.
If the organization develops a new application that takes advantage of big data analytics to enhance the customer experience, that application only brings value if customers feel safe in using it. If the organization is using public cloud resources to accelerate development cycles and reduce IT costs, it only works if there are no incremental security risks.
The reality is that cybersecurity is not just a cost of doing business; it is an essential element of business innovation and digital transformation. Think about any company that has leveraged technology to disrupt an established industry: Uber, Airbnb and Netflix, to name three of the obvious examples. Without a constant, ongoing and strategic commitment to cybersecurity, their business models simply don’t work.
Leveraging Your Investment
Another risk of treating cybersecurity as a sunk cost is the potential for missed opportunities and wasted resources. Many companies buy certain security technologies to fulfill a compliance or audit requirement. The sunk cost mentality is, “we’ve solved this compliance problem, let’s move on.”
The risk in taking this approach is that you may not be operationalizing the full value of the investment you’ve made. Compliance does not equal security, and if you think of your investments strictly through the lens of compliance, you may only be using 10% or 15% of the capabilities of your solutions. This is an unnecessary waste.
Instead, you can take an outcome-based approach to your cybersecurity investments. For example, say the company wants to give customers enhanced mobile capabilities through advanced analytics. If that is the goal, how does the cybersecurity investment help the company achieve that goal? What are the necessary investments in people, processes and technologies that will move the business forward in this direction?
With an outcome-based approach, you can work more closely with your technology partners to achieve your cybersecurity goals, and thus your business goals. If cybersecurity is a sunk cost, the partner has less value to offer. But, if cybersecurity is an ongoing investment in your future, then the partner can be invaluable in helping you to maximize the features and functions of your solutions. The partner has experience across a wide range of industries and has a vested stake in making sure that your cybersecurity investments deliver maximum business value.
Building A Culture of Cybersecurity
Finally, if your cybersecurity leaders are still not viewed as core to the executive management team, it is time to re-evaluate what you are doing and elevate these individuals so they can contribute to the organization on a more strategic level. It’s all part of building a culture of cybersecurity into the organization and recognizing that investing in cybersecurity is not about sunk costs, but about investing in the future of your organization.