The Business of Cybersecurity: How Security Programs Drive Business Results

Surprisingly, many organizations have yet to move beyond the traditional compliance-driven approach to cybersecurity. However, to address today’s risk of a cyber breach — which can lead to an organization’s data being compromised or a disruption to business operations — cybersecurity organizations need to focus on delivering the level of security required to protect corporate assets and align with the strategic goals and objectives of the business. 

This blog series focuses on that very thing: defining, establishing and managing an organization's cybersecurity posture to deliver the results needed for the business to be successful. 

Obtaining certifications and having an operational focus aren’t enough to accurately represent the defense against a data breach, and they fail to demonstrate the potential impact to the enterprise. This compliance-driven approach does not provide a comprehensive view of the organization’s security capabilities, nor does it help position business leaders to make informed decisions on the level of investment required in cybersecurity to support their goals. Ultimately, the mission for security teams should be to mitigate the likelihood and potential business impact of a breach while supporting an organization's strategic goals and business objectives.

With the complexities of delivering an otherwise seemingly simple mission statement — and the resistance to committing to the level of security their services provide — security organizations often quantify their benefits through the attainment of certifications (e.g., PCI, SOC2, ISO) or by tracking against operational metrics (e.g., number of known vulnerabilities, percentage of systems patched, number of pen tests conducted). The former is an attempt for the security organization to transfer accountability to a third-party auditor, and the latter to the business owner. This is where cybersecurity organizations not only miss delivering on their mission, but they also devalue and commoditize their contribution — which is even more damaging to how the business views their services.  

Part of the difficulty is quantifying both the likelihood and the business impact of a breach prior to a breach occurring, and this complexity only grows when positioning information to senior leaders so they can make an informed, risk-based decision on how much to invest in their organization's security posture in alignment with their business strategy.  

The challenge for security teams is in defining, establishing and managing the organization's ability to reduce the likelihood and impact (whether it be financial, brand equity or operational) of a breach as a function of the total potential exposure — in short: defining, establishing and managing an organization’s cybersecurity posture.

Requests for security investments are often accompanied by proclamations of “but we can't guarantee there won't be a breach.” The business isn't looking for guarantees, as they have very few guarantees in any part of their business strategy and its execution. What they’re looking for is the opportunity to participate in decisions and confirm that the size of the investment matches the mitigated risk.  

If the security organization delivers only on the execution of cybersecurity transactions, how can they measure the value to the business? The best they can do is focus on driving down the cost of their security services. The question your business partners want answered is:

“What is the likelihood that we will have a breach, and if we are breached, what is the potential impact to our business?” 

If you’ve read this far and agree that cybersecurity organizations need to: 

1. Evolve beyond compliance programs and operational security service metrics
2. Be relevant to their business partners’ efforts to deliver their business outcomes and objectives
3. Provide a security posture that manages the likelihood and potential business impact of a breach in alignment with an organization's strategic goals and business objectives 

...then we’re ready to explore how to execute the transformation of your cybersecurity program by defining, establishing and managing your security posture. In upcoming blog posts, we’ll begin with an overview of each of these three areas, and then move to take a deeper look into their implementation and execution.

----------------------------------------------------
Thanks!
Brian Spanswick