Last Updated on August 12, 2022
Information security provides value preservation by protecting your organization’s sensitive data. But information security done right can also create value, such as helping to increase revenues, improve competitiveness, open up new business opportunities and attract new customers.
The foundation for creating business value with cybersecurity investments is aligning security activities with the overall business strategy and having a clear, longer-term roadmap that guides your program over a multi-year period. But how can you convince your CFO and other senior leaders to take this long-term view when they may favor a quick fix/reactive approach?
To help security and business leaders understand and communicate the value creation potential of cybersecurity, James Fair, SVP at Executech joined a recent episode of The Virtual CISO Podcast. The podcast host is John Verry, Pivot Point Security CISO and Managing Partner.
Value creation parameters
Communicating with the C-suite about cybersecurity value creation means speaking in business terms.
For clients that have larger IT budgets, a key benefit of better security (as well as a strategic goal for IT) is improved uptime.
“Let’s not wait until something breaks,” says James. “We have a lifecycle in all of this stuff. What if we replaced it before it broke?”
For SMBs, James suggests finding a way to illustrate upfront how security and other IT expenses can fit within an agreed budget.
“We come to them and we say, ‘You need endpoint protection and new switches and a next-generation firewall,’ and they get the deer-in-the-headlights look,” James relates. “And it’s like, ‘There’s no way.’ So now we can come back and say, ‘Alright, let’s put this into a budget that makes sense.’ And they can start to have more predictable IT costs in both of those scenarios.”
The benefit of guidelines
Another value creation benefit of taking a strategic approach to cybersecurity is that it creates a set of guidelines that people can use to make consistent, synergistic decisions on what to do and what not to do over time, so that every step taken is aligned with the desired end state.
“Part of making IT and information security value creation, not just value preservation, is making sure that your IT and information security architectures are where you need to be, to get to where your company wants to be in three years,” explains John. “So, if you’re working with a client that’s intending to scale and wants to double or triple in size, if they don’t have a strategy and if that strategy isn’t aligned with a long-term goal of getting them there, what they’re going to find out is that their IT infrastructure is not going to be where it needs to be when they need it to be there. Same concept on the information security side.”
The podcast episode with James Fair is available here.
Want some pointers on how to bridge the communication gap between business and cybersecurity leaders? Here’s a great blog post for you: Bridging the Gap Between Cybersecurity and the Business World