InfoSec Strategies

How to Measure the Value of Information Security


Last Updated on August 10, 2022

The value preservation aspect of cybersecurity is obvious.  But forward-thinking professionals also see the value creation aspect of a robust cybersecurity posture that aligns with business goals. Cybersecurity is the foundation of protecting sensitive data and providing peace of mind. But how does it create value for the organization? And how can we measure that value?

Tracking the return on investment in cybersecurity can be challenging. Much like auto insurance, you gain the most obvious value when something goes wrong—however, that doesn’t mean insurance isn’t valuable during times of smooth sailing.

James Fair, Senior VP at Executech, shares insight into the value of compliance, measuring ROSI, the Return on Security Investment, and budgetary considerations in cybersecurity.

Join us as we discuss:

  • The value of cybersecurity vs. the costs of a breach
  • Convoluted cybersecurity budgets and industry averages
  • How compliance with cybersecurity regulations supports both value preservation and value creation

The value of cybersecurity when it all goes wrong

Most people think about cybersecurity in terms of value preservation. When there is a breach, cybersecurity is there to ensure there is minimal data loss and downtime. This idea of saving time and money is usually most prevalent when companies weigh the pros and cons of security investments.

But, where there is value preservation, there can be value creation.

Cybersecurity potentially creates just as much value as it preserves. James Fair helps to make sense of this value creation by explaining that there is a growing value to proving your organization is secure. For example, some cyber liability insurance policies offer discounts when businesses employ specific security tools or align with trusted frameworks like ISO 27001.

In addition, certain organizations will only work with businesses that can show that their systems are secure. With increasing opportunities for various levels of security certification, high-level enterprises and government agencies are choosing to partner only with the safest ones.

Certification of compliance with cybersecurity best practices offers a compelling way for businesses to display a badge of cybersecurity fluency. But this doesn’t mean that you have to invest in every shade of cybersecurity. Instead, weighing options and risks provides the most coverage for your specific needs.

“If you’ve got a list of possible attacks for your industry, an estimated likelihood of those attacks, and the severity in the event of such an attack, then you’ve got a matrix you can work with.” — James Fair

By carefully selecting the best cybersecurity options and systems to implement within the context of your business, value can be created through competitive differentiation while optimizing the associated financial investment.
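As an added example (not from the post, Executech, or James Fair), the attack matrix described in the quote above turned into a small Python calculation: each scenario's annualized loss expectancy from its likelihood and severity, and the return on security investment for candidate controls, using the commonly cited ROSI formula (avoided loss minus cost, divided by cost), which the post does not state and is assumed here. The scenarios, controls, and dollar figures are constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Scenario:
    """One row of the attack matrix: how often it happens and what one incident costs."""
    name: str
    aro: float  # annual rate of occurrence (expected incidents per year)
    sle: float  # single loss expectancy, dollars per incident

    @property
    def ale(self) -> float:
        """Annualized loss expectancy = ARO x SLE."""
        return self.aro * self.sle


@dataclass(frozen=True)
class Control:
    """A candidate security investment and the share of each scenario's ALE it removes."""
    name: str
    annual_cost: float
    mitigation: dict = field(default_factory=dict)  # scenario name -> fraction removed (0..1)


def rank_scenarios(scenarios: list) -> list:
    """Order the matrix by expected annual loss, largest first (where the budget should go)."""
    return sorted(scenarios, key=lambda s: s.ale, reverse=True)


def rosi(control: Control, scenarios: list) -> float:
    """ROSI = (avoided loss - cost) / cost; assumed formula, not taken from the post."""
    if control.annual_cost <= 0:
        raise ValueError("control cost must be positive")
    by_name = {s.name: s for s in scenarios}
    avoided = sum(by_name[n].ale * min(max(f, 0.0), 1.0)
                  for n, f in control.mitigation.items() if n in by_name)
    return (avoided - control.annual_cost) / control.annual_cost


# Constructed sample matrix and controls (illustrative numbers, not from the post).
SCENARIOS = [
    Scenario("ransomware", aro=0.2, sle=500_000),
    Scenario("bec_fraud", aro=1.5, sle=40_000),
    Scenario("lost_laptop", aro=2.0, sle=5_000),
]
CONTROLS = [
    Control("mfa_plus_mail_filtering", 30_000, {"ransomware": 0.5, "bec_fraud": 0.7}),
    Control("full_disk_encryption", 8_000, {"lost_laptop": 0.95}),
]

if __name__ == "__main__":
    for s in rank_scenarios(SCENARIOS):
        print(f"{s.name:<25} ALE ${s.ale:>10,.0f}")
    for c in CONTROLS:
        print(f"{c.name:<25} ROSI {rosi(c, SCENARIOS):.2f}")
```

A control with a negative ROSI costs more per year than the loss it is expected to avoid, which is the signal the post's "weighing options and risks" point is about.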

Deciphering cybersecurity budgets and industry averages to develop a strategy

To create value from cybersecurity, you need to align your investments with business goals. For example, you should identify an ideal client for your products or services and investigate their cybersecurity needs and expectations.

It may not be necessary for your organization to invest in becoming ISO 27001 certified if your customers do not require this level or type of protection. However, if you plan to compete for DoD contracts, you may need to spend a greater portion of your overall budget on acquiring the required certifications, such as CMMC certification.

“Your strategy needs to be prioritizing adaptability and confidentiality—privacy, safety, reliability, and upskilling leaders and security.” — James Fair

Regardless of who your business serves, your leaders must complete a careful analysis of client needs to define the budget that should be dedicated to cybersecurity and how that budget should be applied company-wide.

Investing in cybersecurity does not always require achieving specific certifications. Instead, the budget can be used to increase training, test systems, and build security internally and externally if that best benefits your organizational structure and goals.

Supporting value preservation and creation with compliance

Ultimately, cybersecurity creates and preserves the most value when the organization verifiably complies with security practices and expectations.

The number of breaches increases with each passing year, as does the average loss each business experiences. With approximately 80% of businesses experiencing cyberattacks, achieving “continuous compliance” is only becoming more critical. But it’s essential to recognize that this compliance saves organizations time and resources when an attack occurs and offers increased value when all is well.

“Let’s make sure we’re also considering what happens when an attack happens, not only how we prevent it from happening.” — James Fair

Too often, cybersecurity measures aim only to protect the organization from a breach, focusing on how they can keep the bad guys out. Unfortunately, too little focus is given to the portion of the plan that defines what should be done when the bad guys get in.

Creating a strategy that results in the most value creation requires a robust plan considering each possibility. While ensuring utmost security in exterior barriers may be a helpful approach, it should be paired with proactive response steps like Zero Trust architecture.

The best way to ensure all bases are covered in preventative and responsive planning is to comply with widely used, researched, and endorsed cybersecurity best practices.

What’s next?

To get every word of this provocative conversation with James Fair and John Verry, click here.
