Introduction

For years, the C-suite has viewed cybersecurity as a cost center. This perception is often the biggest obstacle CISOs must overcome to successfully build a cybersecurity program. 

Yet other segments of IT have managed to shed their cost center status. Executive leadership teams now see investments in areas like cloud, big data and application development as key to digital transformation and subsequent market growth.  

While spending decisions for other segments of IT are increasingly based on strategy, investments in cybersecurity continue to be reactive and made out of fear. When looking at overall IT spending, this mentality is a costly misstep. 

In a survey of IT buyers in companies across North America and Europe, Spiceworks found that 47 percent of respondents identified increased security concerns as a top factor leading to IT budget increases. By contrast, 31 percent of respondents attributed growing business revenue to increased spending. 

In other words, organizations are spending more to protect their business than they are to grow their business. What most C-level leaders fail to realize, however, is that the two are not mutually exclusive. Cybersecurity can and should grow the business. But this requires a fresh approach, one that starts with the business.

When CISOs put the threat landscape on pause and align security initiatives to executive requirements and risk, cybersecurity can take its rightful place as a business enabler, not a cost center.


Problems with traditional cybersecurity spending

Investing in cybersecurity based on the current threat landscape has a long history. Worms and viruses spawned the growth of the antivirus industry in the 1990s. In the 2000s, anti-malware companies popped up as personal financial records came under attack. In the 2010s, we saw network segmentation solutions dominate the market with the rise of advanced persistent threats. 

Time and time again, security vendors have written the script on where organizations should invest based on daily defense. With enterprises facing more types of cyberattacks than ever before, and even more cybersecurity vendors to choose from, CISOs are left to play an impossible game of whack-a-mole.

It's no wonder that CISOs' requests for cybersecurity investments are met with skepticism from CFOs and CEOs. Leadership sees a stream of expenses that can't be tied to business growth. 

To change, CISOs must take spending cues from the C-suite, not vendors.

Starting with the C-suite

CISOs often find themselves C-suite-adjacent. While there's a growing trend for CISOs to report to the CEO, many, especially at large enterprises, still report to the CIO. CISOs may have some understanding of business objectives but true C-level careabouts can get lost in translation. 

It's crucial that CISOs hear directly from each C-level leader what his or her top objectives are. 

I regularly facilitate executive alignment workshops in which CEOs, CFOs, CMOs and other C-level leaders identify the risks they believe most stand in the way of them reaching their business goals.

Each stakeholder has his or her own area of focus. For example, a CEO might identify compliance as a top risk; a CFO might identify the cost of security controls; a CMO might identify the availability and performance of customer applications. 

Often each leader's top concern comes as a surprise to the others, which generates empathy for the CISO. How is a CISO supposed to focus when the executives themselves disagree on which areas of the business hold the most risk? 

When it comes to business risk, common areas of concern include:

  • Market trust
  • Availability and performance
  • Culture, policy and governance
  • Compliance
  • Cost of controls
  • Data assurance
  • Security liability

After the C-suite comes to a decision on which of these is most important to them, the CISO can walk away with clear direction on where to focus. 

Aligning executive requirements to security objectives

Knowing executive priorities is one thing, but putting them into action is another. In order for CISOs to get money for security initiatives, they need to align security to the business quantitatively and qualitatively. 

Quantitatively, CISOs must determine vulnerabilities, establish a baseline for security maturity and evaluate risks against standards and best practices. 

Qualitatively, they must gather critical information about assets and risks, align executive requests to security objectives, and establish a strategy for risk program management and operations. 

This involves making a risk register that identifies control area gaps and risks in the context of impact, effort and cost. Rather than trying to tackle every gap, CISOs can focus on controls that will help the C-suite reach their business goals and are relatively easy for security teams to execute. They can see which security investments offer the greatest return to the business. 

Finding the sweet spot on the risk/cost asymptote 

One thing that's important for CISOs and the C-suite to understand is that risk behaves like an asymptote: it approaches zero but never reaches it. You can spend as much as you want on cybersecurity, but you can never eliminate risk completely. At some point the spend curve and the risk-mitigation curve cross, and beyond that point each additional dollar buys less risk reduction than the last, so organizations see a diminishing return on investment.

There are four options when it comes to risk. You can either mitigate it, accept it, transfer it or ignore it. What you choose for each identified risk will depend on the level of investment and effort it takes to mitigate that risk. 

The traditional approach to cybersecurity spending doesn't observe the law of diminishing returns. It assumes it's possible to eliminate risk completely through continued spending. 

Instead, we need to embrace a model that helps us find the optimal intersection of risk and cost based on our quantitative and qualitative analysis. Plotting that point is a powerful tool for CISOs. It demonstrates responsible spending to C-level leaders, especially to the CFO. 

Mitigating risks and enabling the business

After understanding business careabouts, aligning executive requirements to security controls and conceding that some risk is necessary, it's time for CISOs to present findings back to the C-suite. This means taking top security risks and mapping them back to business risks. 

For instance, if data assurance is a top business priority and we find gaps in, say, data governance procedures, third-party vendor controls and encryption, then addressing those security gaps would be an excellent place to focus efforts. 
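As an added illustration of the risk register described earlier (the gaps scored by impact, effort and cost, each mapped back to a business risk) and of the data-assurance example above, here is a small Python script that ranks constructed register entries by business alignment and return. It is example code, not part of the original article; the gap names, the 1-5 scales and the scores are all made up for illustration.

```python
"""Rank control-area gaps in a risk register by business alignment and return.

Added example, not from the original article. Gap names, scores and the
1-5 scales are constructed; a real register carries the organization's own
assessments and the C-suite's own ranking of business risks.
"""
from dataclasses import dataclass

# Business risk areas from the article, in the order the C-suite ranked them
# (constructed ranking).
C_SUITE_PRIORITY = ["Data assurance", "Availability and performance", "Compliance"]


@dataclass(frozen=True)
class Gap:
    control_area: str    # where the control gap was found
    business_risk: str   # executive careabout the gap maps back to
    impact: int          # 1-5, business harm if the gap is exploited
    effort: int          # 1-5, work for the security team to close it
    cost: int            # 1-5, relative spend to close it


# Constructed register entries modelled on the article's data-assurance example.
REGISTER = [
    Gap("Data governance procedures", "Data assurance", 5, 2, 1),
    Gap("Third-party vendor controls", "Data assurance", 4, 3, 2),
    Gap("Encryption at rest", "Data assurance", 5, 3, 3),
    Gap("Customer app capacity", "Availability and performance", 3, 4, 4),
    Gap("Security awareness training", "Culture, policy and governance", 2, 2, 1),
]


def return_score(gap: Gap) -> float:
    """Impact reduced per unit of effort plus cost; higher is a better return."""
    return gap.impact / (gap.effort + gap.cost)


def prioritize(register, priorities, top_n=3):
    """Keep only gaps mapped to a C-suite priority, then rank them by return.

    Ties on score go to the gap tied to the higher-ranked business risk."""
    rank = {risk: i for i, risk in enumerate(priorities)}
    aligned = [g for g in register if g.business_risk in rank]
    aligned.sort(key=lambda g: (-return_score(g), rank[g.business_risk]))
    return aligned[:top_n]


if __name__ == "__main__":
    for gap in prioritize(REGISTER, C_SUITE_PRIORITY):
        print(f"{gap.control_area:30} -> {gap.business_risk:30} "
              f"score={return_score(gap):.2f}")
```

Gaps that do not map to a ranked business risk drop out of the shortlist entirely, which is the point of letting the C-suite's priorities, not the threat landscape, drive the list.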

CISOs can use this mapping as a north star to make sure they are always delivering business value. It will be a point of reference, not just for CISOs but for the C-suite. Only when you have this actionable target can you invest in the right architectural tools and operational policies that will help you hit your mark. 

By focusing on these identified careabouts, the CISO has mitigated as much risk as possible and removed the obstacles preventing C-level leaders from achieving their business goals.

Conclusion

Investing in cybersecurity without a business strategy is a surefire way for the C-suite to continue to see cybersecurity as a cost center. Luckily, there are pragmatic steps CISOs can take to align to the business and build a cybersecurity program accordingly. 

Hopefully what we covered gives you some guideposts in turning cybersecurity into a business enabler. 

Just remember that the road that lies in between these posts will be different for every organization. It will be influenced by organizational structures, existing technology investments, staff skills, budget constraints and much more. 

But the basic principle remains. Business alignment is the first step today's CISOs need to take. The days of playing threat whack-a-mole are over. It's time to take aim at risk.  
