Better metrics can show how cybersecurity drives business success


Longtime security chief Pamela Fusco wanted to more clearly quantify the business value that her cybersecurity program provided to her former employer, a pharmaceutical company. So, she came up with metrics that do just that.

In one case, she focused on how her team’s efforts impacted the company’s speed to market, calculating how her department’s swift work to securely onboard an acquired company (whose intellectual property was instrumental to advancing a drug in the pipeline) tied in with business objectives.

“It was all about go-to-market and how security is helping or hurting that timeline. That’s all about business value,” says Fusco, a serial CISO and Information Systems Security Association (ISSA) board member.

Fusco says such metrics provide a clearer picture of how the security team’s work and its budget not only protect the company but actually support its top and bottom lines.

“You really want to show what you’re doing to grow the business,” Fusco says. “We [cybersecurity chiefs] don’t always articulate the business value of what we’re doing, so we sometimes have to be a bit creative to give them information, not just numbers.”

It’s not always easy for CISOs to demonstrate business value

Like all executives, CISOs use various metrics and key performance indicators to assess their effectiveness and progress toward meeting objectives.

But unlike leaders in other lines of business, whose contribution to revenue and profit can be more directly measured, CISOs have fewer ready-made metrics to demonstrate value in ways that most non-technical workers fully understand.

Case in point: the metrics CISOs typically use to measure their department’s performance, such as patching cadence. Although those help security leaders measure their own team’s effectiveness, they don’t usually provide a compelling story of security’s value to the organization to others in the C-suite and board members.

“Building metrics is a kind of art,” says Pablo Ballarin, who as co-founder of BALUSIAN, S.L. works as a CISO, cybersecurity adviser, and ethical AI consultant.

“It’s a kind of art, because it’s a construction. You are constructing a story with parts of different things you do and with data, and data that comes from many places. The story isn’t that there are many vulnerabilities or attacks, you have to put it into some context. And you have to be sure of how the context connects to what the company is doing and the risk to the company. That’s easily said, but it’s very complicated to do.”

Constructing a story that shows security’s worth

Constructing a story from the data points has become a more pressing issue for CISOs, as more of them report to directors and do so more frequently.

The “2024 CISO Survey Report” from executive search firm Hitch Partners found that nearly 40% of CISOs at privately held companies report to the board quarterly, with another 13% reporting semi-annually, 11% reporting annually, and 11% upon request.

That same survey found that 48% of CISOs at publicly traded companies report to their boards quarterly, 22% semi-annually, 11% annually, and 8% upon request.

As more CISOs report to boards, those board members are saying they want more clarity on the returns on their cybersecurity investments. “Otherwise, the board will tell you: ‘You’re telling me a lot of things you’re doing but I don’t know if they’re worth doing,’” says Ballarin, who is also a member of the Emerging Trends Working Group with professional governance association ISACA.

Analysts at research firm Gartner called out the need to create better metrics in a 2023 report, “Effective Metrics Practices for Cybersecurity Leaders”, saying “Security metrics should effectively tell the story of cybersecurity’s enterprise value.”

“Security and risk management leaders recognize this but struggle with communicating technical data in a way that makes sense to a range of audiences with different skills and priorities,” the report said. “As a result, C-suite executives and boards of directors often have more questions than answers when presented with security metrics, and cybersecurity can be perceived as a technical hurdle rather than a strategic asset for reaching business objectives.”

Demonstrating how a faster recovery gets sales back on track

Gartner advises cybersecurity leaders to ensure “that metrics clearly connect to business outcomes” by “using outcome-driven metrics to illustrate how security aligns with enterprise goals” and metrics “to assess current capabilities and identify areas for improvement” as well as by tailoring metrics to their audience’s priorities.

Ballarin has been working with a retail company and its new cybersecurity officer over the past year to develop metrics that more clearly demonstrate business value than many of those long used by CISOs and their teams.

For example, instead of reporting figures relating to the applications connected to Active Directory, which Ballarin says doesn’t speak to security’s impact on business success, the security leaders share how investments in incident response and recovery have shortened the downtime that could be expected in the case of an event and — more to the point — the dollar value of how many more sales could happen as a result of the faster recovery time.

“This shows that even though I can’t protect against all the attacks, that if a disaster happens, we have tested what everyone has to do and we can tie that to the [better] recovery time and the business value of being able to recover in a shorter timeline,” he explains.

Better metrics mean more effective communication

The movement to metrics that speak to business value does not negate the need for the longstanding metrics that security teams have used, Fusco and others say, noting that mean time to detect (MTTD), mean time to resolve (MTTR), mean time to contain (MTTC) and other foundational measurements are still important and informative.

“But what I think is most important is understanding what you want from a metric and knowing what it proves,” Fusco says. “You don’t want to be just showing numbers that don’t mean anything.”

Fusco says developing metrics that matter to enterprise leaders demands that the CISO knows the business, its objectives, its roadmap, its customers, its risk tolerance, and regulatory requirements.

“That’s what you have to base your metrics on,” she adds. Her use of metrics to illustrate security’s value to M&A activities speaks to all those factors. “At the end of the day [the business] wants to know our overall state of risk. That’s your story at the end of the day.”

As CISOs use more business-oriented metrics to quantify the returns on security investments, they can more effectively communicate security strategies, their costs, and their expected outcomes.

“That gives us the ability to make informed decisions,” Fusco adds.

Gartner agrees, noting in its “Top Trends in Cybersecurity for 2024” report that “outcome-driven metrics are increasingly being adopted to facilitate more effective cybersecurity risk and investment decision making.”

Aligning cybersecurity to business success

CISOs who are using outcome-driven and business-focused metrics acknowledge the challenges of developing such measurements. They say there are few, if any, formulas that are universally applicable, noting that CISOs need to work with their executive colleagues to identify the best avenues for quantifying and qualifying how cybersecurity efforts impact and improve the organization’s economics, competitiveness and/or market position as well as its risk posture.

“Aligning security activities to business success is different for different organizations, and it’s easier in some industries than others,” says Mandy Andress, CISO of technology company Elastic.

Andress leans on the FAIR standard from the FAIR Institute to create metrics to share. FAIR stands for Factor Analysis of Information Risk, described as “the only international standard quantitative model for information security and operational risk.”

Andress says such calculations have been informative about the value of security investments not only for the C-suite and the board but also for her own security team. As an example, she points to her use of the FAIR standard to analyze the company’s risk exposure related to phishing attacks. She measured the expected returns of a few different controls which could be used to limit risk and found that the approach her team thought would deliver the most value was actually outperformed by another.
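A worked illustration of the kind of control comparison Andress describes, added here as an example; it is not code from the article, from Elastic, or from the FAIR Institute. It uses FAIR’s top-level factors (threat event frequency × vulnerability = loss event frequency; loss magnitude as a min/most-likely/max estimate averaged to one expected value) rather than the calibrated distributions and Monte Carlo simulation a full FAIR analysis would use. The phishing scenario, the three candidate controls, and every dollar and probability figure are constructed for the demonstration, not taken from any real assessment.

```python
"""Simplified FAIR-style comparison of security controls (constructed example)."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Scenario:
    """One loss scenario described with FAIR's top-level factors."""
    name: str
    tef: float            # threat event frequency: attempts per year
    vulnerability: float  # probability an attempt becomes a loss event
    loss_min: float       # loss magnitude estimate, dollars
    loss_mode: float
    loss_max: float


@dataclass(frozen=True)
class Control:
    """A candidate control, expressed as fractional reductions of the factors."""
    name: str
    annual_cost: float
    tef_reduction: float = 0.0        # fewer attempts reach users
    vuln_reduction: float = 0.0       # fewer attempts succeed
    magnitude_reduction: float = 0.0  # successful attempts hurt less


def loss_event_frequency(s: Scenario) -> float:
    """FAIR: loss event frequency = threat event frequency x vulnerability."""
    return s.tef * s.vulnerability


def expected_loss_magnitude(s: Scenario) -> float:
    """Triangular-estimate mean; a full FAIR run would sample a distribution."""
    return (s.loss_min + s.loss_mode + s.loss_max) / 3


def annualized_loss_expectancy(s: Scenario) -> float:
    return loss_event_frequency(s) * expected_loss_magnitude(s)


def apply_control(s: Scenario, c: Control) -> Scenario:
    """Return the scenario as it would look with the control in place."""
    keep = 1.0 - c.magnitude_reduction
    return replace(
        s,
        tef=s.tef * (1.0 - c.tef_reduction),
        vulnerability=s.vulnerability * (1.0 - c.vuln_reduction),
        loss_min=s.loss_min * keep,
        loss_mode=s.loss_mode * keep,
        loss_max=s.loss_max * keep,
    )


def evaluate_control(s: Scenario, c: Control) -> dict:
    """Risk reduced, net benefit and ROSI (return on security investment)."""
    before = annualized_loss_expectancy(s)
    after = annualized_loss_expectancy(apply_control(s, c))
    risk_reduced = before - after
    net_benefit = risk_reduced - c.annual_cost
    return {
        "control": c.name,
        "ale_before": round(before, 2),
        "ale_after": round(after, 2),
        "risk_reduced": round(risk_reduced, 2),
        "net_benefit": round(net_benefit, 2),
        "rosi": round(net_benefit / c.annual_cost, 4),
    }


def rank_controls(s: Scenario, controls: list, key: str = "net_benefit") -> list:
    """Rank controls by a chosen metric; the ordering depends on the metric."""
    results = [evaluate_control(s, c) for c in controls]
    return sorted(results, key=lambda r: r[key], reverse=True)


# Constructed baseline: 120 phishing attempts a year, 5% succeed,
# each success costs between $5k and $200k (most likely $20k).
PHISHING = Scenario("Phishing leading to account takeover", 120, 0.05,
                    5_000, 20_000, 200_000)

# Constructed candidate controls (figures are illustrative, not benchmarks).
CONTROLS = [
    Control("Security awareness training", 60_000, vuln_reduction=0.40),
    Control("Phishing-resistant MFA", 90_000, vuln_reduction=0.50,
            magnitude_reduction=0.70),
    Control("Email filtering gateway", 40_000, tef_reduction=0.60),
]

if __name__ == "__main__":
    print(f"Baseline ALE: ${annualized_loss_expectancy(PHISHING):,.0f}")
    for metric in ("net_benefit", "rosi"):
        print(f"\nRanked by {metric}:")
        for r in rank_controls(PHISHING, CONTROLS, key=metric):
            print(f"  {r['control']:<30} net ${r['net_benefit']:>10,.0f}"
                  f"  ROSI {r['rosi']:.2f}")
```

With these constructed inputs the baseline ALE is $450,000. Ranked by net benefit the MFA control comes first ($292,500 net), but ranked by ROSI the cheaper email gateway wins (5.75 versus 3.25), which is the point Fusco makes above: the team has to decide what it wants a metric to prove before it reads the ranking.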

Connect the dots from security to business outcomes

Such financial calculations help all enterprise leaders better understand the value of the security program and can better prioritize limited resources.

Security leaders say CISOs can demonstrate how their strong security postures can edge out competitors to land deals where security reviews are part of the evaluation process. CISOs working for companies doing acquisitions could show how their security efforts speed integration and, thus, boost market value.

Or CISOs may need to perform more abstract calculations, such as demonstrating how security efforts lower the risk of reputational harm associated with an incident and calculating the dollar value of preventing the financial losses that would have happened with a damaged reputation.

Whichever options CISOs pursue, the point is to “connect the dots from security activities to the business,” Andress says. “That’s based on understanding your business, the risk landscape, probability and the costs related to that. And that allows you to have conversations around security priorities, to decide budgets and roadmaps based on that quantification perspectives.”
