For most organizations, cybersecurity has always been seen as a cost center rather than a business enabler or revenue driver. Executives perceive cybersecurity as a necessary evil that pulls funds away from more important, income-generating functions like marketing and product development, even though cybersecurity budgets only amount to a small fraction of these costs.
This perception has only grown more acute over the years, even as CISOs gain access to their boards and CEOs. That is why, in multiple studies, including one from Ponemon Institute and Open Text, security leaders rank “using metrics to demonstrate the business value of the IT security program to the business” as their top priority.
But choosing the right metrics, and expressing them in language and benchmarks that business leaders can absorb, does not come easily to most cybersecurity leaders, especially CISOs who come from technical backgrounds, experts say.
Champion an enterprise risk management function
Cybersecurity leaders who report up through the IT department in organizations that lack a proper enterprise risk management (ERM) function have a particularly hard time proving value, according to Michael S. Oberlaender, a CISO with 25 years of experience who has authored several books on CISO leadership. His writings are based on his experience working with boards and the C-suite to devise and track cybersecurity metrics within the ERM function.
“At several companies I’ve worked for I’ve had to help them create an enterprise risk management function. To do that, I find great allies among the business leaders and work with them to align cyber risk with business priorities,” Oberlaender notes. “In other cases, I use and maintain a documented risk register and present that in my regular board meetings — here are the metrics within our assigned and managed risks and here are the risks we have not yet decided upon.”
With a foundational ERM program in place, and by aligning metrics to business priorities, cybersecurity leaders can ultimately prove the value of the cybersecurity function. Examples of useful metrics expressed in business terms include maturity, compliance, risk, budget, business value streams, and the status of SecDevOps (shift-left) adoption, Oberlaender explains.
But how does a cybersecurity expert learn what’s important to the business? They get out of their comfort zones. Or, as Oberlaender puts it, they go from department to department to learn about business priorities, then roll that knowledge up to higher groups and functions, ultimately reaching the board of directors.
Cybersecurity as a business function
“The challenge has been that security is put in the wrong organizational structure — with the CISO reporting to the CIO or CTO or chief digital officer,” Oberlaender says. “Security is not foremost a technology problem. Maybe ten or twenty percent is technology. But the rest is people, process and the business. So, it takes CISOs years to change the culture.”
This rings particularly true when it comes to cybersecurity metrics, which in most cases rely too heavily on technical statistics and FUD (fear, uncertainty, and doubt) that befuddle business leaders and do little to prove the value of the cybersecurity function, says Chris Hetner, senior cyber risk advisor for the National Association of Corporate Directors (NACD), which serves a 24,000-member boardroom community.
“The board is fatigued. Board members are increasingly questioning if that capital is distributed effectively. But the CISO responds with this highly technical set of metrics they neither care for nor understand,” Hetner explains. “There is fatigue in the audit committee, in the board room, and among chief executives who, even after all these years working with security executives, still have limited visibility into where cyber security budgets are being deployed, let alone understanding how these investments reduce business risk and operational exposure.”
According to Hetner, all but the most regulated, risk-averse industries (such as finance) usually lack an ERM function, which he describes as a critical conduit for the CISO to align security metrics with business, operational, financial, and regulatory requirements and, eventually, board engagement. Without that layer, CISOs operate on their own islands, which undermines their ability to present the right metrics to their business leaders. As a starting point, he points to how frameworks like the COSO ERM framework tie into cybersecurity frameworks.
“Boards are faced with complex matters such as the impact of interest rates, tariffs, stock price volatility, supply chain issues, profitability, and acquisitions. Then the CISO enters the boardroom with their MITRE ATT&CK framework, patching metrics and NIST maturity models,” Hetner continues. “These metrics are not aligned to what the board is conditioned to reviewing.”
Hetner, who spoke with CSO shortly after meeting hundreds of board members at the annual NACD Summit, says those members want concise reports on the prominent threats affecting their industry group. So when Hetner brings benchmarking and insights to boards and CEOs, he shows how those threats would affect their business, operations, uptime, and financials, set against the cost of preventing and protecting against these industry-wide threats.
“Boards love benchmarking against peers. They’re conditioned to look at benchmarking data. That’s what they do on compensation and competitive advantage and proxy disclosures. Why shouldn’t they be doing this for cyber?”
Compare metrics against their risk appetite
Nick Nolen, VP of operations and cybersecurity strategy at consulting firm Redpoint Cybersecurity Services, comes from an operations background. From that perspective, he sees boards getting more involved in risk posture, which he regards as a good sign for business-level cyber maturity.
Rather than simply asking “are we secure?”, business leaders are asking what metrics their cyber teams use to measure and quantify risk, and how they are spending against those risks. For CISOs, this goes beyond measuring against frameworks such as NIST, listing a litany of security vulnerabilities they patched, or reporting their mean time to respond.
“Instead, we can say, ‘This is our potential financial exposure’,” Nolen explains. “So now you’re talking dollars and cents rather than CVEs and technical scores that board members don’t care about. What they care about is the bottom line.”
Nolen and his team use a proprietary, data-driven model to calculate the costs and financial exposures associated with cybersecurity programs. After conducting their assessments, they focus on the critical gaps that most severely impact the business, then calculate that risk against 115 internal and external data sources.
“Business leaders don’t care about the controls like MFA and the thirty other controls we’re spending on. They care about improving the company’s financial stability by securing critical business systems,” Nolen adds. “So, instead of a block of risks, we can show a risk curve before and after we strengthened controls. In one case, we showed a 40% reduction in total cyber loss exposure over six months, and the CEO asked, ‘We lowered risk by almost half?’ That’s a powerful metric.”
With the right calculations linking business, risk, and potential losses, he shows the financial value of critical business risk exposure. For example, if an organization is carrying $50 million in risk and its cyber insurer will only cover $25 million in a breach, the question becomes how much of the remaining, uninsured exposure falls within the organization’s risk appetite.
If the client needs to take that $25 million of uninsured risk down to $10 million, Nolen’s team identifies the measures that would reduce the risk and calculates their cost. In other cases, they look at ROI based on risk reduction and how money is spread across those programs. For example, one program may be returning 120% on investment while another returns 800%, so the latter gets bumped to the top.
“The market is finally shifting from fear-based, reactionary selling — from CISOs talking technical terms the CEOs and CFOs don’t understand,” Nolen adds. “Now, CEOs and boards want to clearly understand business risks and potential exposure in metrics they are used to — probability, impact, and loss ranges — while also using business intelligence to drive value.”
How to choose key metrics
The desire among CISOs to prove the value of their programs prompted identity provider Okta to develop a report with input from several of its CISO Forum members. The report, a practical guide to proving the ROI of cybersecurity programs through business metrics, offers digestible advice from leading CISOs on how to choose key metrics and KPIs (key performance indicators), including how to build strong relationships with stakeholders, how to tailor messaging to the audience, and how to tell a powerful story.
Ultimately, says Matt Immler, regional CSO for the Americas at Okta, “The board wants to know, ‘At what point can we stop spending and know we’re secure?’” That answer may be “never,” but CISOs need to recognize that this is a real pain point for business leaders. “That’s why we developed the report, because it’s so hard to quantify to a board or any sort of leadership or budget office what type of security metrics they can utilize to prove the value of the program.”
The original article was published on CSO Online.