Communicating the value of Cybersecurity to senior management and Board Members is often challenging; after all, if you are doing your job right, there may be questions as to whether it’s actually necessary to expend the kind of resources on your CS efforts. It’s natural that budgets will be eroded over time as business minds take cybersecurity for granted and focus on their bottom line. After some discussions with peers and some research, I’ve come up with some metrics that I hope may help communicate the value of your efforts to the business. I’d be very interested in your feedback. What have I missed? What could I describe better?
Time is Money
When it comes to end users, the implementation of security measures is often seen as a way to slow down productivity. We tell users to slow down and think before clicking a link or use different passwords for different applications, but cybersecurity doesn’t have to be a time-consuming exercise.
Using products that implement secure use of business systems, such as FIDO Alliance compliant security keys and Password managers that won’t input sensitive passwords into phishing sites and encourage the use of secure, unique passwords, will also shave minutes off a person’s day. That doesn’t seem like much, but let’s do a quick analysis. Imagine that a user is being paid $50 an hour. They log in to an application three times a day and use a Yubi Key that saves 30 seconds each time. Taking an average of 20 working days a month, you can demonstrate that the Yubi key will save 30 seconds 720 times a year (3x20x12) that’s 360 minutes a year, or 6 hours. At $50 an hour, that’s $300. A Yubi key at the time of writing, a basic Yubi key costs $50 (Other keys can be significantly less; check out the FIDO Alliance page to find alternatives). The maths isn’t difficult: implement two basic $50 keys (to account for loss) among 500 employees, and you’ve just saved the business $100,000 per year. While at the same time significantly improving the security of the business and reducing user frustration.
Demonstrating how security programs can actually be beneficial to the business outside of simply keeping people safe is a key way to gain Senior Management support.
Security Culture
Assessing and enhancing the cybersecurity knowledge of your staff can significantly reduce the risk of security incidents. While they’re often referred to as “the last line of defence,” we should surely argue that employees serve as the first line of defence. The way they manage security within the company directly impacts the level of risk the business faces. A culture of complacency within the organization can lead to an increase in risky behaviours, resulting in increased costs associated with compensatory security measures.
Measuring the shift from a complacent culture to one that prioritizes security can provide a valuable metric for quantifying the reduction in risky activities. Therefore, investing in employee training and regularly assessing their comprehension of their role in the company’s cybersecurity efforts can provide valuable insights. These insights can then be presented to the board as a means to demonstrate how risk is being reduced over time.
Value Delivery Speed
Selecting security products, such as SIEM systems, that can successfully integrate with other security controls will significantly reduce the time between detection and containment. According to the IBM Cost of Data Breach Report 2023 (p.14), the average time between breach and detection is 204 days, and from detection to containment is 73 days. Integrating your solutions can significantly reduce both, reducing the cost of that breach. According to the same report, 62% of the cost of a breach is in the detection and escalation phases. Automating these will reduce the overall costs by ensuring that your technology delivers value at speed, thus reducing the overall cost of breaches.
Progress Towards Compliance
With the GDPR and other regulators ready to hand out huge fines (The EU GDPR sets a maximum fine of €20 million or 4% of annual global turnover – whichever is greater – for infringements.) and PCI DSS ready to hand out penalties that include: $100,000/month, up to $5 fee per replacement card, legal costs and investigation and audit costs, investing in technologies that improve compliance can appear cheap in comparison.
If a retailer has a turnover of a million credit card transactions per year, then $20 million for the cost of replacement cards might be significantly more than the cost to the business of becoming and remaining compliant. Quantifying these costs will help your board members and senior management understand the benefits of the CS program and its costs. Presenting this as a journey and providing a progress report is likely more meaningful to Senior Management.
It’s not only mandatory compliance that is important. Your field of business operation may find compliance with Standards such as ISO 27001 will add business benefits, increasing your value to customers. Both internal and external audits will provide items that might get added to the Risk Register or need to be addressed in other ways. Reporting on Audit findings and Risk Register items completed or progress to completion will effectively demonstrate your focus on the risks the business deems in need of addressing. If you can demonstrate which solutions address which risk items, you can start to justify the associated expenses by comparing the cost against the potential costs of not addressing those risks.
Dark Web Monitoring
With a program of monitoring Dark Web databases for usernames and passwords, a business can proactively change passwords for accounts involved in password breaches and use this information to detect breaches by focusing on risky account behaviour.
One username appearing on the Dark Web might indicate a user who has been using their user details on an external site that has been breached, so tracing the activities of that account within your network might be sufficient to ensure threat actors have not used the breached account, or if they have used it, trace their actions and respond appropriately. Multiple user accounts appearing in a database may indicate that a breach has already occurred within your organisation and require you to take further action quickly.
Threat actors need to monetise their activities as quickly as possible or risk losing their access. With an average of 204 days to detect a breach, monitoring the dark web can act as an early warning to reduce breach detection time and may be sufficient to prevent breaches from escalating from damaging to catastrophic.
Down Time costs
Cybersecurity encompasses the protection of the CIA triad, which includes Confidentiality, Integrity, and Availability. In this context, Availability specifically relates to ensuring that systems and data are accessible and functional. Consequently, Disaster Recovery is a critical function of cybersecurity.
Disaster recovery involves the utilization of key metrics, such as Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO), which directly impact business costs. RTO signifies the duration between the occurrence of a disaster, such as a ransomware attack, and the moment when the business can fully restore its services to an agreed-upon acceptable level. This period not only encompasses the lost productivity during the recovery process but also includes the wages of the staff involved. For example, if it takes 24 hours to bring the business back to full productivity, it results in the loss of a day’s worth of value creating work and associated staff wages.
On the other hand, RPO represents the value that was lost from the time of the disaster back to the last backup. If backups are conducted every 24 hours, the business may forfeit the previous day’s worth of value creating work and the corresponding staff wages.
In addition to RTO and RPO, it’s essential to consider Recovery Time Actual (RTA), which accounts for the actual time elapsed from the onset of a disaster to full recovery. For instance, if a disaster strikes at midnight, the RTA encompasses the time it takes to locate essential resources, assemble the disaster recovery team, hold necessary meetings, and then initiate recovery activities. RTA is a valuable metric because it provides real-world insights that can help identify weaknesses in disaster recovery planning and reduce delays through testing and exercises.
An important metric for senior management is Mean Time Between Failures (MTBF). This metric demonstrates how cybersecurity efforts enhance recovery capabilities and proactively prevent failures. By improving MTBF, you can justify both the costs associated with recovery and the investments made in preventative measures.
Creating Transparency
Threat Mitigation Reports (TMRs) serve as a crucial tool for senior management and the board to gain insight into your day-to-day activities. It’s essential to convey that a lack of reported breaches or visible business losses doesn’t equate to inactivity due to an absence of threats targeting the business. TMRs should be framed in terms that resonate with the business audience, helping them grasp the tangible impact of your efforts in mitigating risks to their business interests.
These TMRs should adopt the form of Business Impact Analyses, which involves estimating the monetary losses tied to lost productivity, the potential loss of intellectual property to competitors, disruptions in financial information that might lead to incorrect supplier payments and other losses of significance to the business. Such estimates can be weighed against security costs, offering a comprehensive view of the risks and benefits.
Following the zero-trust model, effective asset management for devices, applications, and services stands as a foundational element of cybersecurity. Understanding what requires protection reduces the likelihood and impact of breaches and trims overall cybersecurity costs by concentrating efforts on safeguarding critical assets (The “Protect Surface”) rather than constantly monitoring potential attack points. (The “Attack Surface”)
Asset management has additional advantages, notably the identification of Shadow IT, that is, IT resources that are not under IT department management and lack the same level of governance and oversight. From a business perspective, this shadow IT phenomenon has been found to exhibit a negative correlation with alignment to business strategy. Additionally, it often duplicates or underperforms compared to existing business solutions.
Research, including my own Master’s thesis, indicates that Shadow IT usage is prevalent, with the vast majority of cloud-based apps falling under the shadow IT category, effectively putting business intellectual property outside the control of the business. Essentially Shadow IT represents an insider threat, even if the threat actors are caring employees, acting in a way they feel is beneficial to the business.
In this context, you can assess the cost-effectiveness and productivity gains of Shadow IT versus IT-provided solutions. By shedding light on previously hidden business expenses, you can enhance IT budget management, realizing cost savings, boosting productivity, and implementing security enhancements. A key performance indicator (KPI) here could involve tracking the number of business-related IT solutions appearing on budgets outside the purview of IT.
Dashboards are easy to read
There’s nothing like a dashboard or graph to demonstrate a number of complex tracking objects in a fast and easy-to-read manner. A simple graph that demonstrates the business’s cyber resiliency over time can convey a concept far better than many words. A rising line shows things are getting better, and a falling line shows they’re getting worse. Tracking metrics that include mean time to respond, employee training completion and effectiveness, system uptime and recovery times and so on are all meaningful and allow a business to understand the Cybersecurity posture at a glance without understanding what the numbers actually mean. If you can tie it into business costs vs cybersecurity costs, it’s even better. Senior Management is only focused on the bottom line, so money is the universal key to delivering an effective message.