Use the right cybersecurity analytics to make a business case for risk management

Eric Cisternelli | December 30, 2020 | tag: Security Ratings

Not long ago, corporate executives would give only passing thoughts to their organization’s cybersecurity postures. Leadership and board members would take notice in the wake of a major data breach, for example, or a couple of times a year as a “check the box” exercise to maintain compliance with regulations. Overall, however, cybersecurity analytics didn’t really garner much attention.

That changed in 2020. In the wake of the pandemic, cybersecurity incidents rose and became more sophisticated, with phishing campaigns and ransomware attacks becoming more prevalent. Industries like healthcare and scientific research were particularly hard hit, but no sector was spared. The year culminated in the exposure of the SolarWinds breach, possibly the largest and most consequential third-party breach ever.

The rise in threats made executives take more notice of the way their organizations are using cybersecurity analytics to mitigate risk and reduce threats to their businesses. A recent survey by PwC shows that 96% of executives have shifted their cybersecurity strategy due to COVID-19, indicating a new seriousness about cybersecurity among the C-suite. That same survey discovered that 55% of respondents lack confidence their cybersecurity spending is allocated towards the most significant risks. This is in line with Gartner research indicating boards are asking for increased data and accountability into what their significant investments in cybersecurity technologies have bought them.

Using cybersecurity analytics to gauge performance outcomes

Executive leadership may very well look at recent cybersecurity attacks in both shock and wonder: shock at the scale and implications of the attacks, and wonder about how, with average annual cybersecurity expenditures numbering in the hundreds of millions of dollars, these attacks even took place. They may ask: where is all of that money going? What is it getting us?

Answering those questions requires cybersecurity analytics that tie organizations’ overall risk and security postures directly back to business outcomes. CISOs and their security teams must be able to dig deep into their cybersecurity performance metrics and use that data to address several key points that are top of mind with company leadership:

  • How does cybersecurity performance compare to competitors or the company’s industry as a whole?
  • How did the company’s cybersecurity performance improve over last year? (This is a particularly compelling question to be able to answer, especially in light of the rise in attacks over the course of 2020.)
  • Did the time it takes for the organization to patch known vulnerabilities and address security concerns increase or decrease?
  • Is the organization more or less at risk from our third-party vendors?
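The four questions above can only be answered if findings are recorded consistently and summarised the same way each year. As an added example (not from the original post or any product it describes), this Python script computes the year-over-year KPIs behind three of those questions from a constructed set of vulnerability findings: median days to patch, the share of findings traced to third-party vendors, and the unpatched backlog.

```python
from datetime import date
from statistics import median

# Constructed sample of vulnerability findings (not real data). Each record holds
# the discovery date, the patch date (None if still open) and whether the finding
# originated with a third-party vendor.
FINDINGS = [
    {"found": date(2019, 2, 3),  "patched": date(2019, 3, 20),  "third_party": False},
    {"found": date(2019, 5, 11), "patched": date(2019, 6, 30),  "third_party": True},
    {"found": date(2019, 8, 7),  "patched": date(2019, 9, 1),   "third_party": False},
    {"found": date(2019, 11, 2), "patched": date(2020, 1, 15),  "third_party": True},
    {"found": date(2020, 1, 9),  "patched": date(2020, 1, 30),  "third_party": False},
    {"found": date(2020, 4, 14), "patched": date(2020, 5, 2),   "third_party": True},
    {"found": date(2020, 7, 21), "patched": date(2020, 8, 4),   "third_party": False},
    {"found": date(2020, 10, 5), "patched": date(2020, 10, 19), "third_party": True},
    {"found": date(2020, 12, 1), "patched": None,               "third_party": True},
]


def findings_in(year, findings=FINDINGS):
    """All findings discovered in the given calendar year."""
    return [f for f in findings if f["found"].year == year]


def median_days_to_patch(year, findings=FINDINGS):
    """Median days from discovery to patch. Open findings are excluded here and
    reported separately as backlog, so they cannot silently shrink the median."""
    days = [(f["patched"] - f["found"]).days
            for f in findings_in(year, findings) if f["patched"] is not None]
    return median(days) if days else None


def third_party_share(year, findings=FINDINGS):
    """Fraction of the year's findings that came from third-party vendors."""
    fs = findings_in(year, findings)
    return round(sum(f["third_party"] for f in fs) / len(fs), 2) if fs else None


def open_backlog(year, findings=FINDINGS):
    """Findings from the year that are still unpatched."""
    return sum(1 for f in findings_in(year, findings) if f["patched"] is None)


def board_summary(prev, curr, findings=FINDINGS):
    """Year-over-year KPI pairs (previous, current) plus a plain improved/not flag."""
    ttp_prev, ttp_curr = median_days_to_patch(prev, findings), median_days_to_patch(curr, findings)
    return {
        "median_days_to_patch": (ttp_prev, ttp_curr),
        "third_party_share": (third_party_share(prev, findings), third_party_share(curr, findings)),
        "open_backlog": (open_backlog(prev, findings), open_backlog(curr, findings)),
        "patching_improved": None if None in (ttp_prev, ttp_curr) else ttp_curr < ttp_prev,
    }
```

With the constructed data, the 2019-to-2020 summary shows patch time falling while the third-party share and the open backlog rise, which is exactly the mixed picture a board needs stated in numbers rather than in incident counts.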

In other words, it’s not enough to capture the risk the organization faces and mitigate it. CISOs must showcase the business outcomes their cybersecurity initiatives are driving. Essentially, they need to make a case for their cybersecurity initiatives and show they are making a tangible, demonstrable difference in their organizations.

This requires more than a report proving the company mitigated 10,000 phishing attacks over the past year. While that sounds impressive, those numbers mean nothing to executive leadership without some form of context into how that mitigation impacted the business. Leadership needs metrics that show their cybersecurity dollars are being well spent. Tools that offer security performance management and third-party risk management help because they provide perspective into how organizations are doing relative to their markets and overall risk levels.

Executives are business experts, not cybersecurity professionals

When presenting these metrics, it’s important for CISOs to remember who they’re talking to. Just because leadership might have a vested interest in their organizations’ cybersecurity initiatives doesn’t mean they understand (or even want to understand) everything that goes into those initiatives. Hence, it’s important for information to be presented in a highly consumable way that speaks to top executives and board members in their own language, either through a cybersecurity dashboard or easy-to-digest reports.

Business leaders respond to numbers. CISOs must present them with measurable metrics that show that cybersecurity efforts are working and positively impacting their bottom lines. Analysis of the reduction in the number of cybersecurity incidents over a period of time, or of how cybersecurity efforts have led to reduced risk or business growth, makes for good data points to share. Setting clear and measurable goals and KPIs is also important: it creates accountability and shows the cybersecurity team is hitting its marks.

Learn more

There are many more strategies CISOs need to consider as executives continue to home in on the effectiveness and ROI of their organizations’ cybersecurity programs. Many of these strategies are detailed in our complimentary ebook, CISO’s Guide to Reporting to the Board. In it, CISOs will learn how to validate their cybersecurity efforts to organizational leadership in ways that will resonate with top executives and board members.

That resource is more important than ever, and will undoubtedly continue to be, because cybersecurity is no longer an afterthought and the executive suite is paying close attention.
