With more executives identifying security as critical for enterprise revenue growth, the CFO needs to be comfortable handling cybersecurity investments that provide defensible performance and outcomes to busi-ness stakeholders, according to Gartner, Inc.
During the session, “CFO: Manage the Business Value of Cybersecurity Investments” at the recent Gartner CFO & Finance Exec-utive Conference today, Paul Proctor, distinguished vice president analyst at Gartner, explained to attendees how to develop an approach to cybersecurity that balances protec-tion with running the business.
“There is no such thing as perfect protec-tion,” said Proctor. “No matter how much an organization spends, it can still get hacked the next day, so the real question is: can finance leaders defend the choices they have made on cybersecurity to their key stakeholders?”
Executives must develop a cybersecurity posture they can defend to shareholders, to reg-ulators, to employees, customers, and partners, in the event of an incident. Doing so results in more effective cyber protection. The best way to do this is to treat cybersecurity as a business investment.
This means that CFOs need to determine the business value of cybersecurity using outcome-driven metrics and a business value benchmark. “The emergence of protection level benchmarks is a critical step in the development of a cybersecurity standard of due care,” said Proctor. This enables CFOs to make informed cyber-security investments that balance the need to protect and run their business while also better managing chief information security officer (CISO) demands for budget.
“Treating cybersecurity in a manner that reconciles measurable levels of protection with the needs of the business, which are called Protection-Level Agreement (PLA) decisions, creates a defensibility of their implementa-tion,” said Proctor. “This kind of defined agree-ment leads to better cybersecurity investment decisions, better execution and a safer world overall.”
For example, instead of reporting on the number of attacks an organization receives, executives should report on the number of days to patch critical systems. This has a direct line of sight to the value proposition of patching, which is to limit the number of days a vulnerability is available for hacking. Then executives can weigh the cost of faster patching against the reduced risks to critical systems which is a business decision based on a measurable level of protection.
“If an organization’s PLA is for 30-day patching of critical systems, and those systems get hacked via an unpatched vulnerability after 35 days, that is a control failure: security and IT have failed to deliver on the agreement,” said Proctor. “However, if the same vulnerabil-ity is hacked in 25 days, that is as a result of a business risk decision: a concrete, measurable, enforceable assertion of risk-appetite.”
There are two measures of cybersecurity value, first is operational value delivery, and second is the target level of protection. Both are important to create defensibility for exec-utives. Did they pick defensible targets? Did IT and security deliver their desired level of protection?
“The organization must make conscious decisions regarding what it will do, and more importantly, what it will not do to protect itself,” said Proctor. “Residual risk must be accounted for, and as the business grows, CISOs, CFOs and other executives must con-tinually reassess how much risk is appropriate.”
Learn more at Gartner.com.
