March 2, 2015 By Derek Brink 3 min read

A series of workshops with information security leaders from well-known organizations at the NG Security U.S. Summit in December 2014 uncovered some valuable insights that can help chief information security officers (CISOs) drive a self-improvement agenda for their enterprise security teams in the year ahead.

What Is the Business Value of Information Security?

The workshops began with a simple but essential question: What value do CISOs believe their information security programs provide to their respective organizations? The business value of information security is always expressed in one of four high-level categories: enablement, risk, compliance and cost. As expected, group discussions touched on all four of these traditional categories for business value. Like the leaders of any business function, CISOs are regularly asked to address some pretty basic questions with the organization’s C-level leadership. What do you do? How much does it cost? What value does it provide? Answering these questions is how CISOs become and remain relevant.

How Is Business Value of Information Security Communicated?

Approaches to the communication of business value varied widely from one organization to another, as did their perceived utility and success. Some of the mechanisms participants mentioned included:

  • Budgeting;
  • Benchmarking;
  • Risk modeling;
  • Reporting for the periodic demonstration of compliance;
  • Metrics and dashboards of performance against preselected outcomes and ongoing trends;
  • Technical validation of security controls by means of scanning and testing;
  • Threat intelligence and other information sharing initiatives to track the security threat landscape;
  • Governance activities.

One important insight from the workshop discussions was that the absence of questions or objections from business leaders with which security leaders are communicating is often mistaken for understanding, acceptance or approval. However, awareness is not understanding, and silence is not approval.

Successes and Gaps in Providing and Communicating the Business Value of Information Security

Another important point from the workshops is that security professionals are very good at communicating the things that are important but not necessarily strategic (compliance and cost). However, they are not always so good at communicating the things that are highly strategic (enablement and risk). It’s important to understand the difference between whether something is strategic or merely important. An activity can be important to the business, but it may not be strategic; for example, every company needs to have a payroll system, but having a payroll system is not how a company differentiates itself from its competitors and delivers value to its customers.

With this in mind, a second insight from the workshops came from placing the four categories of business value provided by information security in a simple two-by-two matrix, with the strategic business value of each category on the y-axis and the effectiveness with which it is communicated on the x-axis. In plain language, security leaders need to communicate more effectively about the things that matter most.

For example, we are very effective at communicating about things that are important but don’t have any high strategic value, such as compliance and cost, which participants placed in the lower-right corner. When it comes to the things that have high strategic importance to the organization — such as enablement and risk, which participants placed in the upper-left corner — we currently aren’t very effective.

Obviously, we want to move the latter from the upper-left to the upper-right over time.

Top Challenges for a Self-Improvement Agenda

Unsurprisingly, workshop participants identified risk and enablement as their biggest challenges, along with enhanced visibility, which makes a positive contribution to both. For several examples of the initiatives that are being implemented or considered to help improve these three areas, the full research report, titled “Flash Forward: Self-Improvement Agenda for Security Leaders,” is freely available.

Perhaps the most important takeaway from these workshops is the confirmation that the next generation of security leaders needs to bridge the gap between technology and business. Deliberate, continued progress down this path should be part of the self-improvement agenda that CISOs set for their organization for 2015 and beyond.
