March 2, 2015 By Derek Brink 3 min read

A series of workshops with information security leaders from well-known organizations at the NG Security U.S. Summit in December 2014 uncovered some valuable insights that can help chief information security officers (CISOs) drive a self-improvement agenda for their enterprise security teams in the year ahead.

What Is the Business Value of Information Security?

The workshops began with a simple but essential question: What value do CISOs believe their information security programs provide to their respective organizations? The business value of information security is always expressed in one of four high-level categories: enablement, risk, compliance and cost. As expected, group discussions touched on all four of these traditional categories for business value. Like the leaders of any business function, CISOs are regularly asked to address some pretty basic questions with the organization’s C-level leadership. What do you do? How much does it cost? What value does it provide? Answering these questions is how CISOs become and remain relevant.

How Is Business Value of Information Security Communicated?

Approaches to the communication of business value varied widely from one organization to another, as did their perceived utility and success. The mechanisms in use included the following:

  • Budgeting;
  • Benchmarking;
  • Risk modeling;
  • Reporting for the periodic demonstration of compliance;
  • Metrics and dashboards of performance against preselected outcomes and ongoing trends;
  • Technical validation of security controls by means of scanning and testing;
  • Threat intelligence and other information sharing initiatives to track the security threat landscape;
  • Governance activities.

One important insight from the workshop discussions was that the absence of questions or objections from the business leaders with whom security leaders are communicating is often mistaken for understanding, acceptance or approval. However, awareness is not understanding, and silence is not approval.

Successes and Gaps in Providing and Communicating the Business Value of Information Security

Another important point from the workshops is that security professionals are very good at communicating the things that are important but not necessarily strategic (compliance and cost). However, they are not always so good at communicating the things that are highly strategic (enablement and risk). It’s important to understand the difference between whether something is strategic or merely important. An activity can be important to the business, but it may not be strategic; for example, every company needs to have a payroll system, but having a payroll system is not how a company differentiates itself from its competitors and delivers value to its customers.

With this in mind, a second insight from the workshops is in the placement of the four categories of business value provided by information security in a simple two-by-two matrix. The strategic business value provided by information security is on the y-axis, and the effectiveness of communicating is on the x-axis. In plain language, security leaders need to communicate more effectively about the things that matter most.

For example, we are very effective at communicating about things that are important but don’t have any high strategic value, such as compliance and cost, which participants placed in the lower-right corner. When it comes to the things that have high strategic importance to the organization — such as enablement and risk, which participants placed in the upper-left corner — we currently aren’t very effective.

Obviously, we want to move the latter from the upper-left to the upper-right over time.

Top Challenges for a Self-Improvement Agenda

Unsurprisingly, workshop participants identified risk and enablement as their biggest challenges, along with enhanced visibility, which makes a positive contribution to both. For several examples of the initiatives that are being implemented or considered to help improve these three areas, the full research report, titled “Flash Forward: Self-Improvement Agenda for Security Leaders,” is freely available.

Perhaps the most important takeaway from these workshops is the confirmation that the next generation of security leaders needs to bridge the gap between technology and business. Deliberate, continued progress down this path should be part of the self-improvement agenda that CISOs set for their organization for 2015 and beyond.
