Cybersecurity ROI: How to align protection and performance for the business

Among the many competing priorities for a CIO overseeing digital transformation initiatives, one consistently rises to the top: protecting the business.

That’s a directive coming straight from the C-suite and board of directors, who want to see evidence of improved cybersecurity management amid growing cyber risks and increasing regulatory pressures. An Ernst & Young LLP analysis concludes that corporate directors need to double down on closing the gaps in cybersecurity defense and disclosure practices.

As a result of these pressures, cybersecurity has emerged as a business performance metric, with CIOs and chief information security officers (CISOs) expected to measure and report on their organization’s state of “cyber readiness” to an increasingly cyber-savvy leadership team. The EY report found that the rate of providing cybersecurity management insights to the board has risen from 54% in 2018 to 74% in 2022, but some companies continue to lag in their cyber strategies.

CIOs and CISOs should see this as an opportunity. Here are four ways to proactively address cybersecurity and measure your organization’s success.

1. Elevate the tone

CEOs and boards are asking harder questions about cybersecurity, thanks to near-daily reports of security incidents and the fallout of successful cyber attacks — including financial and business disruption.

“Boards are getting smarter on this topic,” said Mazen Baroudi, EY Americas Technology Strategy Leader. “They know what questions to ask.” Those questions include four that CIOs and CISOs should always be prepared to answer:

  • Is our organization putting the right controls in place to help prevent future attacks?
  • How are we testing our defenses?
  • What evidence do we have of attempted attacks, such as denial-of-service attempts, against us?
  • How were attacks addressed?

“Boards want CIOs and CISOs to demonstrate how quickly their teams and systems can identify, respond to, mitigate and prevent damage from attacks,” said Elizabeth Mann, EY Americas Technology Consulting Strategy and Execution Leader.

The relationships CIOs and CISOs establish with each other, as well as with the board and senior leadership, must be built on trust. Trust is aided by consistent open communication. Often that requires the CISO to have a direct line to senior leadership.

“Allowing the CISO into the boardroom on a regular basis means that their agenda isn’t filtered through another executive,” Mann said. “Then you can see a healthy balance between the CIO and CISO. If the CIO-CISO partnership is healthy, it's powerful and provides strategic advantage.”

2. Determine the business value at risk

IT and security leaders may find it challenging to answer questions from the board because cybersecurity performance is not a one-size-fits-all measurement.

“The only true success measure is not experiencing a cyber attack,” Mann said. “Yet that’s nearly impossible. The biggest and brightest of enterprises have had cyber attacks that have flattened them — not because they were being irresponsible, but because the attackers are well organized, well funded, very creative, very patient and tend to have some level of success.”

CIOs and CISOs should measure cybersecurity in terms of business value at risk. “We have to prioritize and measure cybersecurity against the things that matter most to the business,” said Mann.

One approach is to express the value at risk in dollar terms and reconcile it against the board’s risk tolerance, taking into account how much of that loss cyber insurance would actually absorb.

Another quantifiable metric is the impact of an attack on employees and systems, expressed as business downtime and lost productivity. For example, what would the financial impact of a network outage caused by a ransomware attack be? Consider not just lost revenue, but also the staffing cost of recovering from the incident.
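The two metrics above (value at risk reconciled against risk tolerance and insurance, and the cost of a ransomware outage including recovery staffing) can be put into one small quantification. The following is an added example, not code or data from the EY analysis: it prices a single outage as lost revenue plus recovery staffing, applies an assumed policy deductible and limit to find the loss the business retains, then runs a Monte Carlo over simulated years to report an expected annual loss and a 95th-percentile loss against a stated risk appetite. Every figure in the scenario is a constructed assumption, and the model simplifies to at most one incident per year.

```python
"""Business value at risk for a ransomware outage (added example, assumed figures)."""
import random
from dataclasses import dataclass
from statistics import mean, quantiles


@dataclass(frozen=True)
class OutageScenario:
    """One loss scenario. All numbers are assumptions, not data from the article."""
    name: str
    annual_probability: float     # chance of at least one successful attack per year
    downtime_hours: tuple         # (low, mode, high) of a triangular distribution
    revenue_per_hour: float       # revenue lost for every hour the service is down
    responders: int               # staff pulled onto recovery
    responder_hourly_cost: float  # fully loaded cost per responder-hour
    recovery_multiplier: float    # recovery effort lasts this many times the outage


def single_loss(s: OutageScenario, downtime_hours: float) -> dict:
    """Cost of one incident: lost revenue plus the staffing cost of recovery."""
    lost_revenue = downtime_hours * s.revenue_per_hour
    recovery_hours = downtime_hours * s.recovery_multiplier
    staffing = recovery_hours * s.responders * s.responder_hourly_cost
    return {"lost_revenue": lost_revenue, "staffing": staffing,
            "total": lost_revenue + staffing}


def retained_loss(gross: float, deductible: float, limit: float) -> float:
    """Loss the business keeps after a policy with a deductible and a limit pays out."""
    covered = min(max(gross - deductible, 0.0), limit)
    return gross - covered


def simulate(s: OutageScenario, deductible: float, limit: float,
             years: int = 20_000, seed: int = 7) -> dict:
    """Monte Carlo over simulated years; at most one incident per year (assumption)."""
    rng = random.Random(seed)  # fixed seed so the run is reproducible
    low, mode, high = s.downtime_hours
    gross, retained = [], []
    for _ in range(years):
        if rng.random() < s.annual_probability:
            hours = rng.triangular(low, high, mode)
            loss = single_loss(s, hours)["total"]
        else:
            loss = 0.0
        gross.append(loss)
        retained.append(retained_loss(loss, deductible, limit))
    return {
        "expected_annual_loss": mean(gross),
        "p95_annual_loss": quantiles(gross, n=20)[18],   # 95th percentile
        "expected_retained": mean(retained),
        "p95_retained": quantiles(retained, n=20)[18],
    }


def within_tolerance(result: dict, tolerance: float) -> bool:
    """The board's question: does the retained p95 loss stay under the risk appetite?"""
    return result["p95_retained"] <= tolerance


# Constructed scenario (assumed figures for illustration only).
RANSOMWARE = OutageScenario(
    name="ransomware outage of the order-management platform",
    annual_probability=0.3,
    downtime_hours=(12.0, 36.0, 120.0),
    revenue_per_hour=25_000.0,
    responders=12,
    responder_hourly_cost=150.0,
    recovery_multiplier=3.0,
)

if __name__ == "__main__":
    res = simulate(RANSOMWARE, deductible=250_000.0, limit=2_000_000.0)
    for key, value in res.items():
        print(f"{key:>22}: ${value:,.0f}")
    print("within $1M retained-loss appetite:", within_tolerance(res, 1_000_000.0))
```

The useful output for a board is the pair of retained figures rather than the gross ones: the gap between them is exactly what the insurance terms buy, and the p95 figure is the number to set beside the stated risk tolerance. Replacing the triangular downtime with a distribution fitted from past incidents and exercise timings, and the single-incident-per-year assumption with an event count, are the first two refinements a practitioner would make.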

“These measurements can also be used as an opportunity to prioritize funding and as a driver for investments,” Baroudi said.

When determining business value, other important steps include:

  • Deciding which risks represent the greatest exposure for your organization
  • Optimizing investments against those risks
  • Building muscle memory to best contain an attack
  • Prioritizing which applications and systems must be recovered first when an attack occurs

3. Optimize controls and leverage analytical tools

In practice, cyber readiness is a combination of bottom-up and top-down tactics — from security hygiene to business-led analytics — as well as collaboration in the C-suite. This is becoming increasingly important, given the new disclosure rules being proposed by the SEC and by Congress.

“Consider whether you’re doing the right things at the bottom of the pyramid to fulfill fiduciary responsibility, while building from business-led threat intelligence at the top,” Mann said. It’s important, she added, to quantify risk, optimize controls to mitigate those risks and then measure the quality of those controls.

Third-party risks, from partners, vendors and even customers, should be part of this assessment. This requires working with the C-suite to rank the elements of the organization’s ecosystem that matter most. The CIO and CISO can then prioritize resource allocation against the high-risk/high-priority areas, Mann said.

For example, look for analytical tools that give the board risk insights in terms of the likelihood and impact of security events. It is equally important to understand the processes business managers use to identify, assess and oversee potential risks in the supply chain.

“Resiliency is the key metric,” Mann said. “You should be able to demonstrate the ability to detect and mitigate incidents, including what happens first, second and third during an attack.”

4. Remain diligent

Digital transformation efforts, new regulations and the ever-evolving threat landscape require that CIOs and CISOs continue collaborating with each other and key business stakeholders on what works and what doesn’t.

For example, running response-and-recovery simulations on an ongoing basis, and comparing the results over time, not only builds resiliency but also prepares IT and security leaders to answer the board’s “how are our defenses?” question with evidence.

“A mature organization is actively tracking the threat landscape and using intelligence to analyze cyber risks,” Mann said.

The bottom line

These four strategies will enable the CIO and CISO to more confidently relate their organization’s state of cyber readiness to the board.

“At the end of the day, the onus is on the CISO and CIO around enterprise security and resiliency,” Baroudi said. “There is a heightened need for them to work together to measure their organization’s cybersecurity effectiveness.”

The views expressed by the author are not necessarily those of Ernst & Young LLP or other members of the global EY organization.