Tangible business metrics are key but hard to find
Cybersecurity is rising as a key issue on the radar of virtually all organisations. According to a recent AT Kearney report, cyber-attacks have been topping executives’ lists of business risks for three straight years. This concern is also driven by security and privacy becoming increasingly valued by customers, and by regulators stepping into the topic (GDPR in Europe, California Consumer Privacy Act of 2018).
Beyond this, it is now becoming crystal clear that cybersecurity – beyond good practice and good ethics – is quite simply good business. As a recent Cisco study made clear, cybersecurity will help fuel (and protect) an estimated $5.3trillion in private sector digital Value at Stake in the next 10 years. This is the kind of numbers boards cannot afford to overlook.
Tangible estimates like this one, however, are painfully rare in the cybersecurity space. Indeed, concepts relating to cybersecurity are both multi-faceted and very elusive – making them notoriously hard to measure. Furthermore, good cybersecurity is defined by the absence of breaches or losses. Observing what is not happening is a challenging – if interesting – endeavour.
A stringent example of this measurement problem can be found in a recent BCG research on Total Societal Impact. To their credit, cybersecurity is mentioned fairly extensively throughout the report as a key component of a firms’ ESG (Environmental, Social & Governance) strategy – although not consistently across industry sectors.
The issue arises when it comes to quantifying that intuition. The BCG, for example, reports finding a significant link between “Securing business and personal data” and a firm’s valuation. Looking into the appendix of the report, the problem lies in the fact that this concept seems to be operationalized through a series of somewhat vague dummy (0/1) variables. Examples of such metrics include whether “measures to ensure customer security” have been taken, or whether an information security management system has been implemented.
This is not only overly-simplistic – hiding key nuances in levels of cybersecurity maturity across firms – but it also encourages “tick-in-the-box” approaches to cybersecurity which have plagued the field for ages. Tellingly, no quantitative results are actually presented for cybersecurity in the report.
This lack of details around the quantification of the tangible value of following cybersecurity best practices is a problem. In fact, we believe it is an important reason why the issue is still shifting in and out of most boards’ radars. Gut feeling alone does not make for a strong-enough case: Top executives are increasingly asking “Show me the data”.
Beyond the fact that measuring success in the cybersecurity is very hard, another issue is the stringent lack of meaningful data.
This is a really big problem in the field of cyber insurance, for example, which struggles to fit its traditional actuarial models around the scarce data they can get a hold of. The reason for that is quite simple: most organizations are still very reluctant to share what they perceive as highly sensitive cybersecurity data (assuming they even have them to start with).
We also talked about this problem in the context of training defensive AI for cybersecurity, but this scarcity of reliable InfoSec data hinders generally much-needed research and results.
Being able to show key stakeholders in business terms what exactly is the tangible value-added of cybersecurity will be key in finally anchoring the topic at the right level of organizations.
Money – and data – talk. And boards usually listen. But we’re not there yet and cybersecurity looks definitely like a promising path for data-driven research.
The Business Transformation Network has posted this article in partnership with Corix Partners
Jean-Christophe Gaillard is Founder and Managing Director of Corix Partners
He is a senior executive and a team builder with over 25 years of experience developed in several global financial institutions in the UK and continental Europe, and a track-record at driving fundamental change in the Security field across global organisations, looking beyond the technical horizon into strategy, governance, culture, and the real dynamics of transformation.
A French national permanently established in the UK since 1993, he holds an Engineering Degree from Telecom Paris Tech and has been co-president of the Cyber Security group of the Telecom Paris Tech alumni association since May 2016.
He runs the Corix Partners blog and contributes regularly on the CIO Water Cooler, and has previously published articles on, InfoSecurity Magazine, Computing, the C-Suite.co.uk, Info Sec Buzz and the IoD Director websites. He was listed in the top 10 of UK 30 most influential thought leaders on Risk, RegTech and Compliance by Thomson Reuters in April 2017.