Tangible business metrics are key but hard to find
Cybersecurity is rising as a key issue on the radar of virtually all organisations. According to a recent AT Kearney report, cyber-attacks have been topping executives’ lists of business risks for three straight years. This concern is also driven by security and privacy becoming increasingly valued by customers, and by regulators stepping into the topic (GDPR in Europe, California Consumer Privacy Act of 2018).
More than that, it is now becoming crystal clear that cybersecurity – beyond good practice and good ethics – is quite simply good business. As a recent Cisco study made clear, cybersecurity will help fuel (and protect) an estimated $5.3 trillion in private sector digital Value at Stake in the next 10 years. These are the kind of numbers boards cannot afford to overlook.
Tangible estimates like this one, however, are painfully rare in the cybersecurity space. Indeed, concepts relating to cybersecurity are both multifaceted and very elusive – making them notoriously hard to measure. Furthermore, good cybersecurity is defined by the absence of breaches or losses. Observing what is not happening is a challenging – if interesting – endeavour.
A striking example of this measurement problem can be found in recent BCG research on Total Societal Impact. To their credit, cybersecurity is mentioned fairly extensively throughout the report as a key component of a firm’s ESG (Environmental, Social & Governance) strategy – although not consistently across industry sectors.
The issue arises when it comes to quantifying that intuition. BCG, for example, reports finding a significant link between “Securing business and personal data” and a firm’s valuation. Looking into the appendix of the report, the problem is that this concept seems to be operationalized through a series of somewhat vague dummy (0/1) variables. Examples of such metrics include whether “measures to ensure customer security” have been taken, or whether an information security management system has been implemented.
This is not only overly simplistic – hiding key nuances in levels of cybersecurity maturity across firms – but it also encourages the “tick-in-the-box” approaches to cybersecurity which have plagued the field for ages. Tellingly, no quantitative results are actually presented for cybersecurity in the report.
This lack of detail around the quantification of the tangible value of following cybersecurity best practices is a problem. In fact, we believe it is an important reason why the issue is still shifting in and out of most boards’ radars. Gut feeling alone does not make for a strong enough case: top executives are increasingly asking “Show me the data”.
Beyond the fact that measuring success in cybersecurity is very hard, another issue is the acute lack of meaningful data.
This is a really big problem in the field of cyber insurance, for example, which struggles to fit its traditional actuarial models around the scarce data it can get hold of. The reason for that is quite simple: most organizations are still very reluctant to share what they perceive as highly sensitive cybersecurity data (assuming they even have it to start with).
We also talked about this problem in the context of training defensive AI for cybersecurity, but more generally this scarcity of reliable InfoSec data hinders much-needed research and results.
Being able to show key stakeholders, in business terms, exactly what the tangible added value of cybersecurity is will be key to finally anchoring the topic at the right level of organizations.
Money – and data – talk. And boards usually listen. But we’re not there yet, and cybersecurity definitely looks like a promising path for data-driven research.