Economics of Security Part I: Translating Information Security Risks to Business Risk
Industry Perspectives 2021-10-28
In this two-part series, my colleague Greg Day, VP & CTO EMEA, and I will focus on making the business case for security solutions that will protect your organization.
One of the many challenges IT Security professionals face is translating the security risks of technologies into the business risks they pose to the company. This translation is critical to building buy-in from your business to fund security initiatives and ensure your projects are funded properly relative to the myriad other things your business is pursuing with its money.
But where should you start? I’ve found that the best place to start is by looking at the processes in the business that generate value. These are the parts of the business that a results-oriented manager will want to protect from threat. By describing security risks in terms of how critical business processes – and the value they generate – could be disrupted, your concern will resonate better with management. Consider the total business value that process generates today – is it 15 percent of the business or 85 percent? Give it a dollar figure. Given your assessment of the likely threat actors and security risks, how much of that value could be destroyed? This is a simple measure of the possible direct or immediate loss that could be experienced – something management are often measured and rewarded on.
Next you can look at knock-on impacts – this too helps speak to the management incentives. If the security risk manifests and creates a specific and significant business impact, would the market, regulators or customers notice? Would the stock price of the company drop as a result? Most business leaders will have a significant and direct interest in market valuation as their remuneration is often closely linked to the company’s stock market performance. Similarly, ask what is the business impact if a security failure leads to a loss of customers, of transaction volume, or increased regulatory scrutiny? Could you face a class action suit?
Sometimes the link between the business value generated and the technology underpinning it is a little hazy, but any modern business process that creates value will leverage and create data. It might be your customer data, the “secret sauce” of your products, a manufacturing capability that ensures your product has the best quality, the output from your R&D team, or perhaps it’s the plans for your next new business. Whatever this data is, and how you depend on it in your business, ensuring it is protected from threats is the difference between success and failure for many companies. Often this data is what the attacker is after. From a business perspective, the reliance on this data to operate the business effectively is how you connect the security risk to the business risk.
What are the most important assets and data in your business that create real value? This is very specific to every business. Think like an attacker: if you were to attack your business, what information would you steal, and why? What could you monetize, use to gain economic advantage, or gain market share? You can assess the value of that asset to your company in terms of potential losses from the dependent business processes, and the value of that asset to an attacker. Then determine how much you should invest to protect against the risks from cybersecurity threats. By going through the process of understanding how data and IT assets are part of the value creation in your business, you actually create the story to help understand the business risk, because you construct the discussion starting from the business process first.
Sometimes the most valuable thing you have is access to your customers. If your customers are large companies, this might make you a springboard to attack a smaller company – and likewise, for a larger company, your greatest security risks could be exposure to the less security-aware vendors in your operations and supply chain. Make sure to consider these scenarios when talking to your business. As larger organizations consider the risks in their supply chain, they will increasingly write security requirements into MSAs and demand not just compliance but demonstrable security capabilities from their business partners. It is a logical extension of risk management thinking to treat broader supply chain risks as part of overall business risk management, and this will drive many smaller businesses to invest in improved security capabilities.
More than half the organizations we surveyed do not regularly assess their information security investments in terms of their value relative to the business processes they protect. My recommendation is to re-evaluate your investment plan annually and ensure that your continued security investments remain relevant to the threats your business faces. You might also consider using a risk framework like ISO 27005 as a tool to help you manage this in a consistent way, to prioritize risks and the corresponding investments.
To summarize: understand how and where your business makes its money, illustrate the dependency on technology and data, then explain security risks in terms of the business impact.
In the second part of this series, Greg will discuss how to measure the economic value of your cybersecurity solutions.