We keep hearing about how boards now regard cyber security as a business risk, yet it’s often still treated as a problem to be solved with technology. Richard Addiscott from Gartner explores.
Leaders think of security almost like magic and security people as wizards, who cast spells to protect the organisation and keep it out of the headlines. If something goes wrong, they blame the wizards.
Cyber security is a business decision, but what does it mean to treat it that way? Lack of executive understanding puts organisations at risk of making poor decisions around security investments. One of the mistakes they make is trying to spend their way out of a cyber security problem.
Cyber security is now at the top of most organisations’ technology investment lists. Seventy-three percent of Australian and New Zealand CIOs said they will spend more on cyber security this year than they did in 2021, as greater regulation and threats increase leadership focus on security, according to Gartner’s annual global survey of CIOs and technology executives.
There is no such thing as “perfect” security. Businesses must constantly balance cyber security risks and investments against business value and outcomes. The goal should be to build a sustainable program that balances the needs to protect with the needs to run the business.
This balance can be achieved by making decisions based on the amount that organisations spend on cyber security and the value delivered in a business context. Measuring and reporting cyber security value delivery changes the focus of cyber security investment and board reporting.
Focusing on value also clearly shows the benefit of spending more, or less, on cyber security and aligns it to business outcomes. Inevitable attacks and incidents are absorbed while defensibility with stakeholders is maintained. At the same time, it engages business unit owners directly on cyber security readiness for their business outcomes.
Establish protection-level agreements
To treat cyber security as a business decision, organisations must stop investing in security tools and start investing in outcomes.
Technology and business drivers should influence how much is spent on a cyber security program and for what level of protection. This is best captured in a protection-level agreement between the IT team and business leaders, which sets out the desired security and business outcomes, and how they will be addressed by a set of controls that are consistent, adequate, reasonable and effective.
A protection-level agreement is a business decision to invest in a measurable level of protection at a defined cost – for example, 30-day patching will cost the enterprise $1 million a year. It facilitates decisions between executives and IT/security decision-makers.
Managing protection-level agreements materially changes cyber security governance to position non-IT executive decision-makers at the centre of how much security the organisation wants and how much it is willing to spend. These agreements are both business decisions and concrete assertions of risk appetite, which change the nature of success and failure in cyber security. If a security incident occurs within the tolerances agreed to, then it is the result of a business decision, not the failure of a control.
By moving toward managing business drivers and controllable outcomes, executives can articulate their desired levels of protection in terms they fully understand, rather than in cyber security terminology. Their focus will be in the context of business operations, regulatory demands, shareholders, cyber insurance eligibility, benchmarks on what others are doing or observable business impact.
By discussing protection-level agreements in these terms, executives can better understand and help set desired protection levels that can be controlled through investment. It also replaces overly simplified concepts such as high and low threat risks with a construct based on protection levels and cost to protect.
In this context, cyber security is now a business decision – the organisation is either hitting the operational targets that it has set, or it isn’t – just like every other business decision and investment.
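The article's example of a protection-level agreement, 30-day patching at a defined annual cost, only becomes a business decision once someone can say whether the target is being hit. The following is an added example, not code from the article or from Gartner, showing how that check might be operationalised: a small Python script that scores a constructed set of patch records per business unit against an assumed agreement (30-day window, 95% of due assets patched in time) and reports who is inside tolerance and who is not. All names (`ProtectionLevelAgreement`, `evaluate_pla`, the asset identifiers, the dates and the dollar figure) are assumptions made for the example, and the records are constructed sample data, not real inventory.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Assumed data model: one row per (asset, fix) pair as a vulnerability
# management tool might export it. `patched` is None while the fix is open.
@dataclass(frozen=True)
class PatchRecord:
    asset: str
    business_unit: str
    released: date            # date the vendor fix became available
    patched: Optional[date]   # date it was applied, or None if still open

# Assumed shape of a protection-level agreement: a measurable target plus
# the cost the business has agreed to pay for it.
@dataclass(frozen=True)
class ProtectionLevelAgreement:
    name: str
    sla_days: int         # maximum days from fix release to deployment
    target_pct: float     # share of due assets that must meet the window
    annual_cost_usd: int  # what the business agreed to spend for this level


def evaluate_pla(records: List[PatchRecord],
                 pla: ProtectionLevelAgreement,
                 as_of: date) -> Dict[str, dict]:
    """Score each business unit against the agreement as of a given date.

    An asset counts as compliant if patched within sla_days, as a breach if
    patched late or still open after the window has closed, and as pending
    (excluded from the percentage) if still open but inside the window.
    """
    per_unit: Dict[str, dict] = {}
    for rec in records:
        unit = per_unit.setdefault(
            rec.business_unit,
            {"compliant": 0, "pending": 0, "breaches": []},
        )
        if rec.patched is None:
            # Open item: breach only once the window has elapsed.
            if (as_of - rec.released).days > pla.sla_days:
                unit["breaches"].append(rec.asset)
            else:
                unit["pending"] += 1
        elif (rec.patched - rec.released).days <= pla.sla_days:
            unit["compliant"] += 1
        else:
            unit["breaches"].append(rec.asset)

    report: Dict[str, dict] = {}
    for name, unit in per_unit.items():
        due = unit["compliant"] + len(unit["breaches"])
        pct = 100.0 * unit["compliant"] / due if due else 100.0
        report[name] = {
            "compliance_pct": round(pct, 1),
            "within_tolerance": pct >= pla.target_pct,
            "breaches": sorted(unit["breaches"]),
            "pending": unit["pending"],
        }
    return report


# Assumed agreement mirroring the article's illustration (figures are
# placeholders, not Gartner data).
PATCHING_PLA = ProtectionLevelAgreement(
    name="30-day patching", sla_days=30, target_pct=95.0, annual_cost_usd=1_000_000
)

# Constructed sample records; the dates and asset names are invented.
AS_OF = date(2022, 6, 30)
SAMPLE_RECORDS = [
    PatchRecord("fin-web-01", "Finance", date(2022, 5, 1), date(2022, 5, 20)),   # 19 days
    PatchRecord("fin-db-01", "Finance", date(2022, 5, 1), date(2022, 6, 15)),    # 45 days
    PatchRecord("fin-app-02", "Finance", date(2022, 5, 10), date(2022, 6, 1)),   # 22 days
    PatchRecord("fin-app-03", "Finance", date(2022, 5, 10), date(2022, 6, 5)),   # 26 days
    PatchRecord("ret-pos-01", "Retail", date(2022, 5, 1), date(2022, 5, 15)),    # 14 days
    PatchRecord("ret-pos-02", "Retail", date(2022, 5, 1), date(2022, 5, 28)),    # 27 days
    PatchRecord("ret-web-01", "Retail", date(2022, 6, 20), None),                # open, 10 days
    PatchRecord("ret-web-02", "Retail", date(2022, 5, 15), date(2022, 6, 10)),   # 26 days
]

if __name__ == "__main__":
    for unit, result in evaluate_pla(SAMPLE_RECORDS, PATCHING_PLA, AS_OF).items():
        status = "within tolerance" if result["within_tolerance"] else "OUTSIDE tolerance"
        print(f"{unit}: {result['compliance_pct']}% ({status}), "
              f"breaches={result['breaches']}, pending={result['pending']}")
```

Run as is, the script reports Finance at 75% (one asset patched at 45 days) and Retail at 100% with one item still open but inside its window. The design choice worth noting is that open items inside the window are excluded rather than counted either way: counting them as compliant inflates the number, counting them as breaches penalises the unit for work that is not yet late, and either distortion undermines the "hitting the target or not" conversation the agreement is meant to support.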
Evolve cyber security thinking
Cyber security is a choice. Organisations get to choose their levels of protection and their investments to achieve a balance between the need to protect and the need to run the business. It’s time to evolve the way cyber security is measured and reported to reflect levels of protection for key business outcomes.
Richard Addiscott is a senior director analyst at Gartner. He advises information and cyber security leaders on improving security and risk management maturity. Richard will be the conference chair of the upcoming Gartner Security & Risk Management Summit – 21-22 June 2022 in Sydney.