How to Communicate the Business Value of a Cybersecurity Program

How to Communicate the Business Value of a Cybersecurity Program

Author: Tim Sadler, CEO and co-founder, Tessian

Communicating cybersecurity ROI to a company’s leadership team is no easy task. Security leaders are faced with placing a value on things that haven’t even happened, like data breaches, service disruptions and loss of customers. They need to justify security investment and acquire budget to protect organizations from the growing list of threats that could impact the future of the business.

Then there’s the problem of speaking a different language. Cybersecurity metrics are often communicated in complex, technical language that is difficult for the CEO or other business functions to understand. But translating cyber risk into business risk has never been more important, as many organizations face significant budget cuts amid COVID-19.

A comprehensive cybersecurity program is a business-critical function. With three tips, CIOs and CISOs can better communicate cybersecurity ROI by stressing why these programs are a must-have for their organizations, demonstrating the business value of security solutions and building a strong security culture.

Translate Cybersecurity Solutions Into Business Enablers

Cybersecurity should not be treated as a siloed department, but rather an integrated part of overall business functions. One way to communicate the far-reaching value of a cybersecurity strategy is to walk leadership through the consequences of a data breach — loss of customers, data, revenue, intellectual property and more — as these consequences directly affect a business’s bottom line. By connecting the dots for non-IT executives, they’ll be able to better acknowledge the importance of strong security practices.

Cybersecurity solutions can also become a unique selling point for the business, rather than being limited to prevention and remediation. Amid regulations like HIPAA, CCPA, and GDPR  that dictate how organizations handle sensitive data, a cybersecurity framework can enable the business by being a competitive differentiator. By investing in tools and personnel and being transparent about how your organization protects data, the company can actually bolster credibility and trust amongst prospects, existing customers and clients.

Focus on Metrics Unique to Your Organization

Evidence is a key component of communicating ROI, but what’s most important is using the right proof points and quantifying specific threats and overall risk for an organization.

Instead of using general statistics about overall risk, CISOs and CIOs can use security tools to calculate the potential exposure of the business itself based on organizational data. It’s also helpful to look at the specific types of attacks or phishing scams that target the particular industry. Security news and threat-intelligence-sharing organizations can be used to gather this information. Using data that is more specific to the organization will make the risk more tangible and the need for a solution more urgent.

Simulation tools are also effective for demonstrating the likelihood of a successful attack. Similarly, hiring a penetration tester can spotlight specific network vulnerabilities and justify investment.

Create a Positive Security Culture

Engaging the whole organization to help them understand the value of a cybersecurity program is not easy. Technical risks are often difficult to translate across departments. Meanwhile, policies and procedures that ensure good security habits can be seen as an impediment to employee productivity.

This is why a positive security culture is so important. By using techniques like gamification, positive reinforcement, or interactive content like videos and podcasts to promote security practices, CISOs can engage fellow employees and get more buy-in from executives. These strategies help everyone, regardless of department or level of seniority, understand the risks and responsibilities regarding security and how each employee plays a crucial role.

One major benefit of a positive security culture is that it creates in-house evangelists who can demonstrate the value of cybersecurity. It will also empower security-aware employees to become the organization’s greatest cybersecurity asset. Simple human error causes the majority of security breaches. Getting employees invested in security contributes to overall data protection and cybersecurity objectives.

Ultimately, communicating the value of cybersecurity depends on translating cyber risk into business risk, and making security a guiding principle for your larger organization. With risks and challenges related to remote working becoming the new normal for many organizations, it’s critical that IT leaders engage all employees in shared cybersecurity awareness.

About the Author

tim sadler authorTim is the Chief Executive Officer and co-founder of human layer security company Tessian. After a career in investment banking, Tim and his co-founders started Tessian in 2013, creating a cybersecurity solution that uses machine learning to protect people from risks on email like data exfiltration, accidental data loss and phishing. Tim has since built the company to over 160 employees in offices in San Francisco and London, and raised over $60m from leading venture capital funds. Tim was listed on the Forbes 30 Under 30 list in technology.

FAIR USE NOTICE: Under the "fair use" act, another author may make limited use of the original author's work without asking permission. Pursuant to 17 U.S. Code § 107, certain uses of copyrighted material "for purposes such as criticism, comment, news reporting, teaching (including multiple copies for classroom use), scholarship, or research, is not an infringement of copyright." As a matter of policy, fair use is based on the belief that the public is entitled to freely use portions of copyrighted materials for purposes of commentary and criticism. The fair use privilege is perhaps the most significant limitation on a copyright owner's exclusive rights. Cyber Defense Media Group is a news reporting company, reporting cyber news, events, information and much more at no charge at our website Cyber Defense Magazine. All images and reporting are done exclusively under the Fair Use of the US copyright act.