Cybersecurity Readiness As a Business Value

Information technology and operational technology have become critical business enablers for today’s companies. As far back as two decades ago, organizations were realizing that these areas had the potential to be much more than optional support elements.

“In a fundamental shift in the focus of big-ticket IT investments, senior executives now demand that IT investments actually build capabilities rather than just improve ongoing operations. Organizations are discovering that more of their companies’ ability to achieve competitive advantage hinges on delivering critical-path IT,” noted two executives from Booz and Company in an article originally published in 1999.1

With this new focus came new resource requirements and security concerns that didn’t follow the traditional business mappings associated with tangible equipment or physical production lines. The speed, agility, and near limitless possibilities that information systems bring to the market are the very things that make them difficult to bound. In its essence, information technology is not an end in itself, but a means to achieve organizational goals.2 Accordingly, cybersecurity has moved from being a solution approach to a strategic component of a company’s traditional business value model.

Driven by powerful digital forces, disruption, and rapid-fire innovation, every company is now a technology company.3 Cybersecurity has a critical role in protecting not only IT assets, but also intellectual property, sensitive customer data, marketplace presence, and brand reputation. In addition, business leaders are demanding greater innovations and a larger market presence that leverages technology. This often involves third-party solutions or untrusted external networks that introduce unknown or unmanaged risks.

Business leaders look to the chief information security officer (CISO) to help determine the proper cybersecurity investment for the best return in support of business objectives and protecting the corporation’s tangible and intangible assets (reputation and brand). As noted in a Cisco Blog from 2016, organizations seeking to be market leaders consider cybersecurity a “strategic advantage that not only protects business value, but enables new business value.”4 Organizations that do it well have a competitive advantage.

Ongoing tension remains, however, between the CISO and other organizational leaders when it comes to quantifying and justifying cybersecurity budgets. This disconnect stems from the different perspectives and drivers of each party. Cybersecurity programs are often measured in binary and inverse terms: the number and impact of breaches incurred. The primary focus of most CISOs is on prevention at all costs. They are neither accustomed nor encouraged to address cybersecurity in terms of business goals. Likewise, most non-IT stakeholders do not consider cybersecurity a contributor to the overall product. They see cybersecurity as a sunk cost, not as an investment or a component of competitive advantage.

One solution to this issue is to develop a common framework that incorporates both parties’ concerns—one that leverages risk management principles used in cybersecurity and business alike. A successful framework must incorporate cybersecurity as part of the organization’s goals. It should also promote the inclusion of corporate business strategies as part of cybersecurity risk management and decisions.

Understanding the Challenges

Most organizations do not have a clear understanding of where cybersecurity fits, having associated cybersecurity only with IT. However, cybersecurity differs from traditional IT by enough that technology-oriented return on investment (ROI) analyses do not work adequately. While IT provides resources to support the mission effectively and efficiently, cybersecurity is systemic to the organization, focusing on assets that exceed the boundaries of information technology. This positions cybersecurity more as a business enabler and less as a service provider compared to IT support services. 

Another challenge of aligning cybersecurity with conventional business parameters involves the intrinsic nature of cybersecurity itself. While one can count endpoints, systems, and other network assets, it is difficult to measure cybersecurity in a tangible way. It is difficult for even the experienced observer to assess the quality and extent of a solution’s capability simply from vendor product briefings. This situation often leads to the establishment of pilots and proof-of-concepts that delay full-scale deployments.

Meanwhile, the risk management approach to cybersecurity adds another layer of complexity: A solution may be perfect for a system in one environment, but unacceptable for an identical system in another operational environment.

These two challenges, coupled with the lack of a standard frame of reference between stakeholders, often lead to miscommunication, inconsistent measures, and the absence of a common understanding about cybersecurity implementation.

Viewing Cybersecurity as a Business Value

All organizations have a set of values that support their strategic vision. These values are sometimes referred to as “business values” because they often drive critical business decisions. While each organization defines its own set of business values, most have some variant of values that address mission objectives, financial security, and reputation. In addition, it is understood that a loss within one or more core elements would have a direct impact on the overall business. Likewise, a gain within these core elements would be viewed as value to the business. Once a set of values is established, operational activities can be prioritized5 based on their relevance to and influence on business values.

Within an organization’s strategic vision, business markets are becoming increasingly reliant on information technology (IT) and operational technology (OT).6 With this growth, the importance of protecting IT, OT, and sensitive data has moved from a best practice to a business driver.  Cybersecurity has an intrinsic value to mission, finances, and reputation. A cyber loss can have direct impacts on business objectives. Therefore, cybersecurity activities should be prioritized in the same manner as other organizational activities as they relate to business impact. Indeed, by incorporating “cybersecurity value” as a core business component, organizations can prioritize cybersecurity activities just as they would other business activities.

In order to bridge the gap between technical implementation and executive integration, it is important to have a common framework that aligns with each party’s perspectives and provides a mapping between them. Such a framework establishes a common lexicon, defines terms, and captures relationships. A number of frameworks currently in use, including those of the National Institute of Standards and Technology, are technology/risk driven. Although effective, they do not promote the idea of using cyber solutions to create a competitive advantage. 

We propose a new framework—the cyber business value framework—to be used in conjunction with the current framework. The new framework illustrates how cybersecurity value relates to a larger business strategy. It can be viewed as a competitive advantage and as a force multiplier supporting other business-related values. Through the cyber business value framework, shareholders, stakeholders, and implementers can focus their interactions on the relevance of a solution, strategy, or offering in a common and consistent way. Cyber value not only protects the organization’s digital assets, but is also an operational enabler for other business values: mission, financial, and reputational. Cyber value can be viewed as the organization’s ability to support business objectives by adapting cybersecurity efforts.  

The cyber business value framework, shown in Figure 1, illustrates how cybersecurity efforts create cyber value for the organization. It proposes that business decisions are based on established priorities, current capabilities, and the desired end-state. Using this framework, companies can align and map cybersecurity efforts to the organization’s business values. Each element of the framework provides a critical component that collectively defines the organization’s “cyber value.” (Elements are defined in greater detail in the Appendix.)

Figure 1

By aligning cybersecurity activities under the major elements of the cyber business value framework, an organization can gain a better perspective on how those activities interrelate and support overall business values. Discussions can be made more productive if the impact of a solution, activity, or service is examined from both an implementation and a business perspective.

In essence, cybersecurity value is defined as an organization’s overall commitment to or readiness for reducing the likelihood and severity of a cybersecurity event. It consists of two critical elements: cyber intelligence and cybersecurity strategic alignment. In other words, activities that raise the cyber intelligence of an organization’s cybersecurity program or increase the understanding of potential threats raise the overall cybersecurity value for the organization. Cybersecurity value equates to an organization’s cybersecurity readiness.

In order to achieve cyber business value, an organization must achieve mastery in the areas of asset management, hygiene, and resilience: its “cybersecurity posture.” These three areas define an organization’s commitment to cybersecurity. They are the foundation for creating an organization’s business value—and possibly helping the organization achieve a distinct competitive advantage. This requires the organization to have 1) high fidelity in the knowledge of what constitutes an asset or what is on a network, system, or resource; 2) the ability to deter cybersecurity incidents through measured management of assets, configuration, and access; and 3) the ability to withstand and recover rapidly from a disruption. (Variables that describe pre-incident preparedness, detection capabilities, and post-incident response and recovery capabilities are used in the calculation of cybersecurity resiliency.)

In addition, the cyber culture must be mature enough to ingest the value created by the posture. Cybersecurity culture is the ability of an organization to integrate cybersecurity activities and habits within its normal operations and business strategies. It is based on the commitment of resources, assignment of appropriate authorities, expressed value by leadership, and incorporation of cybersecurity practices within business operations. It is reflected in an organization’s efforts in

  • Maintaining an employee workforce that is cybersecurity aware and supports the cybersecurity objectives.
  • Maintaining a cyber workforce that is skilled in implementing security solutions as well as in detecting and responding to cybersecurity incidents.
  • Securing the support of senior leadership in awareness, executive-level commitment, and implementation.

Cybersecurity culture is the measure of how well cybersecurity is integrated in the collective consciousness of the organization. It goes beyond the expertise and capability of the cybersecurity workforce. It includes leadership’s commitment—in action, words, and deeds—to promote, encourage, and turn cybersecurity strategies into organizational practices. This includes empowering and making all employees accountable. All these components are required to create a cyber program that contributes, enhances, or—even better—creates business value. 

Whereas cybersecurity posture is an assessment of an organization’s cybersecurity capabilities from an implementation perspective, cybersecurity strategic alignment is the organization’s commitment to cybersecurity based on its capabilities. While cybersecurity posture measures how well an organization manages assets, keeps systems up to date with limited exposure, and is able to detect, respond to, and recover from an event, cybersecurity strategic alignment includes not only the technical capabilities but also the human commitment of leadership and the workforce.

Achieving a high level of cybersecurity strategic alignment enables implementation of an effective cybersecurity program. It is dependent on the organization’s cybersecurity posture and overall cybersecurity culture. For example, having a strong cybersecurity posture but lacking the capability, will, or commitment to implement cybersecurity would result in a low level of cybersecurity strategic alignment. A high level of alignment, however, creates an opportunity for the organization to access and use cybersecurity intelligence. 

Cybersecurity intelligence is an organization’s ability to remain aware of existing or new threat vectors that may affect business objectives. For a threat to make an impact, a threat actor must be able to exploit a vulnerability. Cybersecurity intelligence helps limit exposure by collecting intelligence on general and specific threats, as well as intelligence on known or potential vulnerabilities within the organization. 

Understanding the cyber business value framework has an additional value: It permits the assessment of an organization’s current state within the framework. By understanding their current state within the framework, organizations can focus on improving the components that create business value. They can, in essence, establish a “thumbprint,” or starting point, and reassess on a continual basis until they achieve their desired state. (Assessment criteria are provided in the Appendix.)

Assessment and Cybersecurity Thumbprint

Some organizations may already have measures in place that will help provide an assessment. These organizations may choose to use their own assessment criteria, augment them with those listed in the Appendix, or develop their own criteria based on their business objectives. In all cases, assessing the elements within the cyber business value framework will provide a common perspective for organizational leaders, managers, and implementers when they meet to discuss, collaborate, strategize, and plan.

Figure 2 illustrates a cybersecurity thumbprint for a sample company. In this example, the theoretical organization is compared to the hypothetical industry average. From the thumbprint, the organization can see that it is outperforming the community in asset management, leadership commitment, employee awareness, and cybersecurity workforce. If the organization is considering investing more in the program, it may want to examine solutions that will improve cybersecurity hygiene or threat intelligence before investing more in employee awareness. 

Figure 2

All organizations would like to reach the highest level of assessment in all categories. In terms of implementation, that is not always feasible or cost effective, but the cybersecurity thumbprint helps determine where to focus on improvement.

The thumbprint depicts the organization’s assessment across the constructs of the cyber business value framework. Organizations should first invest in the lower elements of the framework: asset management, cybersecurity hygiene, and cybersecurity resilience. Mastery must be achieved in these levels in order to fully utilize cyber intelligence and cybersecurity strategic alignment and provide business value. Additional insight can be gained when an organization is compared against an industry norm or competitors.

A valuable aspect of the thumbprint is the ability to assess and analyze proficiency in the framework elements by business unit. By understanding proficiency differences in a certain business unit, the CISO and senior management team can create a landscape view of the organization, permitting investments in weak areas and leveraging capabilities in strong ones across the enterprise.

Conclusion

Most organizations recognize the mission, financial, or reputational value of their operational investments. However, they struggle to consistently measure the ROI of their investments in cybersecurity. This difficulty is due partly to a natural tendency to view cybersecurity investments as solution-oriented necessities and not as strategic enhancements.

Using the cyber business value framework, organizations can align and map cybersecurity efforts to business values. Stakeholders, business leaders, and technical implementers will be able to identify, prioritize, and measure their cyber efforts. Different aspects of cybersecurity can be assessed with consistency and displayed through a cybersecurity thumbprint indicating cybersecurity value or readiness. The thumbprint can also be used to compare desired end-states, other business units, or industry averages to provide additional perspectives and assist in placing future investments.

Notes

1. “The C.E.O.’s Information Technology Challenge: Creating True Value,” Charles V. Callahan and Joseph Nemec Jr., Booz and Company, 1999. Available at https://www.strategy-business.com/article/10234?gko=92881.

2. “Toward a More Precise Concept of Information Technology,” J.A. Yannis Bakopoulos, MIT Sloan School of Management working paper, June 1985. Available at https://dspace.mit.edu/bitstream/handle/1721.1/49301/towardmoreprecis00bako.pdf;sequence=1.

3. Tech Trends 2016: Innovating in the Digital Era (various authors), Deloitte University Press, 2016. Available at https://www2.deloitte.com/content/dam/Deloitte/lu/Documents/technology/lu_en_techtrends_lux_15042016.pdf.

4. “Turning Cybersecurity into a Strategic Advantage,” Ashley Arbuckle, Cisco Blogs, October 20, 2016. Available at https://blogs.cisco.com/security/turning-cybersecurity-into-a-strategic-advantage.

5. “How to Prioritize Your Company’s Projects,” Antonio Nieto-Rodriguez, Harvard Business Review, December 13, 2016. Available at https://hbr.org/2016/12/how-to-prioritize-your-companys-projects.

6. “IT/OT Convergence: Bridging the Divide,” Derek R. Harp and Bengt Gregory-Brown, NexDefense white paper (undated). Available at https://ics.sans.org/media/IT-OT-Convergence-NexDefense-Whitepaper.pdf.


Appendix

(Appendix figures 1 through 7, containing the framework element definitions and assessment criteria referenced above, are not reproduced in this text.)

Stephany Head, Ph.D., has worked with the federal government and private industry in implementing enterprise risk management and corporate performance management programs for assessing large-scale IT investments. She also has supported global companies in the areas of strategic sourcing, supply-chain management, operational risk management, governance, policy development, and IT outsourcing.

Paul Cunningham has over 15 years of experience as a cybersecurity and risk management practitioner working in the federal government and industry. He has served in numerous leadership positions and has overseen the development and implementation of cybersecurity efforts within the Department of Energy, Department of Homeland Security, Department of Health and Human Services, and the Office of Management and Budget.