登录查看更多内容

How do you measure and communicate the value of cybersecurity investments?

由人工智能和领英社区提供技术支持

Cybersecurity risk assessment and mitigation are essential components of any IT strategy, especially in today's complex and dynamic threat landscape. But how do you measure and communicate the value of your cybersecurity investments to your stakeholders, such as senior management, board members, customers, and regulators? In this article, we will explore some of the key concepts and best practices for cybersecurity value measurement and communication, and how they can help you align your cybersecurity goals with your business objectives.

此文章中的业界达人

由社区从 5 条内容中精选。了解更多

Hanns-Christian Hanebeck

Supply Chain | Innovation | Next-Gen Visibility | Blockchain | AI & Optimization | Strategy

1 Define your cybersecurity value proposition

The first step in measuring and communicating the value of your cybersecurity investments is to define your cybersecurity value proposition, or how your cybersecurity activities contribute to your organization's mission, vision, and strategy. Your cybersecurity value proposition should be aligned with your business value proposition, or how your organization creates and delivers value to your customers and other stakeholders. For example, if your business value proposition is based on innovation, quality, and trust, your cybersecurity value proposition should reflect how your cybersecurity efforts enable and protect those aspects of your business.

添加您的观点

Hanns-Christian Hanebeck

Supply Chain | Innovation | Next-Gen Visibility | Blockchain | AI & Optimization | Strategy
举报内容
The value proposition for cybersecurity is very simple, in fact. Security is the absence of problems and as such it means that security enables a business to operate. This is at the most fundamental level of management. Communicating this isn't as easy, of course. You may ask whether you would let your people work without computers or without a proper environment and most executives and board members will likely tell you: Of course, not. Measuring the effectiveness of security investments necessarily needs to be based on what your threat matrix looks like. A good way to approach this is the use of white knights who attack your systems and tell you how they did it. Continuous improvement over long periods of time can then be measured.

已翻译

赞

2 Identify and prioritize your cybersecurity risks

The next step in measuring and communicating the value of your cybersecurity investments is to identify and prioritize your cybersecurity risks, or the potential negative impacts of cyber threats on your organization's assets, operations, and reputation. You can use various frameworks and methodologies to conduct a cybersecurity risk assessment, such as the NIST Cybersecurity Framework, the ISO 27001 standard, or the FAIR model. The key is to identify the most relevant and significant risks for your organization, based on your business context, objectives, and priorities. You should also consider the likelihood and severity of each risk, as well as the existing controls and gaps in your cybersecurity posture.

添加您的观点

Hanns-Christian Hanebeck

Supply Chain | Innovation | Next-Gen Visibility | Blockchain | AI & Optimization | Strategy
举报内容
Not to forget the economic consequences of successful attacks. Risk always needs to be seen in the context of what the harm and cost of attacks will be. This is not trivial, of course, and you need far-reaching agreement on your threat and consequence assessments is pivotal. We leverage the NIST Framework and it is very useful in this context.

已翻译

赞

3 Select and implement your cybersecurity solutions

The third step in measuring and communicating the value of your cybersecurity investments is to select and implement your cybersecurity solutions, or the tools, processes, and practices that you use to mitigate your cybersecurity risks. Your cybersecurity solutions should be based on your risk assessment and your cybersecurity value proposition, and should be aligned with your IT strategy and architecture. You should also consider the costs, benefits, and trade-offs of each solution, as well as the metrics and indicators that you will use to monitor and evaluate their performance and effectiveness.

添加您的观点

Hanns-Christian Hanebeck

Supply Chain | Innovation | Next-Gen Visibility | Blockchain | AI & Optimization | Strategy
举报内容
Well said. There are a myriad of tools out there and attack vectors vary greatly over time. You see new exploits, zero days and breaches every day. This necessitates a constant evaluation of tools at your disposal. It comes down to creating a portfolio of cybersecurity measures and tools, but should also include specific and actionable contingency plans as well as extensive employee training across all levels of the organization. The best tools won't help much if your organization cannot respond quickly and decisively. Last, it is important to ensure that your tools do not impede your ability to defend against treats and attacks. You need to ensure that they all work well together.

已翻译

赞

4 Measure and report your cybersecurity outcomes

The fourth step in measuring and communicating the value of your cybersecurity investments is to measure and report your cybersecurity outcomes, or the results and impacts of your cybersecurity solutions on your organization's assets, operations, and reputation. You should use a combination of quantitative and qualitative measures, such as key performance indicators (KPIs), key risk indicators (KRIs), return on investment (ROI), cost of risk (COR), customer satisfaction, and stakeholder feedback. You should also use a consistent and transparent methodology and framework to calculate and communicate your cybersecurity outcomes, such as the NIST Cybersecurity Measurement Framework, the ISO 27004 standard, or the Balanced Scorecard.

添加您的观点

Hanns-Christian Hanebeck

Supply Chain | Innovation | Next-Gen Visibility | Blockchain | AI & Optimization | Strategy
举报内容
Again, this is very hard to do since the best possible outcome is that nothing bad happens. You can measure how well you respond to attacks or that you have avoided attacks similar organizations may have experienced, but at the end of the day there needs to be trust that the cybersecurity team is doing its job. How do you measure the absence of problems? In my humble opinion, it is far better to measure the progress your organization makes over time and how it responds to attacks by white knights or actual attackers. Balanced scorecard is an interesting idea in this context.

已翻译

赞

5 Communicate your cybersecurity value story

The final step in measuring and communicating the value of your cybersecurity investments is to communicate your cybersecurity value story, or the narrative that explains how your cybersecurity activities support and enhance your organization's value creation and delivery. Your cybersecurity value story should be tailored to your audience, such as senior management, board members, customers, and regulators, and should use clear, concise, and compelling language and visuals. You should also highlight the achievements, challenges, and opportunities of your cybersecurity program, and how they relate to your organization's strategic goals and priorities.

添加您的观点

Hanns-Christian Hanebeck

Supply Chain | Innovation | Next-Gen Visibility | Blockchain | AI & Optimization | Strategy
举报内容
Absolutely. This is absolutely key and cyber security is an ongoing initiative that is never done. Creating an awareness around this takes many forms ranging from discussions about successful attacks on similar organizations to education about the consequences.

已翻译

赞

IT Strategy

+ 关注

给文章评分

我们借助人工智能创建了此文章。您认为这篇文章怎么样？

很棒不太好

举报此文章

查看全部

How do you measure and communicate the value of cybersecurity investments?

1

2

3

4

5

1 Define your cybersecurity value proposition

2 Identify and prioritize your cybersecurity risks

3 Select and implement your cybersecurity solutions

4 Measure and report your cybersecurity outcomes

5 Communicate your cybersecurity value story

IT Strategy

给文章评分

感谢您的反馈

更多IT Strategy相关文章

更多相关阅读内容

How do you measure and communicate the value of cybersecurity investments?

1

2

3

4

5

1 Define your cybersecurity value proposition

2 Identify and prioritize your cybersecurity risks

3 Select and implement your cybersecurity solutions

4 Measure and report your cybersecurity outcomes

5 Communicate your cybersecurity value story

IT Strategy

给文章评分

感谢您的反馈

查看其他技能