Value
Measuring cybersecurity value
But how can a company effectively measure its cybersecurity program and whether the actions taken add overall value? This is the question explored by Paul Proctor, VP and Distinguished Analyst at Gartner. Six years ago, he left his role as the Chief of Research for Risk and Security to join the finance team. “Now why would a security guy join the finance team? BECAUSE IT ALL COMES BACK TO MONEY AND VALUE!” he says, with emphasis.
Proctor observes that “Executive decision makers do not understand how cybersecurity supports their business outcomes and cybersecurity professionals are challenged to understand the business outcomes they support.” This is where customer value management can make all the difference. He explains that executives often are tempted to use metrics that do not reflect business value. For example, measuring the number of emails blocked each month does not measure value because the metric does not indicate why a number is high or low. A low number may reflect a month with fewer attacks while a higher number may indicate a company has been more effective in detecting cyberattacks.
Instead, Proctor says, “A value metric is one that we can invest in directly to change value delivery. In cybersecurity, that means an investment to improve the metric is an investment to improve a protection level.” He explains that cybersecurity metrics should:
Measuring the time it takes to patch vulnerabilities is one example of a critical value delivery metric. The reason? “We directly control it and an investment in changing it has demonstrable and measurable benefits to levels of protection. When you measure this, you have operationalized cybersecurity value delivery. Your metrics are a direct reflection of protection levels delivered. When they go up or down, so does value…and so does protection.”
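To make the time-to-patch metric concrete, here is an added worked example in Python (not from the article, Gartner, or Proctor) that computes it from a small set of constructed vulnerability findings. The Finding fields, the SLA_DAYS remediation targets and the sample records are all assumptions for illustration; the point is that the output (median age, findings closed within target, findings still open past target) moves only when remediation itself changes, which is what makes it a value metric in the sense described above.

```python
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Dict, List, Optional


@dataclass
class Finding:
    """One vulnerability finding in a tracker. Field names are assumptions."""
    finding_id: str
    asset: str
    severity: str           # "critical", "high" or "medium"
    opened: date            # date the finding was confirmed
    closed: Optional[date]  # date the patch was verified, None if still open


# Hypothetical remediation targets in days per severity. A real programme
# would take these from its own patching policy.
SLA_DAYS: Dict[str, int] = {"critical": 7, "high": 30, "medium": 90}


def days_open(f: Finding, as_of: date) -> int:
    """Age of a finding: opened -> closed, or opened -> as_of if still open.

    Ageing open findings against the reporting date means the metric cannot
    be improved by simply never closing tickets.
    """
    end = f.closed if f.closed is not None else as_of
    return (end - f.opened).days


def time_to_patch_report(findings: List[Finding], as_of: date) -> Dict[str, Dict[str, float]]:
    """Per severity: count, median age in days, closed findings that met the
    target, and open findings that have already blown through it."""
    report: Dict[str, Dict[str, float]] = {}
    for sev, target in SLA_DAYS.items():
        rows = [f for f in findings if f.severity == sev]
        if not rows:
            continue
        ages = [days_open(f, as_of) for f in rows]
        closed = [f for f in rows if f.closed is not None]
        report[sev] = {
            "count": len(rows),
            "median_days": median(ages),  # median resists one very old outlier
            "closed": len(closed),
            "closed_within_sla": sum(1 for f in closed if days_open(f, as_of) <= target),
            "open_past_sla": sum(1 for f in rows if f.closed is None and days_open(f, as_of) > target),
        }
    return report


# Constructed sample data for a reporting period ending 2024-03-31 (not real findings).
SAMPLE_FINDINGS: List[Finding] = [
    Finding("F-1", "web-01", "critical", date(2024, 3, 1), date(2024, 3, 5)),   # 4 days, met
    Finding("F-2", "web-02", "critical", date(2024, 3, 2), date(2024, 3, 14)),  # 12 days, missed
    Finding("F-3", "db-01", "critical", date(2024, 3, 20), None),               # 11 days open, overdue
    Finding("F-4", "app-01", "high", date(2024, 3, 1), date(2024, 3, 21)),      # 20 days, met
    Finding("F-5", "app-02", "high", date(2024, 3, 10), None),                  # 21 days open, within target
    Finding("F-6", "jump-01", "medium", date(2024, 1, 15), date(2024, 3, 30)),  # 75 days, met
]
AS_OF = date(2024, 3, 31)


def demo() -> Dict[str, Dict[str, float]]:
    """Run the report over the constructed sample so it can be inspected or tested."""
    return time_to_patch_report(SAMPLE_FINDINGS, AS_OF)


if __name__ == "__main__":
    for sev, row in demo().items():
        print(f"{sev:9s} n={row['count']} median={row['median_days']:.1f}d "
              f"closed_within_sla={row['closed_within_sla']}/{row['closed']} "
              f"open_past_sla={row['open_past_sla']}")
```

Two design choices matter for a metric that is meant to drive investment: the median rather than the mean, so one forgotten finding from last year does not swamp the picture, and ageing still-open findings against the reporting date, so the number can only improve by actually patching faster. An investment in patch automation or staffing shows up directly as a lower median and a shrinking open_past_sla count, which is the direct line from spend to protection level that the quote above describes.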
Volumetric measurement
Human cost: management can compare the areas most targeted by cyberattacks with the relative security investment in each to create a priority list for future cybersecurity expenditure. The same data can also be used to assess cybersecurity risk to the bottom line.
XDR helps protect existing security investments in two ways: mitigating the costs of siloed, disparate security solutions, and extending the value of security solutions at risk of obsolescence. The multivendor environment common in many organizations brings both noticeable and hidden costs. For example, silos created by security solutions that can’t communicate with each other automatically incur cost and time for manual integrations and cause employee burnout. XDR can break down these silos by serving as a hub that connects all deployed solutions, normalizing their data and mitigating integration costs.
An XDR solution shows that these investments are valuable when a security incident is detected and does not result in a breach.
A first value cluster in relation to cybersecurity is that of security. Security can be understood in a number of more specific ways, pinpointing different, more specific values that are part of this cluster, such as individual security or national security. In this cluster, I also locate the value of cybersecurity and a range of values closely related, or instrumental, to cybersecurity such as information security, and the confidentiality, integrity and availability of (computer) data.
A second relevant value cluster is privacy. This cluster contains, in addition to privacy, such values as moral autonomy, human dignity, identity, personhood, liberty, anonymity and confidentiality. Values in this cluster correspond to reasons (and norms), for example we should treat others with dignity, we should respect people’s moral autonomy, we should not store or share personal data without people’s informed consent, and we should not use people (or data about them) as a means to an end.