How Cyber Impacts Business, and Can We Expect any R.O.I?

Executives and key business stakeholders consistently question the need for cybersecurity staff, processes, and technologies. I've sat through many meetings where a cyber professional pulls up a slide and fires off a six-figure funding request for some tool that is supposed to be an end-all-be-all cybersecurity solution. The business professionals immediately cite the proposal as unfounded, and the technologist holds firm to the claim that they are merely attempting to reduce the complexity of the cyber problem through technology.


After all, isn't automated cyber the way to go? Yes, I'm joking! 


The cyber value proposition is an endless debate, leading to countless discussions around actual need! 


Do cyber costs provide a return for the Business, or are funding requests simply a ploy to add more cushion to the cybersecurity cost center? Let's walk through the topic and understand what impacts cyber has on business operations and if the Business can expect a return on its investment. 


Cybersecurity: A Support Function or Core Business?


Let's piss off the hackers, terminal tyrants, and the cyber kill chain gurus! 


Yes, I will say this because I fear no one else will!


'Information Technology (IT) and cybersecurity are usually not a company's core business function. Rather, IT and cybersecurity assist in delivering products and services to the marketplace, making them both support functions'. 


-Some Guy 


This is not to say that IT & Cyber are not crucial to a company's success! 


After all, one of the many benefits of technology is its ability to support the Business's ability to scale, and scaling can often lead to increased revenues and profits. As a result, we can argue that scalability is one of the main reasons for a company to deploy technology. 


If executives could identify a new solution that provided the same cost-benefits, they would leave tech in the dust! 


Never forget that! 


So How Does Cyber Impact The Overall Business?


Cybersecurity can improve public trust, streamline regulatory compliance efforts, and limit fraud, waste, and abuse. If mishandled, the function can increase the operational and strategic risk for the Business and its executives. Mishandling can also lead to ballooning budgets and the inability to limit the number of successful compromises to business operations.


Ballooning budgets but no security? Yep! 


But at least we were able to complete the buzzword bingo puzzle during yesterday's call. Right boss? 


Sounding brilliant has never equated to providing S.M.A.R.T solutions. The devil is always found in the details and unfortunately, so is any reasonable solution to a problem.


Businesses live or die by their ability to manage costs. No money, no business! Knowing this to be the case, cyber professionals must always keep the cost of doing Business at the forefront of any solution or strategy that we propose. It's the responsible thing to do and aligns directly with our fiduciary duties! 


How do we keep the Business at the Forefront of our Cyber strategy, tactics, and techniques? 


Business professionals are often quick to point out that technologists have very little knowledge of the business environment in which they operate. 


While I wholeheartedly agree, the same can be said for the Business professionals within the same organization. Business Units are frequently siloed, having no understanding of their Business's interconnectivity and how that impacts delivery. 


We have to fix the lack of communication, but how should we approach it? Well, for one, the organization in question should have performed both of the following: 


Enterprise Architecture Review (EA): Enterprise architecture (EA) is a discipline for proactively and holistically leading enterprise responses to disruptive forces by identifying and analyzing the execution of change toward desired business vision and outcomes. [ reference ] 


Business Impact Analysis (BIA): A business impact analysis (BIA) determines the criticality of business activities and associated resource requirements to ensure operational resilience and continuity of operations during and after a business disruption. [ reference ] 


You might be thinking that this is a lot of work! Are you saying that the Business should document its long-term strategic objectives and identify its critical business processes? Yes. How else can the Business expect IT and cyber to develop solutions that support it? 


Let's Address our initial question at the onset of this writeup.


As a reminder, we posed the following question at the beginning of this blog post: 

  1. Do cyber costs provide a Return On Investment (ROI) for the Business?


Because cyber is a risk function, it is often hard to quantify its ROI. Like car insurance, its value is only evident when there is a catastrophic event. 


However, this is not the optimal approach towards evaluating cyber expenditures or establishing value for the cybersecurity function.


Two approaches should be taken when establishing the ROI for cybersecurity costs. One method should be qualitative and the other quantitative in nature. The qualitative method should focus on meeting the goals of the organization, for example:


  • No compromise or loss of sensitive information
  • Maintain GDPR Regulatory Compliance
  • Application of Mandatory Access Controls to limit access to sensitive data based on a need-to-know 


Because the EA and the BIA give corporate objectives and identify critical Business Processes and systems, we can use them to derive our qualitative measures. 


Can we create a subset of quantitative measures for security that would express an equitable ROI? 


Yes, We Can! 


The data points should be centered on achieving process efficiencies while maintaining a consistent security posture. For example, the organization might require IT professionals to manually apply patches to information systems across the entire enterprise. 


To gain efficiencies, we could create a batch job that retrieves patch files, applies them in a test environment, produces a report, and stages the change for production if the tests pass. 


Thanks to automation, our proposed change allows us to maintain the patch management process while scaling it. Our metric, as a result, could be twofold:


  • Hours required to perform patching of information systems [FTE Cost]
  • Percentage of systems that have up-to-date patches applied (measured against the patch policy's deadlines)


The goal would be to reduce operational expenditure through automation and improve the percentage of systems that comply with the patch management policy. 
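To show how those two metrics and the resulting ROI can actually be derived from data, here is an added worked example in Python. It is not tooling from this post or its author: the host inventory, patch list, SLA windows (critical within 14 days, everything else within 30), hourly rate, automation cost and per-host effort figures are all constructed assumptions, chosen only to illustrate the calculation.

```python
"""Patch-management metrics and ROI over a constructed inventory.

Added illustration, not the post's own tooling.  Derives the two metrics the
text proposes (FTE hours spent patching; percentage of hosts that meet the
patch policy) and turns the FTE reduction into an annual saving and ROI.
All hosts, patches, rates and timings are assumed sample values.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date


@dataclass
class Patch:
    pid: str
    released: date
    severity: str  # "critical" or "other"


@dataclass
class Host:
    name: str
    installed: set[str] = field(default_factory=set)  # patch IDs already applied


# Assumed policy: critical patches within 14 days of release, all others within 30.
SLA_DAYS = {"critical": 14, "other": 30}


def is_overdue(patch: Patch, today: date) -> bool:
    """A patch is overdue once its SLA window since release has elapsed."""
    return (today - patch.released).days > SLA_DAYS[patch.severity]


def patch_compliance(hosts, patches, today):
    """Metric 2: hosts with no overdue patch missing. Returns (compliant, total, percent)."""
    compliant = 0
    for host in hosts:
        overdue_missing = [p.pid for p in patches
                           if p.pid not in host.installed and is_overdue(p, today)]
        if not overdue_missing:
            compliant += 1
    total = len(hosts)
    percent = round(100.0 * compliant / total, 1) if total else 0.0
    return compliant, total, percent


def annual_patch_hours(n_hosts, cycles_per_year, hours_per_host, fixed_hours_per_cycle=0.0):
    """Metric 1: labour hours per year. Manual effort scales with host count;
    the automated pipeline replaces most of it with a flat per-cycle review."""
    return cycles_per_year * (n_hosts * hours_per_host + fixed_hours_per_cycle)


def automation_roi(manual_hours, automated_hours, hourly_rate, automation_cost):
    """Annual labour saving and simple first-year ROI ratio for the automation project."""
    saving = (manual_hours - automated_hours) * hourly_rate
    return saving, (saving - automation_cost) / automation_cost


# Constructed sample data (assumed, not taken from the post).
TODAY = date(2022, 4, 17)
PATCHES = [
    Patch("KB-1001", date(2022, 3, 1), "critical"),   # 47 days old: overdue
    Patch("KB-1002", date(2022, 4, 1), "other"),      # 16 days old: within SLA
    Patch("KB-1003", date(2022, 4, 10), "critical"),  # 7 days old: within SLA
]
HOSTS = [
    Host("web-01", {"KB-1001", "KB-1002", "KB-1003"}),
    Host("web-02", {"KB-1002"}),   # missing the overdue critical patch
    Host("db-01", {"KB-1001"}),    # missing only patches still inside their SLA
    Host("jump-01"),               # nothing installed at all
]


def report():
    """Both metrics plus the ROI figures for a 200-host estate patched monthly (assumed)."""
    compliant, total, pct = patch_compliance(HOSTS, PATCHES, TODAY)
    # Assumed: 30 min per host by hand versus ~1 min per host plus 4 h review per automated cycle.
    manual = annual_patch_hours(200, 12, 0.5)
    automated = annual_patch_hours(200, 12, 0.02, fixed_hours_per_cycle=4.0)
    saving, roi = automation_roi(manual, automated, hourly_rate=75.0, automation_cost=30_000.0)
    return {"compliant": compliant, "total": total, "compliance_pct": pct,
            "manual_hours": manual, "automated_hours": automated,
            "annual_saving": saving, "first_year_roi": roi}


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

The compliance metric is deliberately policy-driven: a host missing a patch that is still inside its SLA window counts as compliant, so the number reflects the policy the Business agreed to rather than a raw "everything installed" count. Swap the constructed inventory for an export from your patch or asset system and the same two functions give the numbers to put in front of the finance team.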


Our little project has improved our program qualitatively (a consistently patched estate) and reduced, in measurable terms, the personnel cost of managing the activity. 


Sounds easy on paper, doesn't it! 


Conclusion



In closing, cybersecurity plays a vital role in reducing operational risk from the perspective of Business owners. It can also improve brand reputation and establish trust amongst the client base. However, Business processes must be well defined and communicated to IT and cyber. 


As cyber professionals, we must remember that profitability comes first and develop cost-effective solutions that meet the needs of the Business. 


I would love to hear your thoughts on the matter. 


By Gideon Israel April 17, 2022