
Per Adrian Slywotzky and Karl Weber, “Risk is just an expensive substitute for information.” This is particularly true with respect to risk in IT operations where data abounds, but information is scarce. Understanding how to analyze and manage risks in IT operations should be a critical component of every company’s long-term strategy.

In general, companies have various ways of categorizing and quantifying business risk using performance data and business intelligence analytics. Based on those measurements, executives decide which risks they choose to accept and put in their financial backlogs, which risks they will transfer onto other entities via insurance or other forms of outsourcing, and which risks they choose to mitigate via control measures.


When it comes to cyber security risks, however, the equation is a little more complicated. In fact, asking how much your IT security is costing you is unproductive and the wrong question to ask.

So what should you be focusing on instead?

The Costs of IT Security

How much IT security is costing your organization can generally be broken down into four major factors:

1. The expenditures related to securing your IT environment. This includes the price of security infrastructure such as firewalls and antivirus software, the salaries of security staff, outsourced vendors, and the cost of training programs.

2. The inefficiencies and inconveniences created by these security controls. All too often security is still considered an impediment to business operations. The “cost” is therefore often measured as the productivity lost when employees must take additional steps to get something done securely, or must attend required training programs. Where this is the predominant perspective, the cost of insecure practices is seldom weighed against these measures.

3. The opportunity cost of investing money in cyber security risk mitigation that could be used for other purposes. Business managers are expected to manage for a positive return on assets. Where this return is not measured, it is obviously difficult to manage.

4. The risk adjustment on the returns of relevant company investments. While this is not strictly a measure of cyber risk, the financial method tries to get at how much to devalue a return based on the cost of capital (a measure of financial risk). Similarly, if a company employed highly risky cyber security practices in order to get a high return, that return could be risk-adjusted downward. In practice this never happens, as there is no agreed-to measure of cyber risk, and this is why I think you are… asking the wrong question.

You’re Asking the Wrong Question

Estimating the costs of the first two categories (above) of IT security measures is straightforward enough. The third is doable, and the fourth… nobody really knows how to do. Even more difficult is understanding whether the amount spent is proportional, in financial terms, to the risks the organization actually faces.

With a multitude of threats and malicious actors, there is no reliable way to understand the potential costs of a cyber attack until after it’s already occurred. The compromise could have secondary repercussions that are even harder to measure, such as lost customers, sinking stock prices and business deals that fall through. 

One needs only to look as far as 2016’s Verizon Communications Inc. still-pending acquisition of Yahoo! Inc. to know that cyber security incidents pose real financial risks to organizations. Yet predicting their magnitude is not possible without doing an extensive amount of laborious risk analysis using a method such as FAIR (which, if you want to go down this path, I highly recommend over other methods).

As such, IT security spending often creates tension in the C-suite between the CFO, who wants to understand why the budget is so high, and the CISO, who attempts to justify the spending measures by claiming a reduced possibility that a costly event will occur. The CFO and CISO are caught in a push-pull dynamic as they seek to minimize or maximize the security budget, and they don’t have a common metric by which to measure cyber security performance.

Therefore, wondering how much IT security costs your organization is the wrong question to be asking. Instead, you should be measuring cyber security risk metrics and comparing those to how much you’re spending on IT security. By understanding how risk is trending and the underlying security events that are driving it, you can gain a level of confidence that the spending level is appropriate.

You will likely never know whether IT security costs more than what you get back from it — there, I said it — but you can measure indicators of risk to know whether you are mitigating the risks you think you are. Once you have established metrics that everyone (technical and non-technical) agrees are appropriate, you can show how the security infrastructure affects these metrics, and you can adjust investments in technology, processes and people accordingly. It is the “easy road” to getting onto the same page with business and financial managers.

In the long term, you can watch how these indicators are trending and get a better sense of what this means for your IT environment. As long as your risk-adjusted return for an investment is more than the net present value that you’ve invested in it, then it’s a good investment to make. 

I’m joking… you’ll never be able to calculate this, but you will be able to show how data-driven risk trends compare to investments, and that is a much better place from which to have the “how much” conversation than jargon or statistics.

Final Thought

If there’s one key lesson to be learned here, it’s that you need to stop arguing about the cost of IT security with business managers and start discussing metrics all sides agree on. Without a common understanding and vocabulary, it’s impossible to know whether you’re spending too much or too little to control your cyber security risks—and your budgets will continue to come under attack.

Do what your CFO does: present irrefutable and understandable measures of security risk or performance, together with data-driven cause and effect drivers, and let the digits do the talking.

About FourV Systems
FourV is dedicated to improving the operational performance of IT security programs by empowering leadership to make decisions instead of spending time analyzing data.