Tangible business metrics are key but hard to find
Cybersecurity is rising as a key issue on the radar of virtually all organisations. According to a recent AT Kearney report, cyber-attacks have been topping executives’ lists of business risks for three straight years. This concern is also driven by security and privacy becoming increasingly valued by customers, and by regulators stepping into the topic (GDPR in Europe, California Consumer Privacy Act of 2018).
Beyond this, it is now becoming crystal clear that cybersecurity – beyond good practice and good ethics – is quite simply good business. As a recent Cisco study made clear, cybersecurity will help fuel (and protect) an estimated $5.3 trillion in private sector digital Value at Stake in the next 10 years. These are the kind of numbers boards cannot afford to overlook.
Tangible estimates like this one, however, are painfully rare in the cybersecurity space. Indeed, concepts relating to cybersecurity are both multifaceted and very elusive – making them notoriously hard to measure. Furthermore, good cybersecurity is defined by the absence of breaches or losses. Observing what is not happening is a challenging – if interesting – endeavour.
A striking example of this measurement problem can be found in recent BCG research on Total Societal Impact. To their credit, cybersecurity is mentioned fairly extensively throughout the report as a key component of a firm’s ESG (Environmental, Social & Governance) strategy – although not consistently across industry sectors.
The issue arises when it comes to quantifying that intuition. BCG, for example, reports finding a significant link between “Securing business and personal data” and a firm’s valuation. Looking into the appendix of the report, the problem is that this concept seems to be operationalized through a series of somewhat vague dummy (0/1) variables. Examples of such metrics include whether “measures to ensure customer security” have been taken, or whether an information security management system has been implemented.
This is not only overly simplistic – hiding key nuances in levels of cybersecurity maturity across firms – but it also encourages the “tick-in-the-box” approaches to cybersecurity which have plagued the field for ages. Tellingly, no quantitative results are actually presented for cybersecurity in the report.
This lack of detail around quantifying the tangible value of following cybersecurity best practices is a problem. In fact, we believe it is an important reason why the issue is still shifting in and out of most boards’ radars. Gut feeling alone does not make for a strong enough case: top executives are increasingly asking “Show me the data”.
Beyond the fact that measuring success in cybersecurity is very hard, another issue is the acute lack of meaningful data.
This is a really big problem in the field of cyber insurance, for example, which struggles to fit its traditional actuarial models around the scarce data it can get hold of. The reason for that is quite simple: most organizations are still very reluctant to share what they perceive as highly sensitive cybersecurity data (assuming they even have it to start with).
We also talked about this problem in the context of training defensive AI for cybersecurity, but this scarcity of reliable InfoSec data more generally hinders much-needed research and results.
Being able to show key stakeholders, in business terms, exactly what the tangible added value of cybersecurity is will be key in finally anchoring the topic at the right level of organizations.
Money – and data – talk. And boards usually listen. But we’re not there yet, and cybersecurity definitely looks like a promising path for data-driven research.