18 Factors And Metrics To Show The Value Of Cybersecurity Initiatives
Expert Panel® Forbes Councils Member
Forbes Technology Council, Council Post (membership is fee-based)
While a CSO or tech leader’s C-suite colleagues understand the importance of cybersecurity, they’re often primarily focused on the bottom line. They may even ask, “But is it necessary to spend the resources we do on these efforts?”
The ability to explain, in terms comprehensible to laypersons, both the companywide and specific outcomes and protections of dedicated cybersecurity initiatives is an essential (and inescapable) part of any CSO’s—and indeed, most tech leaders’—roles. Below, 18 members of Forbes Technology Council detail both broad and specific factors and metrics that show the value of, progress on and need for robust cybersecurity initiatives.
1. Time Saved For Team Members
Security is often seen as a roadblock, not an enabler. Security should focus on what is important to the organization and then figure out how to best secure it. For example, long passwords with ridiculous complexity requirements that must be changed every 90 days are a chore and work against cybersecurity culture (and actual security). Move to passwordless, keys and/or invest in hardware, and everyone is better off. – Tim Medin, Red Siege
2. Team Members’ Cybersecurity Savvy
An often-overlooked way to evaluate an organization’s progress is by assessing the cybersecurity capabilities of its employees. Security awareness training test results provide an excellent lens for measuring employees’ threat awareness and knowledge of best practices. As every organization’s last line of defense, a more security-savvy workforce can be a very powerful indicator of progress. – Eyal Benishti, IRONSCALES
3. Time To Value
Time to value is an essential metric. Selecting a security information and event management solution that’s integrated with other security controls, for instance, significantly reduces the time to react to a breach. A central goal in cyber defense is responding swiftly to mitigate a breach that could potentially break your business. A modern SIEM collects and analyzes security data and provides an automated response, ensuring faster time to value. – Jesper Zerlang, Logpoint
4. Reduced Risk Of Financial, Reputational And Legal Damage
Cybersecurity should always be a business priority. If done correctly, organizations can significantly reduce their chances of undergoing a significant cyberattack and prevent any financial, reputational and even legal consequences, all while improving operations. With ransomware attacks and data breaches on the rise, implementing a strong security culture from top to bottom is absolutely key. – Daniel Schiappa, Arctic Wolf
5. Compliance With Government Regulations
Senior managers must be convinced that cybersecurity is a business enabler. Given the growing threats against information privacy, integrity and availability, proper cybersecurity is a necessity—a cost of doing business. To ensure that cybersecurity is taken seriously, regulators, such as the U.S. Securities and Exchange Commission and the European Privacy Board, are ready with huge fines and other punitive measures for businesses not in compliance. – Howard Taylor, Radware
6. Success In Thwarting Unauthorized Access
Highlight the reduction of successful unauthorized access attempts. By utilizing leaked passwords and dark Web databases, tech leaders can proactively flag compromised user accounts, prompting resets before breaches occur. Additionally, implementing IP blocking and rate-limiting measures to thwart brute-force login attempts adds another layer of security. – Adam Ayers, Number 5
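The two controls named above (flagging accounts whose password appears in a leak corpus, and rate-limiting or blocking sources that brute-force the login form) can both sit in the authentication path. The example below is added here and is not code from the original article or from the contributor; the leak corpus, the accounts, the IP addresses and the weighting thresholds are constructed for illustration. The leak check follows the k-anonymity range-query pattern (only the first five hex characters of the SHA-1 leave the client), the rate limiter is a sliding window with a temporary block per source IP, and the password store uses PBKDF2 rather than a fast hash.

```python
import hashlib
import hmac
import os
from collections import defaultdict, deque

# --- 1. Leaked-password check, k-anonymity style -------------------------
# Constructed stand-in for a breach corpus (hypothetical; a real deployment
# would query a breach dataset such as Have I Been Pwned's range endpoint).
LEAKED_PASSWORDS = ["password", "123456", "letmein", "qwerty", "Summer2023!"]

def sha1_hex(text: str) -> str:
    return hashlib.sha1(text.encode("utf-8")).hexdigest().upper()

# Index the corpus by the first five hex characters of the SHA-1, the way a
# range endpoint serves it: the client sends only the prefix and receives every
# suffix in that bucket, so the full password hash never leaves the client.
LEAKED_INDEX: dict = defaultdict(set)
for _pw in LEAKED_PASSWORDS:
    _h = sha1_hex(_pw)
    LEAKED_INDEX[_h[:5]].add(_h[5:])

def range_lookup(prefix: str) -> set:
    """Server side of the range query: every known suffix for one prefix."""
    return LEAKED_INDEX.get(prefix, set())

def is_password_leaked(password: str) -> bool:
    """Client side: send the 5-char prefix, match the suffix locally."""
    digest = sha1_hex(password)
    return digest[5:] in range_lookup(digest[:5])

# --- 2. Sliding-window failure limit with temporary block per source IP --
class LoginRateLimiter:
    def __init__(self, max_failures=5, window_seconds=60, block_seconds=300):
        self.max_failures = max_failures
        self.window = window_seconds
        self.block = block_seconds
        self._failures = defaultdict(deque)   # ip -> timestamps of failures
        self._blocked_until = {}              # ip -> time the block lifts

    def _prune(self, ip: str, now: float) -> deque:
        q = self._failures[ip]
        while q and q[0] <= now - self.window:
            q.popleft()
        return q

    def allow(self, ip: str, now: float) -> bool:
        if now < self._blocked_until.get(ip, 0.0):
            return False
        return len(self._prune(ip, now)) < self.max_failures

    def record_failure(self, ip: str, now: float) -> None:
        q = self._prune(ip, now)
        q.append(now)
        if len(q) >= self.max_failures:
            self._blocked_until[ip] = now + self.block

# --- 3. Login path combining both controls -------------------------------
def make_record(password: str, salt=None) -> dict:
    """Slow salted hash for storage; plaintext is only in hand at login time."""
    salt = salt or os.urandom(16)
    return {"salt": salt,
            "hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)}

def verify(record: dict, password: str) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], 100_000)
    return hmac.compare_digest(candidate, record["hash"])

_DUMMY = make_record("dummy")  # verified for unknown users so timing is uniform

def authenticate(username, password, ip, now, users, limiter) -> str:
    """Returns one of: rate_limited, invalid_credentials, reset_required, ok."""
    if not limiter.allow(ip, now):
        return "rate_limited"
    record = users.get(username)
    ok = verify(record if record is not None else _DUMMY, password) and record is not None
    if not ok:
        limiter.record_failure(ip, now)
        return "invalid_credentials"
    # A successful login is the one moment the plaintext is available, so the
    # leak check runs here; a hit forces a reset before the session is granted.
    if is_password_leaked(password):
        return "reset_required"
    return "ok"

# Constructed user store (hypothetical accounts).
USERS = {
    "alice": make_record("Summer2023!"),          # appears in the leak corpus
    "bob": make_record("kettle-orbit-wren-42"),   # not in the corpus
}
```

The metric the contributor suggests falls out of this code directly: count `reset_required` outcomes (compromised credentials caught before use) and `rate_limited` outcomes (brute-force sources stopped), and report both per month.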
7. Protection Against Long-Term Downtime
“How long could you live without your computer?” is an effective scare tactic. Leaders who don’t have time to focus on cybersecurity may not understand that if they’re compromised, they have to stop working. I don’t know any executive who’d be okay with an unscheduled period of time when they can’t use any of their devices. Appeal to their need to stay online, and they’ll commit to the initiative. – Lewis Wynne-Jones, ThinkData Works
8. Faster Detection And Correction Of Security Issues
Measure how fast the team can find and fix security problems. Think of it like a fire alarm: The faster you know there’s a fire, the quicker you can put it out. If tech leaders can show they are getting faster at finding and fixing security issues, that’s a good sign they are making the company safer. This is something everyone can understand—even if they’re not tech experts. – Margarita Simonova, ILoveMyQA
9. A Threat Mitigation Report (And The ‘Why’ Behind Efforts)
By creating visibility, sharing threat mitigation reports and explaining the “why” in relatable terms (my personal favorite is to use real-life analogies), CSOs can successfully bring their nontechnical peers along on the journey. Engaged employees will always be interested in a subject if they can connect the dots on how it impacts their domain and the greater business. – Rahul Rao, Understood.org
10. Business Impact And Tech-Related Risk Analysis
Think of cybersecurity spending as an investment, not an expense. It’s like insurance for your business results. Business impact analysis and technology-related risk analysis can facilitate the valuation of an incident occurrence. The dollar amounts that would be lost to ransomware, reputation damage, downtime, loss of data and drop in share value can all be estimated, and the necessary costs can be allocated to security. – Robert Strzelecki, TenderHut
11. Continuous Visibility
The most straightforward point is to discuss continuous visibility. In most organizations, losing the ability to track assets, vulnerabilities and configurations causes risks. When this data is accurately captured, an organization can remove blind spots. I would also design a comparative model that shows protection over time compared to risk and explain how the outcome matures cybersecurity. – Dewayne Hart, SEMAIS
12. A Cybersecurity Resilience Index
CSOs can develop a cybersecurity resilience index, which assesses an organization’s ability to withstand cyberattacks and recover swiftly. This index can encompass factors including incident response times, employee training effectiveness and system recovery rates. A rising index score can signify improved cyber resilience, which is crucial for maintaining business continuity and minimizing financial losses. – Jagadish Gokavarapu, Wissen Infotech
13. Mean Time To Detect
Tech leaders can highlight the mean time to detect, or the average time it takes to detect a security threat. A shrinking MTTD over time shows heightened vigilance and improved detection capabilities, which directly correlates to reduced risk. By showcasing a tangible reduction in this metric, CSOs can translate cyber progress into a language that the C-suite understands. – Marc Rutzen, HelloData.ai
14. Progress Toward Annual Audits And Security Certifications
Progress toward annual audits and security certifications can be a useful measurement of cybersecurity progress. These audits and certifications require meeting many specifications and standards, which can be tracked in a transparent fashion to quantify your investment in cybersecurity. – Syed Ahmed, Act-On Software
15. Compliance With Industry-Specific Standards
Tech leaders can highlight their organization’s compliance with industry-specific cybersecurity standards and regulations. Meeting the requirements set forth by relevant authorities showcases a commitment to cybersecurity best practices. It also indicates a proactive approach to safeguarding sensitive data and ensures that the organization’s management of sensitive data aligns with evolving cybersecurity regulations. – Cristian Randieri, Intellisystem Technologies
16. A Resilience Score
Tech leaders can leverage the “resilience score” concept. This is an innovative metric that combines system uptime, user training completion rates and successful mock breach defenses. A rising score indicates fortified cybersecurity and paints a vivid picture for those focused on the bottom line, showcasing the synergy of technology and human readiness. – Amitkumar Shrivastava, Fujitsu
17. A Vulnerability Risk Rating
In the same way a credit score represents a person’s creditworthiness, a vulnerability risk rating represents the risk that vulnerabilities pose to an organization. The higher the risk, the higher the VRR. Using this analogy has helped me in multiple instances better explain the importance of cybersecurity to those who aren’t knowledgeable about tech. – Sirjad Parakkat, Ivanti
18. Number Of Unresolved Vulnerabilities
One of the tangible metrics for demonstrating progress in cybersecurity initiatives is the number of unresolved vulnerabilities within a system or network. As this number decreases, it signifies that security measures are effectively patching and protecting potential breach points, safeguarding company data and assets. – Sandro Shubladze, Datamam
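Items 8, 13, 17 and 18 above all describe numbers that have to be computed from incident and vulnerability records before they can go on a slide. The block below is an added example and not code from the article or any of the contributors: it computes mean time to detect and mean time to resolve per quarter, the unresolved-vulnerability count by severity, and an illustrative vulnerability risk rating. The incident and vulnerability records are constructed, and the VRR weighting (CVSS multiplied by an exposure factor and an age factor) is an assumption for illustration, not any vendor's formula.

```python
from collections import Counter
from datetime import datetime
from statistics import mean

# Constructed incident records (hypothetical data). "occurred" is the first
# attacker action established by the investigation, "detected" is when the
# alert was raised, "resolved" is when containment finished.
INCIDENTS = [
    {"id": "INC-1", "occurred": "2024-01-03T00:00", "detected": "2024-01-05T00:00", "resolved": "2024-01-06T00:00"},
    {"id": "INC-2", "occurred": "2024-02-10T00:00", "detected": "2024-02-11T12:00", "resolved": "2024-02-12T00:00"},
    {"id": "INC-3", "occurred": "2024-04-01T00:00", "detected": "2024-04-01T06:00", "resolved": "2024-04-01T18:00"},
    {"id": "INC-4", "occurred": "2024-05-20T00:00", "detected": "2024-05-20T02:00", "resolved": "2024-05-20T08:00"},
]

# Constructed vulnerability backlog (hypothetical findings, not real CVEs).
VULNS = [
    {"id": "V-1", "severity": "critical", "cvss": 9.8, "exposed": True,  "opened": "2024-06-15", "resolved": False},
    {"id": "V-2", "severity": "high",     "cvss": 7.5, "exposed": False, "opened": "2024-03-01", "resolved": False},
    {"id": "V-3", "severity": "medium",   "cvss": 5.3, "exposed": True,  "opened": "2024-05-01", "resolved": False},
    {"id": "V-4", "severity": "critical", "cvss": 9.1, "exposed": True,  "opened": "2024-04-01", "resolved": True},
    {"id": "V-5", "severity": "low",      "cvss": 3.1, "exposed": False, "opened": "2024-06-20", "resolved": False},
]

def _hours(start: str, end: str) -> float:
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 3600

def mttd_hours(incidents) -> float:
    """Mean time to detect: first attacker action -> alert raised."""
    return mean(_hours(i["occurred"], i["detected"]) for i in incidents)

def mttr_hours(incidents) -> float:
    """Mean time to resolve: alert raised -> containment complete."""
    return mean(_hours(i["detected"], i["resolved"]) for i in incidents)

def _quarter(date_str: str) -> str:
    d = datetime.fromisoformat(date_str)
    return f"{d.year}Q{(d.month - 1) // 3 + 1}"

def quarterly_trend(incidents) -> dict:
    """MTTD/MTTR per quarter, keyed by when the incident occurred."""
    buckets = {}
    for inc in incidents:
        buckets.setdefault(_quarter(inc["occurred"]), []).append(inc)
    return {q: {"mttd_h": mttd_hours(b), "mttr_h": mttr_hours(b), "count": len(b)}
            for q, b in sorted(buckets.items())}

def unresolved_by_severity(vulns) -> dict:
    return dict(Counter(v["severity"] for v in vulns if not v["resolved"]))

def _age_factor(days_open: int) -> float:
    # Hypothetical weighting: an unpatched finding costs more the longer it sits.
    if days_open < 30:
        return 1.0
    if days_open < 90:
        return 1.5
    return 2.0

def vulnerability_risk_rating(vulns, as_of: str) -> float:
    """Illustrative VRR: sum over unresolved findings of
    CVSS x exposure multiplier (1.5 if reachable from the internet) x age factor.
    Higher means more risk. The formula is an assumption for this example."""
    as_of_dt = datetime.fromisoformat(as_of)
    total = 0.0
    for v in vulns:
        if v["resolved"]:
            continue
        days_open = (as_of_dt - datetime.fromisoformat(v["opened"])).days
        exposure = 1.5 if v["exposed"] else 1.0
        total += v["cvss"] * exposure * _age_factor(days_open)
    return round(total, 3)

if __name__ == "__main__":
    for q, m in quarterly_trend(INCIDENTS).items():
        print(f"{q}: MTTD {m['mttd_h']:.1f}h  MTTR {m['mttr_h']:.1f}h  ({m['count']} incidents)")
    print("Unresolved by severity:", unresolved_by_severity(VULNS))
    print("VRR as of 2024-06-30:", vulnerability_risk_rating(VULNS, "2024-06-30"))
```

Two caveats a practitioner would add when presenting these: MTTD depends on how "occurred" is established, so it should only be reported for incidents where the investigation fixed that timestamp, and a raw unresolved-vulnerability count rewards closing many low-severity findings, which is why the weighted rating is reported alongside it.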