Follow the Money

When we talk about security with the business we need to talk about money.

I have occasionally run into colleagues whose answer to risk-based governance approaches and performance-based management approaches has been to say “Show me the money!”. I understood their desire to see security operate in the language of business but was always reticent to jump feet first into financially-driven security for a couple of reasons; firstly  I just couldn’t see how we could put a reliable value on what we did and secondly I was nervous about what that might expose. In hindsight I find myself increasingly becoming a financial fundamentalist for security.

Business is fundamentally the generation of profits to maximise the returns of investors. It is the result of one equation:

Profit = Revenue – Costs

Every action you take in a business results in more or less profit as a result of increased or decreased revenue or increased or decreased costs. The goal is to either cause an increase in profit or to prevent a decrease in profit over the time frame that the management team of the business deem to be important. These are fairly self -evident statements but are worth restating. (It is different in government and in social enterprises, I’d be interested if these have a similar basic statement of the purpose of the organisation).

In security we should therefore be considering all of our activities in light of whether they improve the bottom line (the profit) in the short term or protect against possible damage to the bottom line over the longer term. If we are increasing costs or decreasing revenue without a clear future goal that improves the bottom line then there is a strong likelihood we are doing it wrong.

1. Reducing Costs is the most reliable approach to increasing profits, as a security manager if you can maintain or improve the security posture of the business while taking out the costs of that security through efficiency savings you will add to the profit and will have met the business’s objectives. This is where outsourcing, farshoring, automation and managed services can play an important role in any security strategy.
2. Increasing Revenue is a difficult approach for security to achieve. There is a possibility that a well-built flexible security architecture would allow the business to move into new markets and deliver new products or services faster thus generating more revenue over time than would previously have been generated with a security architecture that needed significant rework before the opportunities could be grasped. Not an easy case to make. There is also the possibility that a good security capability can be used both to protect the business and also be sold to other businesses to generate revenue in it’s own right. An unusual activity for a business whose core business isn’t providing management consultancy or managed services.
3. Preventing Future Costs is a risk-based approach where the security team estimates the potential sources of future costs that can be traced to security breaches of one form or another, considers the range of impacts, considers the uncertainty around when and if the event will occur and then plans mitigation to prevent it. Examples could include reducing security incident costs by investing in readiness, or could include investing in application security to protect customer data to reduce the costs of identity theft insurance for any affected customers, or it could include a regulatory fine for non-compliance to a mandated industry standard such as PCI DSS. Identifying the risks of a breach is something we do in security all the time, mapping the impact of those risk events happening to operational business risks with estimated financial costs against them is less common but entirely feasible.
4. Preventing Future Loss of Revenue is also a risk-based approach where the security team estimates the potential sources of future loss of revenue that can be traced to security breaches, considers the range of impacts and considers the uncertainty of the risk event occurring and invests to prevent it occurring. examples could include the impact on sales if customers lost trust in the brand as a result of  breach or a regulator deciding that a flagrant abuse of regulated controls is serious enough to remove the business from the regulated marketplace altogether removing an entire line of revenue for the business.

Preventing Future Costs and Loss of Revenue are risk-based activities and map closely to the sorts of activities we are already doing in our risk-managed security teams.

Putting a monetary value on those risks and driving the the security team based on the cost of investment into the team versus the return on that investment in terms of reduce operating costs or reduced risk of future profit damaging events is hardly a new idea but one worth repeating. It’s an idea that is rarely followed through on with great conviction by security teams who often worry over their limited understanding f the business environment. As a group of experts and specialists we tend towards saying nothing if our confidence in what we are saying is low. But…the actual estimated monetary numbers behind the business risks should be sitting in a risk register either in our second line risk functions or in the COOs office. We work in big complex businesses with multiple plans and strategies, we must engage with the risk management and operations functions to understand the businesses we are protecting.

If you aren’t reporting the following four metrics in monetary terms;

1. Reduced costs
2. Increased revenue
3. Prevention of future costs
4. Prevention of future loss of revenue

Then what you are doing is asking your business sponsors, whether that is the executive team or the board directly, to put a monetary value on the benefit you bring to the business. Asking them to translate your security compliance and security risk statistics into the equation above. Better to generate that yourself because at the end of the day you are the security expert and you will have to live within the resource limits they set.

On a related note the need for security to be a seat at the board has been trumpeted repeatedly since cyber hit the headlines. If we aren’t able to put our activities into a monetary context then frankly we don’t really deserve that seat and even if we can I wonder if we are just a subset of operational risk and in fact we should be lobbying the COO for attention rather than the board.