I often hear calls for security to be treated as a business issue. This seems to vary from calls for the Board of Directors to take an increased interest in security to calls for CISOs to raise their gaze from the technology and consider the whole business.
I have myself called for CISOs to think about value and how it is generated, ensuring that they don’t focus on current or legacy value generation at the cost of limiting opportunities for future value generation.
I have been building an Information Security Management System (ISMS) recently and it occurred to me that, while there are clear engagement requirements with business leaders, the standard for ISMSs (ISO27001) is very much focused on a risk-driven management system with regard for, although light on, compliance. I am of the opinion that an Information Security Management System needs to consider Risk, Compliance and Finance: the first two because they are what we are explicitly asked to deliver, and the third because it shapes our practical scope of activity and should also drive some of our delivery decisions.
Most businesses measure themselves and are measured by others on their top-line and their bottom-line performance.
The top-line in a business is the gross revenue or sales revenue: how much money the business is able to convince other organisations or people to give it in return for products and services. Top-line growth is new sales to existing customers, new business opportunities geographically and innovative new products. This is the ‘sexy’ end of the business where the ‘new turks’ and the ‘rainmakers’ live. A business with ‘growth potential’ tends to have a healthy, growing top-line period on period, a key measure for investors in emerging markets or innovative industries.
This is not where security lives. We often hear calls for security to be an enabler and even to go as far as becoming a profit centre, usually through dubious internal accounting measures. Unless you are a business that sells security services, you don’t add to your top-line from a security team. Some of my previous colleagues have argued that even security vendors don’t expect adding security to their products to add to their top-line, but that’s a different blog.
The bottom-line in a business is the net income, the profit or the earnings: how much money is left when the costs of running the business are taken out of the top-line. This generally isn’t a sexy place to be in the business, as you are reducing the earnings, but focusing on reducing costs is a surprisingly common strategy for CEOs in mature businesses who understand that costs accumulate over time and are not always necessary or efficient. Ultimately a well-run, operationally excellent business has consistent or growing earnings on its bottom-line. Again, this is a key measure for investors, especially in mature markets or industries.
Ultimately earnings can be improved by increasing top-line revenues or by reducing bottom-line costs.
Security is almost entirely associated with the bottom-line through two aspects: the value of earnings protected and the cost of protecting earnings.
Primarily the role of security is to minimise harm to the business from security incidents; this can include theft, outages, fraud, reduced performance, recovery costs, legal costs and regulatory fines. The investment in security is to reduce the impact of these as costs to the bottom-line, thereby protecting the earnings. Many security teams focus on maximising this protection of earnings.
However, the investment in security to protect the earnings from incident-related costs is itself a cost on the bottom-line. If a CISO grows this cost he or she is reducing earnings, so efficiency in security delivery should ultimately be a benefit to earnings. The cost of this investment is often seen as ‘the cost of doing business’ by business leaders who would rather invest in top-line growth, and so they focus on satisficing: delivering just good enough security.
The knife-edge the CISO walks when negotiating an investment in security is to balance the value of earnings protected against the cost of that protection in order to minimise the overall cost to the bottom-line. One of the key problems the CISO has in this negotiation is that the business leaders often do not easily understand or believe the value of the earnings being protected, so they focus on the cost of the protection. Meanwhile the subject matter experts that the CISO relies upon to make his or her case do not really understand the impact of the cost of protection on the bottom-line, so they focus on the protection itself, almost divorced from the financial realities of the business.
One of the reasons I now focus on quantitative risk methods wherever possible is that I am able to produce a defensible financial statement of the value of earnings protected to compare to the cost of the protection of earnings. In the ISMS I am now building quantitative risk plays a role in both the risk-driven nature of the management system and the balancing of the finance on the bottom-line of the business. It makes the balancing act transparent to the business leaders who are able to bring their own experience of managing the bottom-line to bear. An ISMS where Risk, Compliance AND Finance are first-class citizens.
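As an added worked example (not from the original post), a minimal quantitative statement of the balancing act described above: each protection option's expected annual loss is incident frequency times mean loss per incident, the earnings protected are the expected loss removed relative to doing nothing, and the recommended option is the one that minimises total cost to the bottom-line. All figures are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ProtectionOption:
    """A candidate level of security investment and the residual risk it leaves."""
    name: str
    annual_cost: float          # cost of protecting earnings (a bottom-line cost)
    incident_frequency: float   # expected incidents per year with this option in place
    mean_incident_loss: float   # expected loss per incident (theft, outage, fines, ...)

    def expected_annual_loss(self):
        # Simplest quantitative risk estimate: frequency x magnitude.
        return self.incident_frequency * self.mean_incident_loss

    def bottom_line_cost(self):
        # Total drag on earnings: what we spend plus what we still expect to lose.
        return self.annual_cost + self.expected_annual_loss()


def earnings_protected(baseline, option):
    """Expected loss the option removes relative to doing nothing."""
    return baseline.expected_annual_loss() - option.expected_annual_loss()


def net_benefit(baseline, option):
    """Earnings protected minus cost of protection; negative means the control costs more than it saves."""
    return earnings_protected(baseline, option) - option.annual_cost


def choose_option(baseline, options):
    """Pick the option that minimises overall cost to the bottom-line (doing nothing is a valid answer)."""
    return min([baseline, *options], key=lambda o: o.bottom_line_cost())


def financial_statement(baseline, options):
    """Rows a CISO can put in front of the business: earnings protected beside cost of protection."""
    return [{"option": o.name, "cost_of_protection": o.annual_cost,
             "earnings_protected": earnings_protected(baseline, o),
             "bottom_line_cost": o.bottom_line_cost(), "net_benefit": net_benefit(baseline, o)}
            for o in [baseline, *options]]


# Constructed figures, not from any real business: two incidents a year at 400k each if nothing is done.
BASELINE = ProtectionOption("do nothing", 0.0, 2.0, 400_000.0)
OPTIONS = [ProtectionOption("baseline controls", 150_000.0, 1.0, 400_000.0),
           ProtectionOption("enhanced controls", 450_000.0, 0.2, 400_000.0),
           ProtectionOption("gold plated", 900_000.0, 0.02, 400_000.0)]

if __name__ == "__main__":
    for row in financial_statement(BASELINE, OPTIONS):
        print(row)
    print("minimum bottom-line cost:", choose_option(BASELINE, OPTIONS).name)
```

Note that the ‘gold plated’ option protects the most earnings yet has a negative net benefit, which is exactly the case where a maximising security team and the business leaders talk past each other.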
I mentioned that security is almost entirely associated with the bottom-line, but there is a relationship between top-line growth and reputation, and between visible security failures and reputation. It’s not as strong and direct as many maximising security professionals would like it to be, but a major security incident that garners significant press attention has the potential not only to raise costs in the current reporting period but also to reduce sales, leading to significantly reduced earnings over the short term. The significance of that potential is yet to be fully understood, but it is there.
Very well put, Phil – it’s high time you published your blog(s) as a book for those in need of such sage counsel!