Demonstrating the Business Value of Your Security Program

The role of risk quantification

Let’s face it, the cybersecurity market is tough right now. PlexTrac Founder and CTO Dan DeCloss talked with Peter Schawacker, industry strategist and CEO at Nearshore Cyber, on PlexTrac’s Friends Friday about the state of cybersecurity and ways you can make a business case for your services or program. They discussed risk quantification and prioritization within a business context as key to demonstrating real value to business leaders from cybersecurity investments. 

Peter Schawacker is a cyber business thought leader interested in preserving company value by driving cyber risk management and cost savings. Through his company Nearshore Cyber, he delivers hands-on advisory services to C-suites, boards, investors, and IT built on deep experience and expertise in cybersecurity, its evolution, and trajectory. He is an expert at building and managing cybersecurity and GRC programs. As a permanent resident of Mexico and US citizen, he offers intimate knowledge of US and Mexican cyber markets and pathways to Mexican/LATAM.

Watch the full episode of the discussion or read on for the highlights. 

Risk Quantification: Demonstrating business value for your security program

The state of the cybersecurity industry in Spring 2024

Dan and Peter kicked off their conversation by considering the state of the cybersecurity industry and market. They agreed that several factors — both historical and current — necessitate reconsidering how security programs define and demonstrate value to organizations. 

Peter said, “The past 15 years were like the salad days of cyber in terms of the industry; the benefits we’ve conferred on our customers — not so good. Enormous sums of money were spent. There are other complications, like the promise or threat of AI, depending on how you look at it. Interest rates, interest rates are still relatively high. VCs haven’t come back. So there are a lot of economic dynamics.”

Dan agreed that the market is tough and succeeding in it will center around prioritizing the right things and then focusing on demonstrating value around those. He said, “My opinion is that organizations are now kind of recognizing, like, hey, we actually have to hone in on what actually provides value. It’s not that we shouldn’t be doing cyber to secure our infrastructure and organization, but what are the things that actually have the most impact? Right? So, from my perspective — and I led a security team — it’s like, hey, how do we determine if we’re working on the right things? Like, how do we prioritize this risk? And so, we’ve seen the risk quantification kind of companies and things like that. To me, there’s promise in that kind of notion.”

Cyber risk within a business context

Peter continued, “Let’s talk about risk. I mean, I’m a small business owner. Small, small. Like, you know, ten people. Cyber is not in this list of risks, the top ten risks. It’s not in the top five. It’s not. It’s like, at the bottom five or bottom half of a bottom five of that top ten, maybe. It doesn’t really get my attention until it pops up to the top, and then I just want to push it back down because I want to sell staffing, recruiting, professional services, stuff like that. That’s what I do for a living. And when security intrudes for my business, I need to take care of it quickly. Those are business risks. Cyber, it’s not there.”

He notes that a holistic approach to organizational risk is critical to adding and demonstrating value of the cybersecurity program because businesses don’t rank cyber risk in the same way cybersecurity leaders do. “So, when we’re trying to start making the case for more investment in cyber. I would ask, ‘What are your other risks? Where does this stack up? And have you done a risk analysis of your cyber risks?’ Tell me three things you really care about.” 

Dan agreed, “Yeah, I think you’re exactly right. I’ve touted for a long time — which is not news, it’s not novel — we’re all in the business of risk management, right? And so, you know, cyber is another aspect of risk that could be stack ranked against all the risks. So I completely agree with you that it needs to be in the context the entire business.”

Measure risk consistently 

Peter said, “You start analyzing risk. You can use quantitative methods. You can use qualitative methods. You can stack rank. My recommendation is do one. Because you have to know what you’re protecting, and it’s not computers. Right. You know, you have to understand what the business needs.”

Dan continued, “I think that from the perspective of CISOs these days and boards, it’s like, hey, we recognize the value of cyber investment, but you’ve got to keep showing that, right? You have to keep showing the impact.” 

Once you’ve identified what really matters to the organization, you can get to the work of aligning that with cyber risk and so you are measuring and prioritizing the right things. This is where real value creation will begin to take shape. Both Peter and Dan agreed that risk quantification mechanisms are less important than measuring in the context of business priorities. Once those are determined, the key is consistency. 

Peter said, “Risk metrics are like your favorite exercises. I had a trainer and I was like, ‘so what’s the best exercise for me,’ and he said, ‘The one you’ll do.’ That’s it. The one you do. You know, what’s best? What’s the most important musical instrument? I don’t know. The one you play. Use one, stick with it, maintain consistency. If you’ve ever done archery or shooting sports, you know, it’s all about consistency because then you can make minor adjustments and you can hit it. Right? Same thing.” 

Follow PlexTrac on LinkedIn for more PlexTrac Friends Friday conversations.