Reframing Cybersecurity’s Contribution To The Business
Business strategy regarding cybersecurity risk management is something that can feel rightly infuriating as a cyber professional, especially in the post-mortem from a breach. In this blog, I’m going to attempt to explain why cybersecurity risk is different from common types of risk we’re familiar with, why market valuation is the best way to understand business impact, and then bring these two concepts together to present a solution to getting cybersecurity and the business to be measuring risk the same way.
Let’s Reframe Cyber-Risk With A Better Understanding of Risk Acceptance
“We don’t do risk management so we can take less risk. We do risk management so we can take more risk. If your risk program is getting in the way of taking risks, you are doing it wrong.” — @reneelynnmurphy
Risk acceptance is the mechanism by which money is made. If you invest in a stock, you have accepted the risk that the stock may go down, while hoping to profit if the value of the stock increases. The only way to eliminate this risk is to not invest, but this also eliminates your potential profit. As with the stock market analogy, risk is most often understood as a correlation between direct investment and return:
- Investors using options as a vehicle for larger gains instead of stock purchases.
- A retailer committing to a more expensive lease in a location with higher foot traffic.
- A pharmaceutical investing in research to develop proprietary remedies.
One of the challenges with cybersecurity is that risk is, for the most part, accepted by choosing not to invest in the people, processes, and technology to mitigate a specific risk. Further, because doing nothing is literally a form of risk acceptance, it blurs the line between ignorance and implicit acceptance.
“The only system which is truly secure is one which is switched off and unplugged locked in a titanium lined safe, buried in a concrete bunker, and is surrounded by nerve gas and very highly paid armed guards. Even then, I wouldn’t stake my life on it.” - Gene Spafford
If we were to imagine a purely academic treatment of cybersecurity risk, we’d start by eliminating the computing environment completely, and then slowly accept risk by allowing these systems back into the environment to facilitate business outcomes. Cybersecurity professionals don’t have this luxury. Instead, we are provided with a budget to creatively develop and deploy mitigating controls that are appropriate for that specific and largely inherited environment. Truly, this is one of the most exciting aspects of cybersecurity — the fact that every environment presents a new set of problems with a new set of constraints. The budgets we receive will never be enough to do everything we want to accomplish, but this is by design, because risk acceptance is the mechanism that enables profit. This is something I find is missing from a lot of conversations about burnout in this industry — do not sacrifice your physical or mental well being trying to mitigate risk the business has already accepted.
How Do You Measure The Impact of Realized Risk To The Business?
Market valuation is the perceived economic value of a business. Companies may have different strategies for getting to that valuation, but in the end, the market is the audience everyone is trying to impress. For this reason, I’m going to postulate that market valuation is the right metric for understanding the impact of realized cybersecurity risk. While there may be many potential consequences that are realized, market valuation is a singular metric which may be seen as a distillation of these consequences and other information that impacts the perceived economic value of the business.
So how does cybersecurity, and cybersecurity incidents, contribute to valuation? Cybersecurity budget is an operating expenditure (OpEx), a recurring cost that is subtracted from gross revenue when determining value. Responding to a major cybersecurity incident is better understood as a capital expenditure (CapEx), a one time cost. When a major incident occurs, cybersecurity spend is increased and targeted controls are put in place to shore up the specific weaknesses that were exploited, limiting the likelihood of that particular scenario repeating. Because this capital expenditure is a one time cost and measures have been taken to prevent the scenario from repeating, its impact on future price-to-earnings (P/E) calculations, and therefore market valuation, will be marginal. Supporting this assertion is a Comparitech study that found an isolated cybersecurity incident, no matter how large, will have only residual long term impact on valuation.
How Should This Perspective Impact The Way Cybersecurity Pros Work?
Cybersecurity professionals are knowledge workers who are hired for their ability to conceive and build mitigating controls to reduce the impact of cybersecurity incidents on the valuation of the company using available budget. Since we’ve shown that organizations leverage CapEx for major incidents and that these incidents only have marginal impact on long term valuation, the natural conclusion is that there’s a second level “business” impact that isn’t being properly understood in our cybersecurity risk assessments. I feel the problem is the traditional risk equation attempts to snapshot something that must be sampled as impact (I) over time (t). An example of what this might look like is:
dI/dt = L * I
You may recognize we are representing the risk equation as an ordinary differential equation where impact is a function over time and L represents the rate or likelihood of an occurrence, this is because risk may be realized multiple times. In understanding the business objective of increasing valuation by reducing recurring cost, either from recurring cybersecurity incidents or from the OpEx of their cybersecurity budget, recurring problems might make a larger impact on long term valuation than a potential major cybersecurity incident (as long as it doesn’t put you out of business).
