How CISOs escape the cost center trap

Even as the CISO role is becoming more business-focused, in many organizations the notion of security as purely a cost center persists. Here’s how savvy CISOs can turn that around.


The increasing number and sophistication of cyberattacks have companies boosting their cybersecurity budgets—again—in the upcoming year.

PwC’s Global Digital Trust Insights Survey found that 69% of organizations expect to boost cyber spending in 2022; 26% will see their security budget up by 10% or more.

Even in this age of high-profile attacks, figures like that help perpetuate the idea of cybersecurity as a cost center. That in turn can leave CISOs at odds with their executive colleagues, and it can leave those other executive leaders frustrated and confused about the value they actually get from their cybersecurity investments.

“Many business leaders are now keen to participate in cyber transformation, but they find the wide use of security jargon and vain metrics deeply frustrating. It leaves them unclear about key threats targeting their businesses, the strength of their existing defenses, or what investment is required. They feel like they are pouring money in a leaky bucket because cybersecurity teams struggle to translate the value of their initiatives into the language of the business: money,” says Phil Zongo, CEO of the Cyber Leadership Institute, a training organization, and a member of the Emerging Trends Working Group at the professional association ISACA.

Leading CISOs, however, have turned that reputation around even as their own security budgets rise. How did they do it? By demonstrating that security is not only critical to business success but is an enabler and a competitive advantage just as much as the digital infrastructure and data assets it protects.
