How CISOs escape the cost center trap

Even as the CISO role is becoming more business-focused, in many organizations the notion of security as purely a cost center persists. Here’s how savvy CISOs can turn that around.


The increasing number and sophistication of cyberattacks have companies boosting their cybersecurity budgets—again—in the upcoming year.

PwC’s Global Digital Trust Insights Survey found that 69% of organizations expect to boost cyber spending in 2022; 26% will see their security budget up by 10% or more.

Even in this age of high-profile attacks, figures like that help perpetuate the idea of cybersecurity as a cost center. That in turn can leave CISOs at odds with their executive colleagues, and it can leave those other executive leaders frustrated and confused about the value they actually get from their cybersecurity investments.

“Many business leaders are now keen to participate in cyber transformation, but they find the wide use of security jargon and vain metrics deeply frustrating. It leaves them unclear about key threats targeting their businesses, the strength of their existing defenses, or what investment is required. They feel like they are pouring money in a leaky bucket because cybersecurity teams struggle to translate the value of their initiatives into the language of the business: money,” says Phil Zongo, CEO of the Cyber Leadership Institute, a training organization, and a member of the Emerging Trends Working Group at the professional association ISACA.

Leading CISOs, however, have turned that reputation around even as their own security budgets rise. How did they do it? By demonstrating that security is not only critical to business success but is an enabler and a competitive advantage just as much as the digital infrastructure and data assets it protects.

There’s no one way to dispel the notion of security as purely a necessary cost, but the experts we spoke with identified five strategies that can help CISOs get others to see security as a value center.

Consider how your messaging impacts how you’re perceived

In a twist to the business maxim “You can’t manage what you don’t measure,” Ahmed Jamil, leader of the CISO practice at Russell Reynolds Associates, advocates the idea that you can’t improve what you don’t know and understand.

“Sometimes the first step is acknowledgement,” he explains. “You have to have an appreciation for how the C-suite and the board are thinking of you.”

It’s a step that takes some reflection to determine if, as the CISO, you’re viewed as a full executive partner working to shape policy and strategy—or whether security remains an afterthought and bolt-on to those.

“Think about the function. Is it reactive or proactive? How is it positioned in the organization?” Jamil says. “CISOs can get stuck in, ‘Here’s everything we’re doing to keep the organization secure in the current landscape.’ And they’ll show metrics [regarding that effort] to the board but they don’t show what’s coming. But CISOs need to put in business terms how they’re looking around the corner, how they’re being more proactive to show that security is a hub of innovation as much as, say, digital analytics.”

Cultivate allies in the business

Zongo advocates for CISOs to “relentlessly focus on stakeholder engagement.”

As he explains: “No major transformation program succeeds without executive support, and cybersecurity is no different. Engage stakeholders from key departments early and infuse their perspectives into the strategy. When key executives feel engaged from the start, they are likely to throw their full weight behind the cyber transformation program.”

To do that, Zongo says CISOs must establish a cross-functional cyber risk committee comprised of senior stakeholders from business risk, legal, technology, product development, procurement, and finance. “The cyber risk committee sets the right tone at the top, ratifies the cybersecurity strategy, and ensures the function is fully funded and well supported,” he adds.

However, some CISOs will face challenges in their ability to fully engage the business.

Many CISOs still align to the CIO’s objectives and IT’s roadmap. Those are (or at least should be) aligned with the business’ overall strategy. Even so, that reporting structure removes security from straight-line access to the business and, consequently, to the business function leaders.

Pam Nigro, VP IT and security officer, Home Access Health Corporation

Statistics around organizational reporting structures speak to this point. The 2021 Global Chief Information Security Officer Survey from executive search firm Heidrick & Struggles found that 38% of CISOs report to CIOs while only 11% report directly to the CEO.

Pam Nigro, vice president of IT and security officer for Home Access Health Corporation, says when CISOs “draw a straighter line to the organization’s goals, they have greater buy-in to what they’re trying to do and can get more support for it.” If a CISO’s U.S. company wants to expand into European markets, for example, the CISO must understand and articulate how the security function will enable those business objectives by meeting European privacy regulations and security requirements; the CISO shouldn’t be detailing how to secure the technology infrastructure.

Accentuate the positive

The string of high-profile and impactful cyber incidents in recent years has made cybersecurity top of mind for boards. Boards are also paying more attention to security as related regulations increase and consumer expectations in this space rise.

The JWC Partners 2021 corporate board survey found security was No. 3 on the list of top board concerns, just after corporate strategy and CEO/leadership succession. Yet at the same time many board members aren’t particularly confident in their understanding of the topic.

According to PwC’s 2021 Annual Corporate Directors Survey, only 33% of responding directors said they understand “very well” their company’s cybersecurity vulnerabilities, 53% said they only “somewhat” understand those vulnerabilities, and 13% listed their understanding at “not very well.” (A mere 1% acknowledged they had no understanding at all.)

However, the heightened board-level interest in cybersecurity presents an opportunity for CISOs, Zongo says.

“It has been a painful journey for many CISOs to get to this point, [as CISOs] have always felt that their messages fell on deaf ears, their budgets were severely underfunded, and they were treated as glorified systems administrators. [Now] boards and responsible officers are starting to take cyber risk seriously,” Zongo says.

But he and others counsel CISOs against focusing only on what can go wrong: Fearmongering, they say, reinforces the old notion that the security function is a cost akin to insurance.

Chris Hughes, co-founder and CISO, Aquia

“CISOs should shift from antiquated tactics of utilizing fear, uncertainty, and doubt and instead paint an optimistic and uplifting message about the impact that cybersecurity can have on the business and more broadly the organization's customers and critical stakeholders,” says Chris Hughes, co-founder and CISO of software firm Aquia as well as an adjunct professor in cybersecurity at both Capitol Technology University and University of Maryland Global Campus.

“Cybersecurity incidents can have negative ramifications ranging from financial, regulatory, and reputational harm,” Hughes adds. “While it is key to keep this in mind, and remind your business peers, it also has a negative connotation associated with it. Instead shift the message to focus on enabling the business to function securely, maximizing value to the customers and stakeholders, ensuring their trust and loyalty and even utilizing a strong cybersecurity posture to be a key differentiator in the marketplace among your peers. Demonstrate how avoiding cybersecurity incidents can contribute to business growth.”

Quantify the value security delivers

The security chiefs who have broken free from the reputation of security as a cost center show the value they bring to the business, says Fred Rica, a principal in KPMG’s Advisory Services practice and a national cyber risk and threat intelligence leader at the firm.

“CISOs who earn the spot in the C-suite talk about business enablement, they talk about what they’re going to enable to happen,” he says.

Rica positions security as the brakes that let companies move fast safely, rather than being the emergency lever that slows—or shuts—everything down.

“You could drive your car without brakes, but I’m not sure that’s a car I want to drive,” he says.

As such, he says CISOs should stress how security lets customers interact with the business quickly and seamlessly knowing, should something pop up, that the brakes will keep them safe.

“CISOs, by doing that, are enabling the business,” he adds.

And the top ones know how to both articulate and quantify that.

Nigro, who is also the board vice chair for ISACA, acknowledges that calculating security’s value in real dollars is challenging for CISOs. Yet she insists it can—and should—be done.

“Quantify what’s going on, not just what it costs you, that’s what people already see,” she says.

Nigro gives a plug here to Douglas W. Hubbard’s book, How to Measure Anything: Finding the Value of Intangibles in Business. And she also advises CISOs to team up with their finance colleagues to develop the skills needed for the task; she herself leaned on a colleague who was an actuary to learn how to quantify her security function’s contributions.

Nigro worked for an insurance company that sought to offer insurance on an Affordable Care Act exchange; she calculated the cost of delivering the security required for participation as well as the revenue that would be lost during the upcoming year if her company didn’t have the necessary security in place by the participation deadline. That allowed her, she says, to present in financial terms how the price tag of security was dwarfed by the potential revenue that came with participation in the program.

Make security a differentiator

CISOs who pull all these strategies together are able to then position their organization’s security as a competitive differentiator that doesn’t just support the company’s agility but is actually essential to the company’s ability to respond quickly, says James Stanger, chief technology evangelist at CompTIA, a training and certification trade association.

“Now the CISO is the person who is brought in to build the foundation for an organization’s success,” he says. “The CISO is more strategy. The traditional idea was that the CISO [kept the company] from being hacked. Now the CISO is an enabler of expanding the business.”

CISOs today must positively shape how they and the security team are perceived by others within the organization. They need to collaborate with the business function leaders. They also must be able to assess and articulate risk, and use those assessments to value security’s contribution.

“The CISOs I see are good at communicating security as literally the foundation for operating the business,” Stanger says. “They know how to show it’s an opportunity center.”

Copyright © 2021 IDG Communications, Inc.
