Showing how security helps the business achieve its objectives is a two-step process: speak the language of the business, and do cost-benefit analyses that prove the value returned.

It is a common refrain among senior folks in enterprise cybersecurity: “We have to learn to align with the business.” Unfortunately, we seem to spend most of our time trying to get the business to “align with cybersecurity,” and we become frustrated when it doesn’t or can’t. Part of the reason is that we often don’t want to (or can’t) speak like the business. The reality is that cybersecurity is a cost center in organizations. Not only that, it is a cost center whose value, of which there is plenty, can be extremely difficult to recognize. (See my previous article on board-level cybersecurity metrics.)

Two steps to align cybersecurity with the business

At a basic level, aligning with the business is a two-step process. Step one is to understand its language. The lingua franca of every enterprise is finance, and that is often our biggest challenge. Most industries have their own measures of cost effectiveness: think sales per square foot in retail, or treatment cost per patient in healthcare. Cybersecurity needs to act like any other department or line of business in the organization and produce its own. That brings us to step two.

Step two is to develop methods and metrics for benefit-cost analysis and return on investment, measured in value rather than profit. This can start by calculating costs with cost accounting methods such as activity-based costing, and evaluating investments with breakeven analysis. It can be as simple as determining the amount being spent and judging qualitatively whether the investment “is worth it,” something you already do implicitly but probably not explicitly. Making that judgment also sets a lower bound on the risk you are claiming to reduce.
If it is “worth it” to spend $1 million on a solution, then you are expecting to reduce risk by at least that amount. People often get nervous when I suggest that the same lower bound applies to the collective cybersecurity spend of an organization. (Those really interested should look up the concept of “willingness-to-pay” in economics handbooks.)

Once you have the basic financial information, things get really exciting. You can start looking at financial ratios like cost-per-control, cost-per-session, loss-to-value ratio and more.

I once heard a CISO on stage at a conference say he would spend “whatever it takes” to be secure. I’m here to tell you that is ridiculous and a cop-out. Look, I get the sentiment in an emotional sense, but this type of thinking can be extremely destructive and contrary to any business alignment opportunity out there. Understanding financial impact in cybersecurity can be challenging. (Hey, human resources probably has it even worse.)
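As an added illustration of the activity-based costing, breakeven and cost-ratio ideas above (example code written for this edit, not from the article or its author), the script below costs a control from the activities it consumes, derives cost-per-session, and computes the “lower bound” the article describes: the annual avoided loss you implicitly assert when you call a control, or the whole programme, worth its money. The control names, hourly rates, licence costs, session counts and the linear cost model are all constructed assumptions, not real data.

```python
"""Activity-based costing and breakeven analysis for security controls.

Added example, not from the original article. Every figure is constructed.
Cost model (an assumption): a control's annual cost is its fixed spend
(licences, hardware) plus the labour hours it consumes at a loaded rate;
a one-time implementation cost is spread over a planning horizon.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class Activity:
    """One activity a control consumes, priced activity-based-costing style."""
    name: str
    hours_per_year: float
    loaded_hourly_rate: float  # salary + benefits + overhead, per hour (assumed)

    def annual_cost(self) -> float:
        return self.hours_per_year * self.loaded_hourly_rate


@dataclass
class Control:
    name: str
    activities: list[Activity]
    fixed_annual_cost: float        # licences, hardware, subscriptions
    one_time_cost: float = 0.0      # implementation, migration, training
    sessions_per_year: int = 0      # units of work protected, e.g. logins

    def annual_cost(self) -> float:
        return self.fixed_annual_cost + sum(a.annual_cost() for a in self.activities)

    def total_cost(self, horizon_years: int) -> float:
        return self.one_time_cost + horizon_years * self.annual_cost()

    def cost_per_session(self) -> float | None:
        """Cost-per-session ratio; None when the control protects no countable units."""
        if self.sessions_per_year <= 0:
            return None
        return self.annual_cost() / self.sessions_per_year


def implied_min_annual_loss_avoided(control: Control, horizon_years: int) -> float:
    """The lower bound the article describes: the avoided loss per year at which
    cumulative benefit just equals cumulative spend over the horizon. Judging the
    control 'worth it' asserts at least this much risk reduction."""
    return control.total_cost(horizon_years) / horizon_years


def breakeven_years(control: Control, annual_loss_avoided: float) -> float | None:
    """Years until cumulative avoided loss catches up with cumulative spend.
    Returns None when the control never pays back (avoided loss <= running cost)."""
    net_annual_benefit = annual_loss_avoided - control.annual_cost()
    if net_annual_benefit <= 0:
        return None
    return control.one_time_cost / net_annual_benefit


def portfolio_lower_bound(controls: list[Control], horizon_years: int) -> float:
    """Same bound applied to the whole programme: if every control is worth its
    money, the programme implicitly claims at least this much avoided loss per year."""
    return sum(implied_min_annual_loss_avoided(c, horizon_years) for c in controls)


def example_controls() -> list[Control]:
    # Constructed figures for illustration only.
    mfa = Control(
        name="MFA rollout",
        activities=[
            Activity("helpdesk resets and enrolment support", 400, 75.0),
            Activity("identity admin and tuning", 200, 110.0),
        ],
        fixed_annual_cost=60_000.0,
        one_time_cost=50_000.0,
        sessions_per_year=2_000_000,
    )
    mail_gw = Control(
        name="email security gateway",
        activities=[Activity("rule tuning and triage", 100, 110.0)],
        fixed_annual_cost=40_000.0,
        one_time_cost=10_000.0,
    )
    return [mfa, mail_gw]


if __name__ == "__main__":
    horizon = 3
    controls = example_controls()
    for c in controls:
        print(f"{c.name}: ${c.annual_cost():,.0f}/yr; implied minimum avoided loss "
              f"over {horizon} years: ${implied_min_annual_loss_avoided(c, horizon):,.0f}/yr")
        cps = c.cost_per_session()
        if cps is not None:
            print(f"  cost per session: ${cps:.4f}")
    mfa = controls[0]
    print("MFA breakeven (years) at $250k/yr avoided:", breakeven_years(mfa, 250_000))
    print("MFA breakeven (years) at $100k/yr avoided:", breakeven_years(mfa, 100_000))
    print(f"programme lower bound: ${portfolio_lower_bound(controls, horizon):,.0f}/yr")
```

Run it as a script to see the per-control figures. The horizon is the important judgment call: a short horizon loads the one-time cost onto a few years and raises the bar the control has to clear, which is exactly the argument you want to be able to show the business rather than assert.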