Source: CSO Magazine On:
Security executive Ricardo González doesn’t see IT security as a cost center; instead, he describes it as “a strategic investment in reduction of corporate risk, and a positive contribution to the realization of business value.”
That’s something the whole C-suite can get behind. Yet it’s a perspective that has only starting gain ground as CISOs and their security team mature into their roles as fully vested executive leaders.
Indeed, González, head of operational risk and control as well as business resilience manager for Zurich Spain, part of the international insurance company, says more CISOs are sharing his perspective – and looking to quantify their value.
“CISOs are increasingly concerning themselves about measuring their contribution,” he says.
It’s an important and worthwhile ambition, but many CISOs struggle with how to articulate in financial terms what, and how much, security delivers to the organization. Yet experts say it should still be done.
“Demonstrating business value can be much easier for sales, production, procurement, even for IT. But for functions such as compliance, risk management or information security demonstrating value is far more challenging, therefore it is more important to make it,” González says. “Professionals in those areas usually fall for the temptation of thinking they are simply ‘necessary’ somehow, part of the cost of doing business. This is a mistake. You should help achieve business goals, topline and bottom-line, as effectively as possible, with the least waste possible. And if nobody else is measuring your contribution, then you should be the one to worry about how to do it best.”
This is new territory for CISOs, who have traditionally focused on measuring tactical improvements such as the number of patches implemented or denial-of-service attacks blocked. It’s also particularly challenging, as calculating ROIs on security investments has been notoriously difficult to calculate. After all, how does one put a price tag on the absence of something bad doesn’t happen?