Kathy Gibson is at Gartner Symposium in Cape Town – As the threat of cybersecurity becomes more visible, CIOs are finally getting more budget to address threats.
“The reality, though, is that it is still a grudge spend,” says Tom Scholtz, vice-president and Gartner Fellow at Gartner. “Spending on security does not drive revenue and is always a cost.”
CIOs still have to justify their spend, to its difficult to quantify the value.
Paramount is the issue of credibility, so CIOs must establish an effective working relationship with the business, based on governance, relationships and feedback.
The actual value of security has to be communicated in business terms, but CIOs must be careful of using unsubstantiated ROI arguments.
The key starting point is to understand the business strategy and make sure the security strategy maps to this. They should also strive to understand the business environment, the business risk and its risk appetite.
Executing on this in practice starts with establishing governance.
The next step is to establish channels of communication by identifying key stakeholders then using meetings, presentations and documentation to guide users and build relationships.
Once credibility and support has been established, it needs to be maintained – and the best way to do this is to demonstrate results of the security strategy.
Gartner recommends communicating the business value of the programme revolves around articulating the business value through the 4I model, capturing the business drivers and mapping these drivers to value categories an actions.
The 4Is are integrity, investment, insurance and indemnity
Integrity is about the reliability of business operations, investment is the expected return, indemnity is the regulatory and shareholder exposure, and insurance relates to risk management.
Importantly, CIOs have to identify the business drivers that are unique to their specific organisation.
“These drivers will impact how technology and information will be used in the organisation, and so there will be an impact from the security perspective,” Scholtz points out.
“Regardless of what methodology you use, understanding your organisation’s business drivers is vital. Your organisation has strategies and these will define the drivers.”
Having determined the drivers and business values, these should be mapped to actions, Scholtz explains.
This will reflect what needs to be done, why it needs to be done and the benefits that can be expected.
Possibly the most difficult part of the plan, though, is communicating it.
Scholtz recommends tailoring the communication format to the audience preference, to road test it with a business colleague, to temper it to reflect cultural and personal realities, and to keep it short.
When seeking support for projects, it’s useful for CIOs to present cost-benefit analyses, Scholtz adds.
He recommends that they take a balanced approach that recognises that the business view of ROI is always financial.
Because security and compliance measures are to prevent or mitigate future negative events, it is difficult to proactively quantify the financial impact of these events.
So the expected value of any investment should be articulated as risk reduction, intangible benefits and ROI where it’s appropriate.
To maintain credibility, feedback is useful. This should include information such as which expected benefits were realised and which weren’t, and whether there were unexpected benefits.