Such chief information security officers go beyond defending their organization’s business value by creating value with their cyber pizzazz

EY studies have seen up to 79% of respondents indicating that it took them six months or longer to detect and respond to a cybersecurity incident. Just one in five considered their cybersecurity effective today and well-positioned for tomorrow.

While the financial, regulatory, and reputational impacts grow, cybersecurity budgets in the Asia Pacific region are not keeping pace.

So, how do CISOs build a case for investment? How do they create a compelling story around cybersecurity when the infrastructure is invisible, and the measure of cybersecurity success is “nothing happened”?

Speaking the language of business

Organizations with the most effective cybersecurity shared several key characteristics. We call this group “secure creators” because they had fewer cyber incidents, were quicker to detect and respond when incidents did occur, and had translated cybersecurity into a value creator rather than an inhibitor.

Secure creators behave differently in three specific ways.

    • They are quick to adopt emerging technology and use automation to streamline processes.
    • They have specific strategies to manage complex attack surfaces.
    • Most importantly, in the context of budgets, they build bridges across their organization (the C-suite, the cybersecurity team, and the broader workforce) by speaking the language of business.

The most successful CISOs we have come across can tell a story that resonates with their business in terms of risk buydown, business impact, and value creation.

Some CISOs build actuarial models to quantify the risks of underinvestment. If a threat materializes, what is the dollar impact of systems going offline? How does that translate into lost customers, brand damage, regulatory fines, or lower transaction revenue?

By quantifying the cyber risk, these CISOs can then demonstrate how investment in cyber capabilities will reduce those risks. 

Another way to capture the attention of the chief financial officer (CFO) and the Board is by benchmarking a company against its industry peers. A big gap between a business and best practice can be perceived as a dereliction of duty, especially if investors and regulators start asking questions in the wake of a cyber incident. Just a simple (multimedia) graph to highlight urgent cybersecurity gaps can capture the board’s attention and bolster a cyber budget in a matter of minutes.

Jeremy Pizzala, Cybersecurity Consulting Leader (Asia Pacific), EY

From value defender to value creation

Our research commonly sees CISO respondents being less likely to be satisfied with the effectiveness of their organization’s cybersecurity approach than the C-suite respondents. This suggests CISOs have an important role to play in bridging knowledge gaps across their organizations.

To do that, CISOs need to overcome the perception that they are a business blocker. In organizations that we deem as secure creators, cybersecurity is recognized as fundamental to business resilience, reputation, and compliance. 

Done well, cybersecurity is not just about value protection. It is also about value creation. What does this look like?

    • CISOs in these “secure creator” firms help their businesses move faster on the digital journey by being there from the beginning of every project. Rather than retrofitting security tools around existing systems or ticking off items from compliance checklists, cybersecurity is embedded into every new initiative from the outset.
    • We call this “Security by Design”: the security-first approach builds trust, which in turn creates new value.
    • What does this value look like? It may be that customers and suppliers are more confident in transacting with your business or that you are better able to harness the benefits of ecosystems without worrying about potential risks.

Importantly, these effective CISOs establish the guardrails and protections that allow business functions to focus on new ideas rather than be distracted by other routine concerns. In doing so, secure creator firms pivot from seeing cybersecurity as a cost center to seeing the critical function as a value creator.

Communicate that to your CFO and watch your cyber budget grow.