The ‘value’ of cybersecurity comes from the losses that have been prevented as a result of its implementation.
A risk and investment perspective frames cybersecurity as an operational risk and aims to attach a measurable metric to any risks associated with it. Because only the losses actually incurred from attacks and breaches can be measured, and not the losses that were prevented, cybersecurity is a challenge to quantify through traditional means: there is no clear return on investment. As a direct consequence, although everyone can agree on its importance, disagreements can often arise over whether an appropriate budget has been allocated or whether current spending has been effective.
Most businesses, however, already have a team whose tasks revolve around measuring difficult-to-quantify risks: namely, their risk management department. In fact, statistical methods for carrying this out have previously been proposed at an RSA conference.
It is often the case, though, that those in charge of information security work independently from risk management. Cooperation between these two teams can provide crucial information needed for bodies (say, a board of directors) to make better decisions on budget allocation, as well as the metrics needed to evaluate the effectiveness of current spending.
Throughout this series, we have discussed different perspectives one can take on cybersecurity. Although we have mentioned what each perspective can and cannot do, it is important to remember that adopting one does not stop you from also adopting another simultaneously. Because the field is so extensive, challenges in cybersecurity can manifest themselves in a myriad of different ways. Every so often, a change of perspective is all that is needed to provide the necessary insight to tackle a seemingly unsolvable challenge.