Most agree cybersecurity is an important priority for any agency or business, but it’s often difficult to prove that’s the case using hard data. It’s much easier for organizations to acknowledge the overall value of cyber risk management than to chart that value in terms of specific organizational goals, budgets and revenue.
Thankfully, that overall value is becoming easier to quantify, as the National Institute for Standards and Technology’s Cybersecurity Framework is helping codify standards, guidelines and best practices on flexible and cost-effective steps for protection and resilience amid cyber threats.
Still, a recent experience I had discussing this topic with a room full of executives reminded me just how eager the business community remains in trying to connect the dots between cyber risk investment and concrete business outcomes.
I was giving a talk at a George Mason University forum near Washington D.C. about cybersecurity governance and leadership. One slide in particular—judging by the amount of questions and follow-up conversations it prompted—seemed to stand out. It was a grid of itemized security investments and how those investments related to…
