Delivering Business Value through Cybersecurity Investments


Town Hall Insights
Pittsburgh CIO & CISO Community

Michael Simmons

Vice President, Chief Information Security Officer and Technology Operations

Dick's Sporting Goods

PRESENTER

Lisa Biondi

CIO

System One

DISCUSSION LEADER

Kathleen Lovett

Vice President and Chief Information Officer, Supply Chain

VSP Global

DISCUSSION LEADER

Peter Zwieryznski

Director of Information Security

Koppers Holdings

DISCUSSION LEADER
AUGUST 2023

According to the 2022 Gartner IT Budget and Efficiency Benchmark, cybersecurity is the No. 1 spend item in the IT budget, and it remains a board-level concern. But spending does not always equal cybersecurity protection. CIOs and CISOs can make a difference by demonstrating how investments in security can create business value. 

Recently, CIOs and CISOs in Pittsburgh joined a Town Hall discussion on how to ensure security investments are aligned to the organization’s goals. Evanta Governing Body members Michael Simmons, Vice President and Chief Information Security Officer and Technology Operations at Dick's Sporting Goods; Lisa Biondi, CIO at System One; Kathleen Lovett, Vice President and Chief Information Officer, Supply Chain at VSP Global; and Peter Zwieryznski, Director of Information Security at Koppers Holdings, led the discussion.

Governing Body member Michael Simmons kicked off the discussion by noting that cybersecurity strategies are the number one topic for CIOs this year, based on Evanta’s annual Leadership Perspective Survey among members. Michael shared how he approaches cybersecurity investments, measurement, and communications about risk.

CIOs and CISOs joined small breakout groups to share strategies on choosing the right investments to deliver value to the business, transitioning to outcome-driven metrics when talking about security, and communicating with the board about cybersecurity in a business-driven way.
 

Key Takeaways from the Discussion

  • Budgets are tightening, but CIOs and CISOs can get what they need for security.

While IT and security leaders find that budgets are tighter this year – and there is more scrutiny on spending – they are still able to get what they need. The scrutiny is around how the vendors and resources are performing, and it’s important for CIOs and CISOs to demonstrate ROI. One executive said, “We have plenty of tools and technology – we need to maximize what we have and not chase new things.” Another executive noted that increased regulations are helping to drive priorities and investments needed to mitigate risks.

  • Benchmarks are key when it comes to establishing metrics.

Many executives reported that benchmarking has helped when it comes to security investments, such as showing their spending against revenue or versus their technology investments as a whole. One leader said that it’s useful to compare spending to other organizations or their industry. Another noted that vendors can help consolidate metrics from different platforms or consolidate the view about their organization’s performance.

  • Differentiate messages and metrics for the board and other stakeholders.

CIOs and CISOs agreed that it’s important to get to know your board, their understanding of security, and the level of information they might be looking for when communicating to them about cyber risk. One executive suggested offering them insights on global and national trends, plus what’s happening in the organization. Another noted that board members have different “risk tolerance levels,” so it might be helpful to provide a perspective based on risks and the progress being made or yet to be made.

While it’s not easy to select cybersecurity investments while budgets are being closely watched, IT and security leaders are pivoting to show the business value of their spending priorities. They understand the need to focus on outcome-driven metrics and business-driven communications. 
