Cybersecurity has always been a controversial problem. No one wants to mess with cybersecurity! But what is the business value of security investments? How do you measure success? Let me provoke the debate: what does cybersecurity mean to you? What do you value in security initiatives? Do other stakeholders agree with you?
Describing the business value of initiatives was much easier in the old days, when things were static and stable. Those were the days when the popular enterprise/security architecture frameworks endorsed top-down planning and design: always start with the business. The TOGAF Architecture Development Method (ADM) establishes the business context (business directives, business principles, business goals, business drivers) in Phase A, Architecture Vision, and then continues with modeling the Business Architecture in Phase B. Likewise, the SABSA Business Attribute Profiling exercise pursues "business requirements" and "business drivers for security" in the Strategy & Planning phase. The SABSA Whitepaper states: “business requirements are the primary driver for developing effective information security solutions”.
However, the agile enterprise of the digital era has a prevalent problem: a clear or complete set of business requirements cannot be obtained upfront because of the uncertainty of the business environment. Further, key business stakeholders may not be able to determine or articulate business requirements and priorities clearly. Enterprise strategist Mark Schwartz discusses this in his book The Art of Business Value: “business value may not be obvious, it must be discovered”. Interestingly, he also notes: “It is not just discovering or interpreting what the business values. It is also to help the business determine what it values”. I believe he is referring here to a bottom-up approach in which business value emerges rather than being specified in advance. I often witness ambiguity and controversy over agreeing on the business value of initiatives and priorities, particularly for cybersecurity! It seems that business stakeholders need help to determine what to value in cybersecurity.
Okay, my point here is that the meaning of cybersecurity varies for different stakeholders in enterprise organizations. People's paradigms determine their views, and those paradigms are shaped by a complex mix of factors: the markets the organization operates in, the stakeholder's role in the organization, his or her interpretation of business value for the mission of the organization, and so on.
Value Stream Mapping is a DevOps technique, originating in the Lean movement, used to analyze the activities in the delivery of a product or service. In short, the exercise brings key stakeholders together, visualizes all core activities, and looks for inefficiencies and improvement opportunities, all with the aim of building a shared understanding, a common ground, to make sure that what everyone is doing adds value towards the goals of the organization. Dr. Mik Kersten, the creator of the Flow Framework for value stream management, categorizes the demands coming from different stakeholders as flow items: features, defects, risks, and debts. With some inspiration from his work, I defined four cybersecurity traits that contribute to business value:
Cybersecurity could manifest as a feature that delivers business functionality: a business differentiator, a competitive advantage, possibly revenue-generating. It is visible to the customer as they pull value. Imagine the security features of an online banking service.
It could manifest as a quality factor for reliability. It is non-functional and has perhaps no direct or visible business value, but its absence might disrupt the customer experience and undermine value realization. The security attributes of online shopping or social media services are examples.
It could manifest as a compliance requirement: regulation or legislation imposed by an authority. For example, PCI DSS, GDPR, or simply the organization's own security policies.
It could be just a risk-reducing initiative: reducing the possibility of something bad happening. This involves the complex calculation of impact and likelihood. Would you take your chances? Who are the adversaries? How likely are attacks? Are the countermeasures effective? And so on.
Dr. Kersten suggests that product value streams should have a healthy and dynamic mix of flow items for the delivery of business value. Similarly, Mr. Schwartz writes of business value in his book: “this is not a single plan of activities, but rather a set of indicators that will add up to the desired goal; perhaps some revenue generation, some customer satisfaction, some risk management, some brand building”. This is a great anchor for cybersecurity, as we need a balanced contribution from each of the cybersecurity traits.
I believe that categorizing cybersecurity services according to this model could help stakeholder communication, improve the understanding of cybersecurity, and support decision making for cybersecurity initiatives within product value streams. I accept that any particular cybersecurity service can be linked to any or all of these traits, though I tend to pick the predominant trait to represent each cybersecurity service in the product value stream.
A common cybersecurity services taxonomy across the organization would provide the required abstraction layer, encapsulating the downstream technologies, tools, processes, and team activities. Hence, security initiatives can also emerge bottom-up in uncertain business environments, be presented to all with shared meanings (feature/quality/risk/compliance), and stakeholders at all levels can be aligned towards the business goals of the organization.
P.S. For those interested, I also worked on a Reference Model for the taxonomy of cybersecurity services here.