If you don’t know, ask – if you know, share! ~ opensource mindset
by Marco Bravo
One area where security programs often struggle is demonstrating the business outcomes they have achieved for the organization. Framing each security conversation around security outcomes can gain buy-in from across the business, but how can security teams actually defend that value?
The lack of connection between traditional business performance standards and those employed by many security teams results in underfunded and undervalued capabilities that only get attention when the worst happens: a data breach.
When the spotlight is finally turned on the security program after a breach, individuals typically pay the price because business leadership assumes they were ineffective at their jobs. In fact, many breaches occur in organizations that have invested heavily in technology and people but neglected to focus on, report on, and deliver business-level outcomes.
So, today, we’re taking a step back and evaluating the categorization of 97 Detection and Response (D&R) program outcomes and 73 Attack Surface Management (ASM) outcomes that Rapid7’s User Experience (UX) research and surveying uncovered for us.
First, you might be asking what we mean by “outcome”. In short, it’s the desired result that someone must achieve in a certain period of time and can be measured by a quantifiable or qualitative value. More specifically, each outcome is structured like this:
Next, we classified all the outcomes according to three categories we feel represent the core measurements of business:
Make money, be No. 1, and minimize costs: the recipe for any successful business.
tags: business - value - security