The Business Case for Cybersecurity Performance Management in Financial Services

According to the 2022 Verizon Data Breach Investigation Report (DBIR), data breaches caused by ransomware has almost quintupled, rising from 5% to over 25%. Additionally, the cost of data breaches has risen drastically in recent years. In 2021, the cost of a data breach has risen to $4.24 million on average, an increase of over 10% according to IBM. Risk is not a foreign concept for anyone in the financial industry, but in recent years cybersecurity risk has become a preeminent priority among financial service companies. Increased regulatory scrutiny and the steadfast presence of online banking has forced the industry to prioritize cyber security as a central pillar of its business calculus. In a hearing of the House Financial Services Committee with the CEOs of the top 6 U.S. banks, four executives reiterated that cyber security is their top priority. With how heavily data breaches can harm a banks reputation, and how important consumer trust is in banking decisions, it’s no surprise that the risk demands their utmost attention.

Risk is a natural extension of providing financial services to customers. A big mistake that we often see businesses make is a misunderstanding of cybersecurity risk. Some businesses imagine cybersecurity as an immutable cost center, a black box that eats all of the budget spend you can stomach throwing into it for no perceived return on investment. This just isn’t the case; in just about every aspect that matters, cyber security risk is business risk.

This means that cybersecurity risk can be quantified, mitigated, and documented like any other business risk. It’s not easy, and the mitigations are different, but it’s an accomplishable task that should be implemented throughout the organizational structure. The answer, in this case, is cyber security performance management.

Cyber security Performance Management 

Cyber security Performance Management (CPM), simply put, is the process of managing cyber security performance by utilizing KPIs to track meaningful cyber security metrics that allow decision makers to strategically allocate budgetary resources to best mitigate cyber security risk. At present, businesses are dumping endless amounts of resources into the latest tools and software suites without considering the realistic return on their investment. CPM relies on visibility into continuous performance against goals along with measures of consistency to create tremendous new understanding around risk, providing for data driven decision making that can truly improve security and curb excess spend.

This kind of insight that CPM provides revolutionizes the way that organizations manage cyber security in support of the business. Incorporating cyber security risk into existing organizational risk management processes provides a structured and healthy way to identify and manage cyber security risk. CPM and risk management then provide a cyclical system; the risk management process identifies risk, and CPM provides the tools to target specific metrics that reduce risk.

This new visibility into cyber security performance against goals along with measures of consistency and coverage creates tremendous new understanding around risk, providing for data driven decision making that can truly improve security and curb excess spend. Being able to make quantitative decisions based on real-world performance data is a powerful tool in increasing operational efficiency. This visibility allows you to effectively target your weakest performing metrics and dramatically strengthen your baseline cyber security performance without falling into the trap of ballooning cyber security budgets. Best of all, it becomes possible to see and measure the impact of cyber security improvement in real time. Being able to prove to board members, executives, and stakeholders the tangible return on their investment in security is key to getting cyber security buy-in with all stakeholders.

How you can implement CPM 

At its heart, performance management doesn’t tie you in to any specific vendor or ecosystem. It’s a process, not a product. But there are tools that greatly increase the efficacy of any performance management program, and it all comes down to automation. Automation lies at the heart of CPM. The best way to kickstart any kind of performance management program is to automate the collection, aggregation, and reporting of relevant KPIs. That’s no different with CPM, where automating the gathering of cyber security performance indicators (CPIs) is crucial in making the best strategic decisions to reduce business risk. The goal is to tie together as many of your existing security tools as you can into one convenient place where you can run analytics against past and current data. This automation can be done by creating custom tools, but it’s not always maintainable when all it takes is one or two updates to an API endpoint to break your reporting tools.