Cybersecurity never stops evolving, which leaves many CIOs, executives, and board members constantly wondering how many safeguards are needed to protect their organizations. All too often, cybersecurity is treated as a siloed issue that only technology experts need to worry about and that is best addressed by a “more is better” approach. This needn’t be the case. By optimizing cybersecurity risk assessment in a business context, through the lens of stakeholder needs, CIOs can create a powerful model to drive decisions related to prioritization and investments. This model is particularly useful in developing and presenting cybersecurity business cases, committee reviews, funding requests, and board reporting. Risk-optimized decisions will help an organization accurately settle on how much security is enough.
As the chart above shows, the optimized risk zone suggests that higher risk is more credible and defensible when value is low. When value is high, lower risk is necessary to be credible and defensible through a stakeholder lens. Treating risk generally increases cost, and including cost also supports business decision making. By following guidelines like these, CIOs can learn to deliver maximum value for stakeholders through risk, value, and cost (RVC) optimization. Is your business prepared to make these decisions?
Optimize Risk, Value and Cost in Cybersecurity and Technology Risk, Paul Proctor, Refreshed 2 August 2021, Published 12 February 2020.
This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from TriCom Technical Services.