Gartner Report®: Optimize Risk, Value and Cost in Cybersecurity and Technology Risk

Cybersecurity never stops evolving, which leaves many CIOs, executives, and board members constantly wondering how many safeguards are needed to protect their organizations. All too often, cybersecurity is treated as a siloed issue that only technology experts need to worry about and that is best addressed by a “more is better” approach. This needn’t be the case. By optimizing cybersecurity risk assessment in a business context—through the lens of stakeholder needs—CIOs can create a powerful model to drive decisions related to prioritization and investments. It is particularly useful in developing and presenting cybersecurity business cases, committee reviews, funding requests, and board reporting. Risk-optimized decisions will help an organization accurately settle on how much security is enough.

As the chart above shows, the optimized risk zone suggests that higher risk is more credible and defensible when value is low. When value is high, lower risk is necessary to be credible and defensible through a stakeholder lens. Treating risk generally increases cost and the inclusion of cost also supports business decision making. By following guidelines like these, CIOs can learn to deliver maximum value for stakeholders through risk, value, and cost (RVC) optimization. Is your business prepared to make these decisions?