There are three considerations for valuation of a security program:
Security effectiveness: Is it doing its job? That is, how effective is the program at security?
Business support: Is it enabling business? How well is the program aligned with business needs and performance?
Cost efficiencies: Is there a cheaper way? Are we spending too little, or too much? How do we know? What are other organizations doing?
Figuring out how to measure security effectiveness, business value, and associated spending can be difficult. Standards bodies have attempted to provide guidance, but it offers little practical utility. Traditional business quantification and valuation methods work fine when correctly applied, but they are frequently unfamiliar to security personnel. Capitalizing on the knowledge already present on the business side of the house provides two advantages: it reuses known capabilities, and it integrates communication about security efficiency and effectiveness into the business's own thinking.
A program's effectiveness is measured using security performance criteria. Identifying those criteria should begin with alignment to a performance framework (ISO/NIST) for ease of program management; without a framework of some sort we may miss important items or lose direction. It continues with identification of enhancements that improve the processes, quantified in a maturity indicator based on common practices and external performance comparisons. Simply put: how well is security doing its job? This is usually documented in the annual security audit against the selected standard. The metrics we are interested in are three-fold:
The correct identification and enumeration of security requirements, to avoid gaps.
The process performance metrics and maturity, particularly derived metrics that indicate changes in process quality.
The cost metrics, covering both process execution and support costs; these are also used to identify optimization opportunities.
Ideally, processes run at peak efficiency, providing the best results obtainable for the price we are willing to pay. Inefficient processes increase risk or waste money.
We want to be watchful for any security and privacy options that have a cost but also provide an increase in operational efficiency at a business level. These are the business enhancement opportunities and must be identified as they directly affect competition.
We identify the results we want, the quality range we can tolerate, and the price we are willing to pay. And in order to do that, we need to understand the risk security failures pose to the business.
The business production costs need to be identified, if they haven't already been used as part of normal business process management. These figures are used to analyze business risk and identify threats and actors that carry out threats. The resulting catalog of potential bad events and the magnitude of the impact tells us how much effort is justified in trying to reduce the risk. We can then identify controls that have calculable costs and match them to business processes to tell us which security controls require how much support.
It is vital that this identification process be driven by the business and not by security, because security and business may have wildly differing views on the importance of certain aspects of business processes and security needs. What security perceives as a vital process and what the business perceives as a vital security service may be completely at odds, so communication is essential. Because the identification activities align very well with annual DR/BCP planning and testing, they can be efficiently incorporated into those business processes. This ensures security (and IT) rely on business input for their protection implementation.
In most cases, the indicated controls can be broadly applied, and one justified cost for a single critical process can be used to support several business processes. A matrix is a useful tool here: the security audit matrix used for the annual assessment can be easily extended to incorporate this control-to-process relationship and link into the identified risk register for ease of use by all parties.
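The following is an added example, not part of the original article, of what such a control-to-process matrix looks like when linked to a risk register. It assumes the usual quantitative shorthand that expected annual loss is impact magnitude multiplied by annual likelihood, and uses constructed processes, events, figures and control names; the point it shows is that a control justified for one critical process accumulates benefit across every process it covers, and that processes with no covering control show up as gaps.

```python
"""Control-to-process matrix linked to a risk register (added example).

All processes, events, figures and control names below are constructed.
Assumption: expected annual loss = impact magnitude x expected occurrences
per year, the common quantitative risk formula, is the measure of how much
effort is justified in reducing a given risk.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class RiskEntry:
    process: str        # business process, named and valued by the business
    event: str          # potential bad event from the catalog
    impact: float       # magnitude of impact in currency units (constructed)
    likelihood: float   # expected occurrences per year (constructed)

    def expected_loss(self) -> float:
        return self.impact * self.likelihood


@dataclass
class Control:
    name: str
    annual_cost: float
    # fraction of a process's expected loss this control removes (constructed)
    coverage: dict[str, float] = field(default_factory=dict)


# Constructed risk register: several events may hit the same process.
REGISTER = [
    RiskEntry("Order processing", "Ransomware outage", 400_000, 0.10),
    RiskEntry("Order processing", "Payment data breach", 1_200_000, 0.02),
    RiskEntry("Payroll", "Credential theft leading to fraud", 150_000, 0.20),
    RiskEntry("Payroll", "Ransomware outage", 50_000, 0.10),
    RiskEntry("Marketing site", "Defacement", 20_000, 0.50),
    RiskEntry("Warehouse scanners", "Device theft", 30_000, 0.20),
]

# Constructed controls; one control may cover several processes.
CONTROLS = [
    Control("MFA on admin and finance access", 18_000,
            {"Order processing": 0.3, "Payroll": 0.6}),
    Control("Tested offline backups", 25_000,
            {"Order processing": 0.5, "Payroll": 0.1}),
    Control("WAF for marketing site", 15_000, {"Marketing site": 0.8}),
]


def expected_loss_by_process(register: list[RiskEntry]) -> dict[str, float]:
    """Aggregate the catalog of bad events into one expected loss per process."""
    totals: dict[str, float] = {}
    for entry in register:
        totals[entry.process] = totals.get(entry.process, 0.0) + entry.expected_loss()
    return totals


def control_benefit(control: Control, loss_by_process: dict[str, float]) -> float:
    """Expected-loss reduction summed over every process the control supports."""
    return sum(loss_by_process.get(proc, 0.0) * frac
               for proc, frac in control.coverage.items())


def build_matrix(controls: list[Control], register: list[RiskEntry]) -> dict[str, dict[str, float | None]]:
    """Rows are controls, columns are processes; a cell holds the expected-loss
    reduction the control provides for that process, or None if it does not apply."""
    loss = expected_loss_by_process(register)
    processes = sorted(loss)
    return {
        c.name: {p: (loss[p] * c.coverage[p] if p in c.coverage else None) for p in processes}
        for c in controls
    }


def justified_controls(controls: list[Control], register: list[RiskEntry]) -> dict[str, bool]:
    """A control is justified when its aggregated benefit covers its annual cost."""
    loss = expected_loss_by_process(register)
    return {c.name: control_benefit(c, loss) >= c.annual_cost for c in controls}


def uncovered_processes(controls: list[Control], register: list[RiskEntry]) -> list[str]:
    """Processes in the register that no control covers: the gaps to raise with the business."""
    covered = {p for c in controls for p in c.coverage}
    return sorted({e.process for e in register} - covered)


if __name__ == "__main__":
    matrix = build_matrix(CONTROLS, REGISTER)
    for control_name, row in matrix.items():
        cells = ", ".join(f"{p}: {v:,.0f}" for p, v in row.items() if v is not None)
        print(f"{control_name:35s} -> {cells}")
    print("Justified:", justified_controls(CONTROLS, REGISTER))
    print("Uncovered processes:", uncovered_processes(CONTROLS, REGISTER))
```

With these constructed figures, the MFA control is not justified by either process alone but is justified once its benefit to both is summed, which is exactly the "one justified cost supports several processes" point, while the warehouse scanners appear as an uncovered process to take back to the business.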
Linking security controls to business benefit is essential for financial justification and, more importantly from our perspective, supports the concept of business driving security.
Cost effectiveness is simply knowing that what we are doing cannot be done more cost-effectively. We are interested in the prices of the materials for the activities and the associated manpower requirements, but we also need to note any associated costs and benefits. Sometimes a choice we make in security has dependencies, for example replacing Windows with Linux. The business wants to ensure it is making good purchasing choices and efficiently utilizing resources.
The first measure is simple and relates to the cost of the solution. Did we correctly identify and select the best choice, fiscally? The business has input, and the supporting technologies and personnel requirements all figure in. Resource utilization efficiency is one aspect, and personnel optimization is a quantifiable aspect, with outsourcing being the most basic form of cost optimization. However, technical operational improvements that reduce manpower needs overall are superior, and this is where big gains can be made simply by selecting more efficient modern technology over legacy tech debt.
The second set of cost metrics is more difficult because it requires us to measure implementation success and examine accountability. This means using a project review process, typically reserved for critical projects and large purchases, to identify mistakes that manifest after the purchase. Implementation difficulties and rising project costs may indicate a mistake was made in the pre-purchase phases of vendor selection or requirements identification. If you hear the expression "shift-left", it refers to process controls that attempt to ensure any mistake is identified early in that process and does not manifest during implementation or, worse, operations, when it is far more costly to repair.
Where is the Business Value?
All too frequently in security audits, the process or personnel are weak and fail to provide business performance input. We settle for a satisfactory report and generic improvement suggestions to minimize the work and get on with "more important" things. This is a disservice to the business. As outlined above, audits and reviews are an opportunity to use time spent on compliance to provide additional value through inspection of business alignment. Any security audit that applies the above criteria can provide business value exceeding the cost of the audit itself. If you are spending money on security certifications or audits, be sure to get your money's worth.