Gartner projects that spending on information security and risk management products and services will grow 11.3% to reach more than $188.3 billion this year. But despite those expenditures, there have already been at least 13 major data breaches this year, including at Apple, Meta and Twitter.

To better focus security spend, some chief information security officers (CISOs) are shifting their risk assessments from IT systems to the data, applications, and processes that keep the business going.

“If you look at security from a purely technical perspective, it’s easy to get lost in, ‘I need to have this shiny object because everyone else has it,’” says David Christensen, VP and CISO at benefits administration software provider PlanSource. “The reality is often the most popular or well-known new security solution can waste money and slow the business, especially if it doesn’t align with business goals. And even if it helps secure one part of the business, it may not be the part of the business or business process that creates the most risk or is most important.”

Don Pecha, CISO at managed services provider FNTS, agrees, adding: “Each business unit of the company might have unique considerations, and unique compliance, regulatory, or privacy applications, and each business may have unique risks for the board or C-suite to consider.”

Frank Kim, CISO-in-residence at venture capital firm YL Ventures and fellow at the SANS Institute, cites the case of one CISO who was fired after proposing costly endpoint detection and response and incident response programs that were not considered stage-appropriate for a startup. “Their focus was on survival and revenue growth,” Kim says.
“He didn’t realize his job was not just to suggest a bunch of new security capabilities, but business enablement.”

A new definition of value

Aligning security with the business goes beyond traditional methods of justifying security spend, such as warning of the consequences of hacks or trying to prove ROI. For internal enterprise security teams, Kim says to accept that security is a cost center and to demonstrate how the CISO manages total cost of ownership over time. This might include updating CFOs and CEOs on specific cost reductions, such as reducing spend with a security vendor, finding a less expensive product to fill a security need, or improving internal metrics such as the average cost to mitigate a vulnerability, adds Tyson Kopczynski, SVP and CISO at financial services provider Oportun.

Christensen further suggests explaining how security can cut costs or increase productivity. For example, he says, web application firewalls don’t only protect applications; they also cut networking costs by blocking spurious and malicious traffic. Likewise, adopting a zero-trust architecture and secure access service edge (SASE) technologies can boost productivity by freeing users from manually connecting to virtual private networks (VPNs) to reach resources, or from interrupting meetings when their VPN fails.

Kopczynski adds that CISOs can uncover such improvements by asking whether their organization is using all the functions in a security tool, whether those features overlap with other tools, and whether the organization is paying too much for licenses or for too many licenses. Ways to maximize value include considering tools that perform multiple security functions, or running penetration tests, attack simulations, or offensive security campaigns that prove a tool can repel high-impact attacks, he says.
For example, he uses the Titaniam encryption engine to support several data protection use cases, as well as security tools provided by cloud providers such as Amazon and Microsoft. “We also look at generic cloud security solutions that provide multiple sets of protections, versus addressing one particular use case,” he says.

At global marketing agency and consulting firm The Channel Company, security considerations are deeply embedded in business strategy and budgeting, says CIO Rik Wright. This ranges from the need to meet the European Union’s GDPR to complying with security requirements from customers.

Averting threats is also part of the security value equation at the firm, which uses managed services provider GreenPages both for infrastructure and to help meet its security needs. Wright says he’s seen some companies spend potentially business-threatening amounts, up to $20 million, after a ransomware attack, so preventing such losses, he says, represents very real value.

Understanding business needs

Aligning security spend with business needs starts with understanding what is most important to business managers.

Kim recommends using a “risk = impact x likelihood” formula and rating, on a scale of 1 to 10, how important each of your processes and assets is. “Your financial data might be a 10 but your HR data might be a seven as it’s not a business differentiator,” he says. “Just using a simple scoring rubric to your risk calculation helps to bubble up what the priorities are.”

Besides business managers, Christensen says CISOs must also consult IT to understand the administrative burden a new security technology might impose, and all the areas in which a security tool could be used, to maximize its value.
He uses the Secure Web Gateway from dope.security not only to control access, but to understand what information and websites users are accessing, and the potential risks they expose the business to.

Industry-standard frameworks, such as the NIST (National Institute of Standards and Technology) Cybersecurity Framework, can also provide a common language and structure for risk assessment. “It’s simple enough that it’s not necessary to be a security practitioner to understand it, but it models your maturity and helps to relate that to business stakeholders,” says Christensen, adding that it’s also based on industry standards rather than the CISO’s opinions, and is continually updated to reflect new risks.

Different security frameworks are best for different industries, says Pecha. “If I’m in government, I’m going to align with NIST,” he says. “If you’re a global business, use the ISO/IEC 27000 family of standards. It’s not necessary to be certified, but be compliant and understand what the controls are in order to understand your partner’s security needs as well as your own.”

Scott Reynolds, senior security and network engineering manager for manufacturer Johns Manville, uses the ISA/IEC 62443 standard to create a common understanding between business managers, security experts and suppliers about common terms such as the “zones” of assets that share common security needs. “This process also shows we agree on the same level of risk for the entire zone, and not just each asset in the zone,” he says.
“The weakest link in the zone will impact all the assets within it.”

Over at media creation and editing technology provider Avid Technology, Dmitriy Sokolovskiy, its CISO and CSO, uses NIST’s Cybersecurity Framework to measure the maturity of his security processes, and the Center for Internet Security’s top security controls for specific tactical guidance, which, he says, highlight low-hanging fruit that businesses can easily address in their infrastructure.

Applying caution with benchmarks

Several CISOs were skeptical about using benchmarks to compare their security spend with others’. That’s because, they say, companies may define security spend differently or have different needs. They also say benchmarks often don’t describe how and why organizations allocate their security budgets. As a result, they use benchmarks as a rough guide to budgeting, relying primarily on their own risk assessments.

But Kim warns CISOs against refusing C-level requests for benchmarking. “It’s not unreasonable to ask for a benchmark,” he says. “A chief financial officer couldn’t say, ‘We can’t compare our earnings-per-share with others in the industry.’” Provide benchmarks, he says, but as one part of a wider explanation of how your security spend compares with others, the challenges the organization faces, and how you’re reducing the total cost of ownership of security over time.

“CISOs should describe current threats and attacks,” says Pecha, and supply alternatives to remediate them. It’s then up to the board and the C-suite to decide what’s acceptable and what needs to be done to manage the overall risk to the business, he says, because only they have the clout to drive change.

Insisting that a business executive formally accept a business risk, even in writing, often convinces them to agree instead to the proposed security spend.
When Sokolovskiy has insisted on such a signoff, “Without fail, so far the business unit was actually driven to lower the risk themselves because they own it,” he says.

A business-focused approach can also spur efforts by security and business teams to identify opportunities to increase efficiency and save money, says Christensen, such as by eliminating redundant systems and processes. “With business alignment, you have no choice but to find unique and innovative ways to solve problems that are generated by how the business operates,” he says.