What's Your Cybersecurity P&L?



Here is some basic 'business 101' stuff:

Organizational business units cost money and, at the same time, do something of value for the organization. A business unit stays in operation when it creates more value for the organization than it costs to run. Output beyond cost is profit; cost beyond output is loss. Every business unit leader should know their function's profit and loss, or P&L (sometimes written PnL).

Any organization's cybersecurity function is a business unit. It has a P&L. Put differently, it must have a P&L. 

What's your cybersecurity P&L? 

Almost certainly the nontechnical executive leaders in your organization know what it costs to run your cybersecurity function. That's the (financial) "loss" side. Do they know whether it shows a profit?

We've mentioned before, even recently, the need for cybersecurity leaders to develop business concepts and adapt business jargon to describe what the cybersecurity function does and is and why it costs (so much) money. 

When you develop these concepts and adapt the lingo, you're a business partner. Until then you're a cost center. What's the difference? Business partners contribute value (the 'P' part) to the organization and get a chance to build up. Cost centers get reduced -- i.e. outsourced -- to save money.

It can be disorienting for highly skilled technical professionals to move into operational leadership because of all that icky people stuff. It turns out that you're now someone's boss, not their buddy. And if your organization doesn't understand that it should promote on leadership talent rather than technical skill, it's setting you up for failure.

Part of that 'leadership talent' is understanding your group's P&L. 

Then, moving up from operational leadership to business leadership is a significant turning point in anyone's career. In cybersecurity, this means you move from leading the technical function to being a trusted advisor to nontechnical leaders and the Board. At that point it's all about converging on return on investment -- even in cybersecurity.

You might not want to do that, and that's OK. Just be clear about your direction and the expectations of your own leaders. Also, adjust your expectations, polish up that résumé, and be ready: when you apply for new jobs, they will ask about your accomplishments at your current job. They will want to hear, in other words, about your P&L.

Ask us how you can start developing a cybersecurity P&L.
