The Value Of What You Do


Several pieces in last week's The Wall Street Journal touched on the business of cybersecurity. A significant theme was that cybersecurity personnel (the term was left undefined) need to "show their worth" in the new year to keep their jobs, their programs, and so on.

We talk a lot here about exactly this: you must be able to translate your cybersecurity work into the language of business. Cybersecurity is a line of business much like manufacturing, sales, etc., and all lines of business have a profit and loss calculus. If you don't know what that calculus is for your cybersecurity team, then your job is at risk, and so perhaps is your entire function.

Think of it this way. The organization needs cybersecurity. It is a function that could be outsourced at a known rate, in which case leadership would know exactly what it was buying, and you would not be part of the purchase.

That means you need to answer two questions.

First, the language of business is net profit and functional contribution. So, what are yours?

A simplistic though accurate way to look at your or your program's functional contributions is to count events: trainings given to the organization, certificates gained by cybersecurity staff, number of intrusions identified and defeated, software threats countered, etc. Don't overlook these but remember that activity is not effectiveness.

In cybersecurity, as in intelligence work and (sometimes) law enforcement, a better metric is strategic: identification of risk vectors, coordination with partners, system upgrades, etc. These are also countable activities, but they are strategic rather than tactical.

So far so good. OK now let's talk money.

A highly simplistic but widely used metric for assessing overall organizational health is to calculate and track revenue per employee. This makes sense at a macro level: if your headcount is high, then your revenue per employee goes down. But in cybersecurity you don't sell things (though you might have a reimbursable business function, i.e. you support your cybersecurity function by selling its time to other business units). What if you created or adapted a function-per-employee approach for your line of business? Call it services per employee. Now you can tie countable activities to headcount. You could weight them by category -- support, inventorying, interventions, etc. -- and then it is a short step to costing your function.

This quickly becomes a process of identifying your cybersecurity function's core role and the activities it will take to support that role. You can track it. It is now part of the team's health and a dollar-valued metric indicating the business line's contribution to the organization.

Second question: what incremental value do you bring as an employee/manager/executive? The MBAs refer to that as your "alpha." The answer is up to you to explain.

Ask us how you can show the value of your cybersecurity work, your cybersecurity team's work, or your line of business's worth.