How to Communicate Cybersecurity ROI
Communicating with the board is often a challenge for CISOs. How can they improve communication and justify more investment in cybersecurity?
The World Economic Forum declared cyberattacks are the second most common risk for companies in this decade. However, as companies adopt new technologies and revamp their old processes to take part in the digital transformation, advocating for more cybersecurity investment in your larger organization is not an easy task.
First, it is difficult to explain how certain technical risks could impact the business of companies. For example: “Is this one vulnerability enough to disrupt the activities of the entire organization?” A lot of board executives have the inclination of making a one-time big investment into a cybersecurity program, thinking this will have them covered for years. When in reality, cybersecurity is a constant battle against threat actors, and alongside digitalization, demands a consistent budget commitment.
Second, it is also a challenge to measure the level of cybersecurity of one’s organization in a quantitative manner. CISOs are responsible to demonstrate to the board of directors of their company the effective Return on Investment (ROI) of the cybersecurity solutions they want to implement. How can they prove they are correctly allocating the company’s resources, minimizing real risks to the organization, and enabling business objectives?
Those are tough questions to answer. Two weeks away from the Global Cyber Conference (GCC), we have gathered the insights of leading industry experts and conference speakers to shed some light on this topic.
Table of Contents
Contextualize ROI in your company
Bart Kulach is the Chief Information Officer at NN Life and Pensions Turkey. His main advice is to make sure that you explain business risks and mitigation strategies in terms your board of directors will understand, ensuring that all parties are aligned. According to him, “security, just like infrastructure or any technology investments, should always be linked to specific business goals or benefits.”
From a business perspective, numbers are great. But it’s important to note that just adding some key performance indicators (KPIs) that prove effective cybersecurity control monitoring (such as Patching Cadence, Mean Time to Detect, or Mean Time to Resolve) might not instantly make a lot of sense to boards that are not yet used to cybersecurity.
Kulach’s preferred method when it comes to discussing security-related expenditure with business stakeholders is “to show a concrete amount of potential losses that can be avoided if we invest properly in specific security initiatives,” he says, “or by presenting non-financial benefits like increased reliability, availability…”
Brett Conlon, the CISO at American Century Investments, agrees with Kulach in the sense that security needs to talk in the same language as a business. “Good security is good for the bottom line and the management needs to understand that,” he says. “Talking about vulnerability management isn’t relatable but discussing security and its competitive advantage is the right approach.”
Talk business & use a case study
How much budget should be allocated to security? In this CyberInsights blog, our partner DCG suggests that it is advisable to allocate around 20 percent of the overall IT budget to cybersecurity. However, since the amount of damage of a cyber attack always depends on multiple variables, they suggest the best way to calculate the ROI of cybersecurity might be to present a case study:
“Consider a company that has become victim of a ransomware attack and is expected to pay the extortionists around $4 million to regain access to frozen data and systems. If this company had opted for a continuous vulnerability service of 20,000 to 30,000 euros per year in advance and proactively closed existing vulnerabilities, it is very likely that the attack would not have occurred. Here, the return on investment is clear: The $4 million ransom is offset by IT security costs in the low five-figure range.”
While this is an extreme scenario, it is also one that occurs frequently across companies. A concrete example like this might be just what you need to talk in the same language as a business.
Understand your company’s risk appetite
While every company’s board is different, they all expect a certain level of understanding of what managing a company entails: taking controlled risks by leveraging resources to where they have the biggest impact. But one of the most common mistakes security professionals make, according to Linus Plum, the CISO of Software AG, is that they go too far, wanting to fully mitigate or avoid all risks.
According to Plum, understanding the company’s risk appetite is crucial. “If you tailor your reporting and communication with regards to impact on company risk, cost, and revenue, you’re off to a good start,” he says. “If you need a decision or board enablement it should be clear what options are available, and what is the cost/benefit trade-off of each option not only for your security team but the whole company and how will you measure success.”
Four pillars of ROI
Finally, whenever addressing your stakeholders about cybersecurity’s ROI, keep it simple. This is the list of the four pillars of ROI that Sascha Maier, Group CISO of the SV Group, often refers back to:
- This investment will save us money by reducing ongoing costs
- This investment will help us meet contractual obligations or industry or government regulations
- This investment will reduce our business risks (by reducing probability, impact, or both)
- This investment will enable us to take advantage of new business opportunities
Join the discussion
If you are interested in further insights about cybersecurity ROI, we invite you to join the Global Cyber Conference and connect personally with the security experts featured in this article,
Follow these links to check the conference agenda and the full speaker lineup.