‘Demonstrating Business Value’: Communicating Cyber Security ROI

Business Comm. Takes On New Form With Security

Add bookmark

Dan Gunderman

Those familiar with business concepts have long been exposed to “ROI,” or “return on investment.” Quite simply, it’s the benefit of an investment divided by the cost of the investment. In cyber security, however, the figure is not so clear-cut.

The space, once considered “fledgling” and/or siloed and perhaps secondary, has now risen to prominence in the enterprise, as security teams ward off potent threats on a daily basis. Resource-constrained teams are monitoring the network, orchestrating incident response and communicating security posture to the board and upper management.

In the process, Chief Information Security Officers (CISO) and the like are forced to translate technical detail to a “business” language of dollars and cents. The message, in its entirety, could fall upon deaf ears, however, meaning stagnant security spend or a focus in rather fringe areas.

There are certainly a number of moving parts within the security question – especially as threats morph around the clock. For other areas of the business, ROI is communicated clearly and efficiently – to find a percentage or ratio of the investment gain. When cyber security comes into play, practitioners are forced to elaborate on risk mitigation and a lack of threats as the real, distinguishable ROI. It’s a new format that’s assimilating into the enterprise, yet it remains an immense challenge. Quantifying cyber spend, and thus the risk mitigation behind it, is a complex “equation.”

See Related: Collaboration & Motivation: Cyber Security Exec Shares Helpful Tips

‘Cost Of Doing Business’

In a recent piece for CMS Wire, Norman Marks, CPA, CRMA, business “evangelist” and author of “World-Class Risk Management,” stated: “Top management and the board should have serious conversations that focus not only on acceptable losses, but also on what investors and regulators might consider a reasonable level of cyber defense, detection and response. Any definition of ‘risk appetite’ should probably be based on the likelihood of a serious breach, rather than on the amount of loss.”

Marks also added that if you have multiple vulnerabilities, the possibility of a breach remains high until all (or most) of them have been remediated. In discussing point solutions to cover certain areas while other “windows” remain open or “door locks” remain dysfunctional, Marks said: “I remain unconvinced the ROI on cyber is really as high as it may seem at first glance. Rather, I am starting to think that at some point it is better to consider cyber risk a ‘cost of doing business.’”

Alignment With Business Goals

Glenda Lopez, Director, Global Risk and Compliance, The Henry M. Jackson Foundation for the Advancement of Military Medicine, told the Cyber Security Hub that “security initiatives can be very costly to any organization as technology solutions constantly evolve and quickly become outdated.”

Lopez suggested that due to the average cost of a data breach ($4 million), coupled with irreversible reputational damage, it becomes a simple decision to implement proper controls.

Furthermore, as is the case with much of cyber security, this effort – in effectively communicating ROI and upside – is enabled with a strong security culture. Lopez said that starts from the top down.

See Related: Threat Intel Tools Take Enterprises Away From 'Reactive' Posture

“Everyone in the organization needs to be aware about the risks associated with data loss and exposure and how security is an essential component to the success of the business,” she said. “It is important to quantify by placing value on our security investments and show how that aligns to the business goals.”

For enterprises attempting to raise their security posture and embrace this revitalized dialogue around ROI in information security, Lopez recommended utilizing “Quantifying Value of Information Security,” from the SANS Institute. She called it “a great guide for organizations to begin establishing a quantitative risk management valuation process.”

As posture and resiliency improve, there are certain tips practitioners can draw upon for effective presentation. Lopez said, “It is important to provide the visual data to support your security investment requests. You want to demonstrate the business value of security initiatives by presenting the risks (i.e., business risks, market risks, emerging risks), the value of those risks to the business, the probability of an incident and the cost associated with an incident occurring.”

With a security culture in place, it becomes easier to demonstrate the criticality of implementing strong security measures, she stated. So, while communicating ROI and risk to the wider business can certainly be a challenge within the highly specialized area of cyber security, there are effective ways to do so, and thus augment the entire business.

Be Sure To Check Out: Leading Cyber Security Execs Describe CISO 'Toolkits'