Using ROSI to Evaluate Cybersecurity Technologies
Being able to demonstrate a return on security investments is one of the biggest challenges every CISO faces as they try to keep pace with modern threats. We spoke to a number of industry experts who offer advice on how CISOs can effectively communicate with the board to ensure they are allocated sufficient budgets to stay cybersecure.
Carolyn Crandall, Chief Deception Officer at Attivo Networks shared that CFOs and CEOs would be ecstatic to see detailed and specific ROSI, especially if it could be boiled down to a dollar figure. This would streamline budget assignment and approvals as you could easily calculate a quantifiable benefit. The challenge is that security is much like insurance, you hate to spend the money on it, but are extremely grateful that you have it when needed.
Ultimately, security is more of a risk calculation. How much risk are you taking and what are the consequences if you don’t invest. Fines, insurance hikes, lost revenue, hit to brand reputation, and incident response costs can be calculated, however assigning ROSI to one device can be hard as security is a system and only one chink in the armor can bring the whole system down.
To use an American football analogy, it is like playing the game without a kicker to kick in the field goal. Security can be compared to being in the final seconds of the game, but without the kicker, you need to run the play, which can be more complex and riskier. If you have the kicker, you win, without the kicker you may not.
Is it a guarantee? No, but the odds are less favorable when you don’t have the resources best suited for the need. The concept of a kicker and security are similar, there is no silver-bullet so you need all the positions covered. If you try to shortcut it, it may be all the opponent needs to win. Game over.
Story on pages 36-39