Being able to demonstrate ROI on security investments to the board is one of the tasks every CISO encounters. And it is not without its challenges. Intelligent CISO spoke to a number of industry experts who offer some best practice advice to CISOs about how to tackle this challenge.
Why is it important to be able to use ROSI to evaluate cybersecurity technologies?
Carolyn Crandall, Chief Deception Officer at Attivo Networks
CFOs and CEOs would be ecstatic to see detailed and specific ROSI, especially if it could be boiled down to a dollar figure. This would streamline budget assignment and approvals as you could easily calculate a quantifiable benefit. The challenge is that security is much like insurance, you hate to spend the money on it but are extremely grateful that you have it when needed.
Ultimately, security is more of a risk calculation. How much risk are you taking and what are the consequences if you don’t invest. Fines, insurance hikes, lost revenue, hit to brand reputation and incident response costs can be calculated, however assigning ROSI to one device can be hard as security is a system and only one chink in the armour can bring the whole system down.
To use an American football analogy, it is like playing the game without a kicker to kick in the field goal. Security can be compared to being in the final seconds of the game, but without the kicker, you need to run the play, which can be more complex and riskier. If you have the kicker, you win, without the kicker you may not.
Is it a guarantee? No, but the odds are less favourable when you don’t have the resources best suited for the need. The concept of a kicker and security are similar, there is no silver-bullet so you need all the positions covered. If you try to shortcut it, it may be all the opponent needs to win. Game over…