Translating Security ROI to Non-Security Management

Calculating Return on Investment (ROI) for a cybersecurity budget is complex. Knowing the risk of possible breaches or hacks, and how much should be invested to lower that risk, both now and in the future, is a difficult ask. At times, making these budgeting decisions feels like buying an insurance policy: investing in more technology in case something bad happens, if it happens at all.

Across all industries, a major challenge for security stakeholders is calculating and communicating the ROI of cybersecurity investment to their non-security peers or management. CISOs, CIOs and CSOs have to answer difficult questions about ROI on cyber. Security in general is a vague topic, as hacks always seem to occur. Enterprises within just the last few months have experienced breaches, and management has most likely cracked down on what their cybersecurity budget was being spent on and why.

Security executives have to communicate the importance of cybersecurity investment in terms that show an effect on the bottom line. Questions such as "What is the appropriate amount of financing for cyber?", "How secure is secure enough?", and "How does the business approach becoming secure in the first place?" are common. Organizations increased their infosec budgets by 24% in 2016, but security leaders still have to justify their cybersecurity spend to upper management every year, which, as mentioned earlier, can be difficult. Bottom-line-minded executives have a hard time quantifying the ROI of cyber investment in dollars.

Cybersecurity is truly about risk management and loss prevention for the assets a company holds dear. Any investment in cybersecurity needs to demonstrate to the business that it is focused on positively affecting the bottom line and defending the company's highest-value assets. Look into which assets are the most valuable, and which of those are being targeted by threats. This information can indicate where to invest more cybersecurity-related capital and which technologies to deploy.

Kaspersky Lab says that the financial loss suffered by SMEs averages $38,000 in the event of a breach. Looking at other companies in your industry and showing management the breaches that occurred, how they affected those companies' assets, and how much each breach cost financially will help convince them of the importance of security investment.

Ultimately, translating security risk and investment potential for non-security executives is a good idea. Not only does it increase the chances of obtaining a more precise and agreed-upon cybersecurity investment, but it also enables information sharing and gives those who would not otherwise know it a deeper understanding of the threat landscape and what it means for the company. As we move towards running cybersecurity as a business function, and towards proactivity in our organizations, getting more stakeholders involved in the process can allow companies to scale their security departments and budgets while decreasing their cybersecurity risk.