Calculating Return on Investment (ROI) for a cybersecurity budget is complex. Knowing the risk of possible breaches or hacks and how much should be invested to lower the risk - and future risk - is a difficult ask. At times, making these budgeting decisions feels like buying into an insurance policy, investing in more technology in the event that something bad happens, if it happens at all.
[Translate, communicate, and track a cybersecurity program that is tailored to your organization's best practices, framewroks, and standards with CyberStrong]
Across all industries, a major challenge for security stakeholders is calculating and communicating ROI on cybersecurity investment to their non-security peers or management. CISOs, CIOs and CSOs have to answer difficult questions regarding ROI on cyber. The notion of security in general is a vague topic, as hacks always seem to occur. Enterprises within just the last few months have experienced breaches, and management most likely cracked down on what they were spending their cybersecurity budget on and why.
Security executives have to communicate the importance of cybersecurity investment in terms that show an effect the bottom line. Questions like what is the appropriate amount of financing for cyber?, how secure is secure enough?, and how does the business approach becoming secure in the first place? are common. Organizations increased their infosec budgets by 24% in 2016, but security leaders still have to justify their cybersecurity spend to upper management every year, which can be difficult as mentioned earlier. Those bottom line minded executives have a difficult time quantifying the ROI of cyber investment into dollars.
Cybersecurity is truly about risk management and loss prevention of those assets that a company holds dear. Any investment into cybersecurity needs to demonstrate to the business that it's focused on positively effecting the bottom line, and defending the company's highest value assets. Look into what assets are the most valuable, and what assets of those are being targeted by threats. This information dan indicate areas to invest more cybersecurity-related capital, and what technologies to deploy.
Kapersky Lab says that the amount of financial loss suffered by SMEs averages at $38,000 i the event of a breach. Looking at other companies in your industry and showing management the breaches that occured, how it effected their assets and how much the breach cost the company financially will help convince them of the importance of security investment.
Ultimately, the idea of translating security risk and investment potential to non-security executives is a good one. Not only does it increase the chances of obtaining a more precise and agreed-apon cybersecurity investment, but it also allows for information sharing and a deeper understanding of the threat landscape and what that means for the company for those who wouldn't otherwise know it. As we move towards running cybersecurity as a business function, and towards proactivity in our organizations, getting more stakeholders involved in the process can allow companies to scale their security departments, budgets, and decrease their cybersecurity risk.