
Translating Security ROI to Non-Security Management


Calculating Return on Investment (ROI) for a cybersecurity budget is hard. Estimating the risk of a breach, how much should be spent to reduce that risk now, and how much to reduce future risk, is a difficult ask. At times these budgeting decisions feel like buying an insurance policy: spending on more technology against the chance that something bad happens, if it happens at all.


Across all industries, a major challenge for security stakeholders is calculating and communicating the ROI of cybersecurity investment to non-security peers and management. CISOs, CIOs and CSOs have to answer difficult questions about the return on cyber spend. Security in general is an unsatisfying topic for executives because breaches keep happening regardless of spend. Enterprises have suffered breaches within just the last few months, and in each case management most likely demanded to know what the cybersecurity budget was being spent on, and why.

Security executives have to communicate the importance of cybersecurity investment in terms that show an effect on the bottom line. Questions such as "what is the appropriate amount of financing for cyber?", "how secure is secure enough?", and "how does the business approach becoming secure in the first place?" are common. Organizations increased their infosec budgets by 24% in 2016, but security leaders still have to justify their cybersecurity spend to upper management every year, which, as noted above, can be difficult. Executives who think in bottom-line terms struggle to quantify the ROI of cyber investment in dollars.

Cybersecurity is fundamentally risk management and loss prevention for the assets a company holds dear. Any investment in cybersecurity needs to demonstrate to the business that it is focused on positively affecting the bottom line and defending the company's highest-value assets. Identify which assets are the most valuable, and which of those are being targeted by threats. That information indicates where to invest more cybersecurity-related capital and which technologies to deploy.

Kaspersky Lab reports that the average financial loss suffered by SMEs in the event of a breach is $38,000. Looking at other companies in your industry and showing management the breaches that occurred, how they affected those companies' assets, and how much each breach cost financially will help convince them of the importance of security investment.

Ultimately, translating security risk and investment potential into terms non-security executives understand is worthwhile. Not only does it increase the chances of securing a more precise and agreed-upon cybersecurity investment, it also enables information sharing and gives those who would not otherwise know it a deeper understanding of the threat landscape and what it means for the company. As we move toward running cybersecurity as a business function and toward proactive security in our organizations, getting more stakeholders involved in the process allows companies to scale their security departments and budgets while decreasing their cybersecurity risk.

