FEATURE
will contribute to the business, it is very
likely that the board will not invest in
cybersecurity, leaving the company open
to cyberattacks.
The future of cybersecurity in businesses
needs to change. We need to stop
talking about cybersecurity and talk
only about business risks and how
cybersecurity solutions can be used to
reduce business risk, contributing to
the success of the business.
Organisations continue to fail to
measure cybersecurity successfully,
focusing only on the threats and not on the
value of the business risk reduced.
Sometimes cybersecurity is simply too
complex. Many companies have invested
in technologies that claim to solve all the
problems. However, when it comes to
getting them working they are so complex
that proper installation takes years – and
that’s even before they get integrated into
existing cybersecurity investments.
When documentation is hundreds of
pages long and highly skilled
resources are needed to ensure it is working, it
becomes clear why the industry is short
of cybersecurity professionals.
It is especially critical not to
underestimate these costs, as they can
drastically skew calculations. In addition
to this, I would add:
Ruggero Contu, Research Director, Security Solutions Worldwide
Similar to other areas, demonstration
of ROI is often key to obtaining financing
from the IT budget allocation. However, as a
recent Gartner survey has demonstrated,
with security it is often difficult to provide
a direct correlation between economic
benefits and security investments. This
is because security aims to keep things
running as normal and to prevent, detect and
remediate incidents, so demonstrating
‘normality’ is not necessarily seen by
management as a compelling reason to
spend on security versus other areas that
can demonstrate direct economic gains.
Furthermore, security often relies on
metrics that are very technical, making
it difficult for security professionals to
communicate value to the business.
Best practice advice for CISOs
on calculating ROSI
Carolyn Crandall, Chief Deception Officer at Attivo Networks
I would suggest using various modelling
frameworks to communicate the impact.
The fundamental models could be
based upon:
1. Brand impact and revenue loss
2. Penalties/fines/increased
insurance premiums
3. Cost of incident response
4. Impact to business services and
whether this opens or closes
opportunities to provide services that
give a business advantage
5. Ongoing hygiene of the security system
– what investments need to be made
to ensure that security is working
reliably and is covering all attack surfaces
and ever-evolving attack types
This could be pen testing, but ongoing
validation tools will mitigate the need
for a ‘root canal’, which will occur if the
attacker remains undetected for lengthy
periods of time. This should factor in not
only actual damages but also the time
needed for cleaning up the network and
erasing the attacker’s footprint.
Ultimately, don’t limit ROSI simply to IT
asset management. It is also important
to factor the costs into overall digital
risk management and the impact on the
organisation’s business operations.
Issue 10 | www.intelligentciso.com