Return on Investment
ROI is nothing new, but it still might not have made it into your Information Security department. (You might have even done your very best to keep it out.)
Nevertheless, Roger Hale, CISO-in-Residence at YL Ventures, says: "I prefer to provide metrics showing the value of the past investments, as well as where there is still risk to be addressed. Focus areas include data showing our Cyber Insurance levels, external internet risk scores, the executive summary of our annual third-party risk assessment, with agreed-upon mitigation/remediation activity, and our security program coverage map broken out by CSF categories of: Identify (or Visibility), Protection, Detection, Response and Recover. This approach provides the board with information they need to assure that the company is investing in the right areas of security and privacy and helps them to accept the residual risk."
George Wrenn, CEO of CyberSaint Security and former CSO of Schneider Electric, has a mathematical equation he uses for ROI measurement, which looks like this: (Mitigation coefficient X (Likelihood X $ Impact) - Cost of Completion) / Cost of Completion.
"The mitigation coefficient, in this case, can range, but I typically use .9 which assumes that any control or security solution mitigates 90% of negative effects. I have seen this adjusted for more conservative estimates, though. The likelihood, using NIST's methodology, is broken down into Very Low (0.1), Low (0.25), Medium (0.5), High (0.75), Very High (1.0). This equation is designed to be applied on a per control basis. The value of that is being able to see where gaps exist, and where the greatest opportunities for investment lie."
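To make the per-control use of that equation concrete, here is an added worked example (not code from the article, from Wrenn, or from CyberSaint). It scores a small portfolio of controls with the formula and the likelihood values quoted above, ranks them so the gaps and the best investment opportunities stand out, and re-scores the same portfolio at a more conservative mitigation coefficient. The control names and dollar figures are constructed for illustration; the `Control` type and helper names are this example's own.

```python
"""Per-control ROI using the equation quoted above:

    ROI = (m * (L * I) - C) / C

m: mitigation coefficient (share of negative effects the control removes, 0..1)
L: likelihood on the quoted scale (Very Low 0.1 ... Very High 1.0)
I: dollar impact of the event the control addresses
C: cost of completion (buying, deploying and operating the control)
"""
from dataclasses import dataclass, replace

# Likelihood labels and the numeric values quoted above.
LIKELIHOOD = {
    "very low": 0.1,
    "low": 0.25,
    "medium": 0.5,
    "high": 0.75,
    "very high": 1.0,
}


@dataclass(frozen=True)
class Control:
    """One control (or security solution), evaluated on its own."""
    name: str
    likelihood: str          # key of LIKELIHOOD for the event the control addresses
    impact_usd: float        # dollar impact if that event occurs uncontrolled
    cost_usd: float          # cost of completion
    mitigation: float = 0.9  # coefficient; 0.9 is the default used in the quote


def avoided_loss(c: Control) -> float:
    """Mitigation coefficient x (Likelihood x $ Impact): loss the control is expected to remove."""
    if not 0.0 <= c.mitigation <= 1.0:
        raise ValueError(f"{c.name}: mitigation coefficient must be in [0, 1]")
    return c.mitigation * (LIKELIHOOD[c.likelihood.lower()] * c.impact_usd)


def control_roi(c: Control) -> float:
    """(avoided loss - cost of completion) / cost of completion, for one control."""
    if c.cost_usd <= 0:
        # The formula divides by cost, so a zero or negative cost has no defined ROI.
        raise ValueError(f"{c.name}: cost of completion must be positive")
    return (avoided_loss(c) - c.cost_usd) / c.cost_usd


def rank_controls(controls, mitigation=None):
    """Return [(name, roi)] sorted best-first, ROI rounded to two decimals.

    If `mitigation` is given, every control is re-scored with that coefficient,
    which is the conservative sensitivity check mentioned in the quote.
    """
    scored = []
    for c in controls:
        if mitigation is not None:
            c = replace(c, mitigation=mitigation)
        scored.append((c.name, round(control_roi(c), 2)))
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed sample portfolio: hypothetical controls and figures, not from the article.
PORTFOLIO = [
    Control("MFA on remote access", "high", 2_000_000, 150_000),
    Control("EDR on all endpoints", "medium", 3_000_000, 450_000),
    Control("Physical badge upgrade", "very low", 500_000, 100_000),
]

if __name__ == "__main__":
    for name, roi in rank_controls(PORTFOLIO):
        print(f"{name:24s} ROI {roi:+.2f}")
    print("-- same portfolio at a conservative coefficient of 0.5 --")
    for name, roi in rank_controls(PORTFOLIO, mitigation=0.5):
        print(f"{name:24s} ROI {roi:+.2f}")
```

A negative ROI means the cost of completion exceeds the loss the control is expected to avoid, which is the signal to question that line item; a control that stays well above zero even at a conservative coefficient is the safer investment case to take to the board.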