According to Chad Spoden, a senior security analyst at FRSecure, CISOs can take the use of a framework a step further and assign values to certain risks.
"If we use a simple formula of 'one control meet equals one point,' we could simply ask a series of questions," he says. "For every question you are meeting the framework's suggestion, you add one point. If you are not meeting the suggestion, you add zero points. In the end, we would have a numerical score to help paint our security posture."
However, he notes, the formula will vary from business to business – and is still not a panacea.
"The reality is it's a little more difficult than simply adding up ones and zeros," he says. "Some risks are more impactful than others, so there could be a weight added to the control."
How Much Do You Stand to Lose?
It's not a new concept, but the one calculation everyone should attempt to make when making budget decisions is to determine how much the organization can stand to lose. Start with assessing the risk to critical data and infrastructure, and measure costs in loss of business and/or customers if any of those assets were stolen or taken down for a period of time.
"For instance, how much would you lose – a day or hour – if your website is down?" asks Corey Nachreiner, CTO of WatchGuard. "If you are an e-commerce company, this number could be very large, but if you are a building contractor, you may be fine for a couple days without your site. Your risk depends on your specific organization."
Another component you can use to calculate potential loss is industry regulation fines. Healthcare companies, for example, need to comply with HIPAA. Retailers need to worry about PCI. Specific fines can help guide you toward the ultimate cost of a breach. Unfortunately, it is also a difficult conversation to have, notes HackerOne's Zander.
"Walking into a meeting with your fellow executives stating, 'If we get a breach, we'll lose $23 million and 40% of our customers' isn't a great way to ask for money," he says. "What it does give you is a starting point to talk about mitigation."
Hopefully after that, you'll have some solid information to offer executives about how you calculate your security budget needs. But it bears reminding: figuring out how much you require is still more art than science.
"There is no clear-cut number CISOs or security programs should be spending on their efforts," FRSecure's Spoden says. "The amount should be based on what controls the organization finds most important, where they fall short on those controls, and which adjustments can make the biggest impact for the lowest cost. As long as you do that, you'll be spending smartly."
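The control-scoring idea Spoden describes (one point per control met, then weights for the more impactful controls) and his closing advice (fix the shortfalls that give the biggest impact for the lowest cost) can be turned into a small, repeatable calculation. The following is an added example and is not code from the article or from FRSecure; the control names, weights, remediation costs and the greedy budget-allocation heuristic are all constructed assumptions for illustration.

```python
"""Weighted control scoring and gap prioritization (added example, constructed data)."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Control:
    name: str                # hypothetical control label (constructed)
    weight: int              # relative impact; 1 = the plain "one control met = one point"
    met: bool                # does the organization currently meet the framework suggestion?
    remediation_cost: float  # constructed estimate, in currency units, to close the gap


# Constructed sample assessment; names, weights and costs are illustrative only.
SAMPLE_CONTROLS = [
    Control("MFA on remote access", weight=5, met=False, remediation_cost=20_000),
    Control("Offline backups tested", weight=4, met=True, remediation_cost=0),
    Control("Patch SLA for internet-facing systems", weight=4, met=False, remediation_cost=15_000),
    Control("Security awareness training", weight=1, met=False, remediation_cost=5_000),
    Control("Asset inventory maintained", weight=2, met=True, remediation_cost=0),
    Control("Centralized log retention", weight=3, met=False, remediation_cost=45_000),
]


def unweighted_score(controls):
    """Spoden's simple formula: one point per control met, zero otherwise."""
    return sum(1 for c in controls if c.met)


def weighted_score(controls):
    """Weighted variant: each met control contributes its weight. Returns (earned, possible)."""
    earned = sum(c.weight for c in controls if c.met)
    possible = sum(c.weight for c in controls)
    return earned, possible


def posture_percent(controls):
    """Weighted score expressed as a percentage of the maximum achievable, one decimal."""
    earned, possible = weighted_score(controls)
    return round(100 * earned / possible, 1) if possible else 0.0


def prioritize_gaps(controls):
    """Rank unmet controls by impact regained per unit of remediation cost, highest first.
    A zero-cost gap is treated as infinitely attractive (fix it immediately)."""
    gaps = [c for c in controls if not c.met]
    return sorted(
        gaps,
        key=lambda c: c.weight / c.remediation_cost if c.remediation_cost else float("inf"),
        reverse=True,
    )


def plan_within_budget(controls, budget):
    """Greedy selection (an assumed heuristic, not an optimal knapsack solution):
    take gaps in impact-per-cost order while they fit the remaining budget.
    Returns (chosen controls, budget left over)."""
    chosen, remaining = [], budget
    for c in prioritize_gaps(controls):
        if c.remediation_cost <= remaining:
            chosen.append(c)
            remaining -= c.remediation_cost
    return chosen, remaining


def projected_posture(controls, chosen):
    """Posture percentage if every control in `chosen` were remediated (marked as met)."""
    closing = {c.name for c in chosen}
    after = [replace(c, met=True) if c.name in closing else c for c in controls]
    return posture_percent(after)


if __name__ == "__main__":
    print("unweighted score:", unweighted_score(SAMPLE_CONTROLS))
    print("weighted score:", weighted_score(SAMPLE_CONTROLS), "posture %:", posture_percent(SAMPLE_CONTROLS))
    chosen, left = plan_within_budget(SAMPLE_CONTROLS, 40_000)
    print("spend first on:", [c.name for c in chosen], "left:", left)
    print("projected posture %:", projected_posture(SAMPLE_CONTROLS, chosen))
```

The unweighted and weighted scores are both reported so the two views can be compared: with the sample data the organization meets two of six controls, but because the unmet ones carry the larger weights the weighted posture is lower than the headcount alone suggests. The per-cost ranking is what answers the "biggest impact for the lowest cost" question; the budget planner is a simple greedy pass and can miss a better combination when costs are lumpy, so treat its output as a starting point for the conversation rather than a final plan.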