Question: How do I demonstrate the ROI of my security program?
Neal Bridges, CISO at Query.AI: When demonstrating the ROI of security programs, there are three things security teams must do.
The first is to change the perception of security’s role as the “office of NO.” Security programs need to embrace that their role is to ENABLE the business to take RISKS, and not to eliminate risks. For example, if a company needs to set up operations in a high-risk country, with risky cyber laws or operators, the knee-jerk reaction of most security teams is to say “no.” In reality, the job of the security team is to enable the company to take that risk by building sound security programs that can identify, detect, and respond to cybersecurity threats. When company leaders see security teams trying to help them achieve their business goals, they are better able to see the value of a strong cybersecurity program.
Similarly, cybersecurity teams must understand their company’s business goals and align security initiatives accordingly. Too many security teams try to push their security initiatives as priorities for the business, when, in fact, those initiatives may be business negatives. For example, let’s say the business objective is to increase manufacturing on a line running end-of-life operating software. Some security professionals would increase security controls in an attempt to prevent downtime associated with an attack. But this approach doesn’t increase productivity - in fact, it might have the opposite effect and reduce manufacturing efficacy.
Rather, security teams need to take a step back and evaluate HOW they can put a security strategy in place that does increase productivity on the manufacturing line. A more business-centric approach would be doing things like building better identification and response measures to support business resilience objectives, increasing the fidelity of the alerting to the devices isolating the manufacturing environment, and running more frequent incident response or crisis action exercises to prepare for a manufacturing cyberattack. Understanding what the CEO and CFO find to be the biggest business drivers and aligning your cybersecurity strategies to those drivers will ultimately correlate to a perception that cyber is tied to profitable business objectives, thus increasing the ROI of cyber expenditure.
Last but not least, cyber teams must figure out how to report on their metrics in a way that business leaders can understand. An example of this is a security team reporting on how many cyberattacks the company has seen stemming from a risky country they do business in. If a business is profitable, the executive team may not see an immediate impact from the potentially thousands of cyberattacks they’re reporting on. However, if the security team slightly evolves their metrics to demonstrate how much time was spent responding to phishing in that particular region, how many laptops they had to reimage because of USB malware every month, or the amount of downtime a production line had because of an end-of-life operating system, they can directly tie these cybersecurity issues to lost revenue in risky situations. And this knowledge is what business leaders need to better understand security risks, their potential impact on the business, and security’s role in keeping the organization safe.