Historically, security was seen as a cost center for businesses. But as breach costs have risen, so have security budgets – and the importance of security overall. In many mature security programs, experienced CISOs have learned how to make the case for the ROI that their efforts bring.
But now that COVID-19 has turned everything we know on its ear, what is security's place in this new business environment? Last week we looked at which security roles would survive an economic downturn (and received mixed responses). Then we wondered: If security roles are in jeopardy, how can professionals make the case to be kept on the payroll?
Here are five strategies for security pros to prove their worth during trying times.
Many business analysts predict the shift to work-from-home arrangements is the beginning of a new normal where more companies embrace increasing levels of remote work. What better way for security to prove its worth than to demonstrate its ability to enable these new demands?
"A simple example of a new KPI would be 'return on risk mitigation,'" says Hilario Itriago, director of Cytrust. "[Show] business readiness to move into new online channels and products thanks to infosec solutions properly in place to avoid compromise by external attacks to any part of the organization. Securing such strategic implementation protects growth revenue and shareholder value like never before. Such perspective changes the conversation entirely for infosec and makes them part of a completely new business environment."
Now that you're working in a completely new business environment, start sharing examples of what you are doing now to successfully mitigate threats and enable productivity amid this change, says Todd Weber, CTO of Optiv Security.
"It's not enough to just claim indispensability; you have to prove it," he says. "And the only way to prove it is through hard metrics that provide indisputable evidence that you are helping the business in a measurable way. Depending on the role of the person, these metrics could include things like number and time to resolve on remote users configured, or MFA tokens deployed, or cases resolved for remote workers. And then tie these metrics to business outcomes – the primary one being that you've simultaneously made workers more productive and more secure, which translates into reducing enterprise risk while increasing enterprise efficiency."
With attack rates sky-high, proving security's worth is a matter of math and reference to the latest headlines, says Yaniv Bar-Dayan, CEO of Vulcan Cyber.
"The US and UK both have reported a substantial spike in COVID-19-related fraud activity, which of course increases the chance of a breach or an attack to occur," he says. "Remember, it only takes one person to accidentally click on a COVID-19-related phishing email. X% more attackers/attacks per company with Y% less staff to deal with them equals Z% greater chance of a breach or a successful attack. Add the costs and risks that come with the rapid transition to remote working, and hopefully the worth of security staff becomes self-evident. However you slice or dice it, firing or laying off security during the pandemic is not supported by the math. It also lacks common sense."
When business leaders understand how security's time is spent and how it relates to the threats organizations face, value becomes more obvious, says David Stuart, senior director at social media security firm ZeroFOX.
"Show how your work is mission-critical to your business," he says. "Further, tying activity time to and showing how it aligns with the top risks facing the business, based on an understanding of the threat landscape in which the organization operates, will begin to show worth by allowing easy analysis of the cost-risk trade-off. Ask: By not doing these activities, would we not have averted threats that we've faced and surmounted?"
Educating executive management about current external threats with real-world examples can be a powerful way to drive home the message about the importance of security right now, says Grant McCracken, senior director, program and security operations at Bugcrowd.
"Providing demos and stressing the potential implications to leadership on critical vulnerabilities that have been identified can be a highly powerful tool in substantiating the essentialness of security programs and their role in keeping users and the organization secure," he says. "Proving one's worth in security has less to do with a few specific values and more to do with awareness as a whole. You wouldn't question the essential nature of a TSA agent because you've got an idea of what could happen if they weren't there."
Joan Goodchild is a veteran journalist, editor, and writer who has been covering security for more than a decade. She has written for several publications and previously served as editor-in-chief for CSO Online.