1. Insert ROI Into The Equation
Quantifying return on investment from security spend remains one of the long-lamented challenges in the IT security industry. Some continue to wonder how you can put a valuation on something that never happens. But that valuation does exist, says Joe Fisher, president of Affinity IT Security.
"The value of avoiding negative consequences is both real and quantifiable," Fisher says. "The ROI calculation must recognize and account for the value of avoiding the full scope of economic damages that can result from a breach."
If you need a little help, start by grabbing a newspaper and looking for public details about the consequences other companies have had to pay for past breaches.
"To help justify purchases, security departments can cite examples of data breaches and what those consequences were: regulatory penalties, decline of company reputation, job loss -- including at C-level, and identity theft leading to monetary loss," says Michelle Head, technical consultant with the security practice at Force 3.
But don't just come to the boardroom with newspaper clippings. Convert some of those public numbers into what it would translate to economically for your company should a similar asset be breached. And do some digging for other costs that may not be included in the news.
Fisher recommends that an ROI estimate should account for at least six variables: the cost associated with forensic analysis to determine the scope of the breach, the cost to remediate and re-establish a secure environment, the cost to prevent future repeats of the same attack, the legal costs of a breach, the loss of revenue due to the breach, and the potential damage to the stock price following a breach.
"The costs of each of these can be estimated and should be aggregated to form a comprehensive assessment of potential damage," Fisher says. "This can then be discounted by the likelihood of the breach occurring to arrive at a risk adjusted damage estimate."
2. Come Ready With Threats Prioritized Against Business Objectives
Simply stepping into the CEO's office and stating that there are 10,000 vulnerabilities in the company's application portfolio or that there were 22 incidents last year stemming from uneducated users doesn't necessarily get you any closer to communicating the risks.
A risk conversation that consists of a laundry list of infrastructure vulnerabilities or network threats may raise concern, but it won't educate executives well enough for them to decide which risks to accept and which to mitigate.
"The point is managing risk to business performance objectives," says Brian Barnier of ValueBridge Advisors. "Think about how many Olympic athletes wished they better avoided injuries or took a greater risk to score a point."
CEOs respond well to numbers -- but only when they're framed around what those numbers mean for business objectives and the bottom line. This framing starts with making sure that the words you're using come from a business lexicon, not a technical glossary.
"Anything really technical we tend to flub because we walk into the CEO's office and start spouting acronyms," says Mike Murray, managing partner for consulting firm MAD Security. "And we expect that person to take that and translate it to business speak in their head without realizing that it's our job to translate it for them in a way they understand."
Similarly, the numbers need to be converted into dollars-and-cents impact. This means performing a quantitative analysis of how much past threats cost the business, how likely they are to occur again, how much it will cost to prevent each of them in the future, and, given the expected budget, where the money should go first. It is also key to include the potential impact on revenue should a risk be accepted and the worst occur.
"There are simply too many issues to be fixed, and no company can address them all. What we often do not see is a prioritized list of which holes to fix based on a quantitative analysis," says Naeem Zafar, president and CEO of Bitzer Mobile. "If an IT organization can only fix three issues, they are likely to be the ones that cause the most harm or provide the best return for the organization. CIOs should play a strategic role by addressing these issues based on quantitative analysis."
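The two calculations this section and the previous one describe -- aggregate the six damage categories, discount by likelihood to get a risk-adjusted damage estimate, then rank candidate controls by ROI against a fixed budget -- fit in a few dozen lines. The following is an added worked example, not a method from the article or from any of the people quoted; every scenario figure, likelihood, control cost and effectiveness estimate is constructed for illustration, and the greedy allocation is one reasonable heuristic, not the only way to prioritize.

```python
"""Risk-adjusted damage estimates and ROI-ranked budget allocation.

Added worked example, not the article's own method. All dollar figures,
likelihoods and control effectiveness values below are constructed.
"""
from dataclasses import dataclass, replace


@dataclass
class BreachScenario:
    """One breach scenario costed across the six damage categories the text
    lists. Amounts are dollars; likelihood is the estimated probability that
    the breach occurs within the budget year."""
    name: str
    likelihood: float
    forensics: float
    remediation: float
    prevention: float
    legal: float
    lost_revenue: float
    stock_impact: float

    def total_damage(self) -> float:
        # Aggregate the six cost categories into one comprehensive damage figure.
        return (self.forensics + self.remediation + self.prevention
                + self.legal + self.lost_revenue + self.stock_impact)

    def risk_adjusted_damage(self) -> float:
        # Discount the full damage by the likelihood of the breach occurring.
        return self.likelihood * self.total_damage()


@dataclass
class Control:
    """A proposed purchase that lowers one scenario's likelihood by a fraction
    in (0, 1]. 'reduction' is an assumed effectiveness estimate, not a measurement."""
    name: str
    cost: float
    scenario: str
    reduction: float


def control_roi(control: Control, scenario: BreachScenario) -> float:
    """ROI = (risk-adjusted loss avoided - cost) / cost, priced against the
    scenario's *current* likelihood, which earlier purchases may have lowered."""
    avoided = scenario.risk_adjusted_damage() * control.reduction
    return (avoided - control.cost) / control.cost


def prioritize(controls, scenarios, budget):
    """Greedy allocation: repeatedly buy the affordable control with the best
    ROI, re-pricing the remaining controls after each purchase because two
    controls on the same scenario overlap. A control whose ROI is <= 0 is left
    unbought: that risk is cheaper to accept than to mitigate.
    Returns (names of chosen controls in purchase order, unspent budget)."""
    state = {s.name: replace(s) for s in scenarios}  # private copy; likelihoods change
    pending = list(controls)
    chosen, remaining = [], budget
    while True:
        affordable = [c for c in pending
                      if c.cost <= remaining and control_roi(c, state[c.scenario]) > 0]
        if not affordable:
            return chosen, remaining
        best = max(affordable, key=lambda c: control_roi(c, state[c.scenario]))
        chosen.append(best.name)
        remaining -= best.cost
        pending.remove(best)
        state[best.scenario].likelihood *= 1 - best.reduction


# Constructed sample portfolio: three scenarios, four candidate controls.
SCENARIOS = [
    BreachScenario("customer-db-breach", 0.10, 150_000, 300_000, 100_000, 500_000, 1_200_000, 2_000_000),
    BreachScenario("phishing-account-takeover", 0.40, 20_000, 40_000, 30_000, 50_000, 100_000, 0),
    BreachScenario("dev-laptop-theft", 0.20, 5_000, 10_000, 5_000, 10_000, 20_000, 0),
]
CONTROLS = [
    Control("db-activity-monitoring", 80_000, "customer-db-breach", 0.5),
    Control("waf-and-code-review", 120_000, "customer-db-breach", 0.6),
    Control("mfa-everywhere", 30_000, "phishing-account-takeover", 0.8),
    Control("full-disk-encryption", 15_000, "dev-laptop-theft", 0.9),
]


if __name__ == "__main__":
    by_name = {s.name: s for s in SCENARIOS}
    for s in SCENARIOS:
        print(f"{s.name:28s} damage ${s.total_damage():>12,.0f}"
              f"  risk-adjusted ${s.risk_adjusted_damage():>10,.0f}")
    for c in CONTROLS:
        print(f"{c.name:28s} standalone ROI {control_roi(c, by_name[c.scenario]):6.2f}")
    chosen, left = prioritize(CONTROLS, SCENARIOS, budget=150_000)
    print("buy in order:", chosen, "| unspent:", left)
```

With the constructed numbers and a $150,000 budget the allocation buys database activity monitoring first (best ROI on the largest risk-adjusted loss), then MFA; the WAF programme no longer fits the remaining budget once the first control has already cut the database scenario's likelihood in half, and full-disk encryption for the laptop scenario has negative ROI, so that risk is presented to executives as one to accept. Raising the budget to $250,000 adds the WAF programme at a much smaller ROI than its standalone figure suggested, which is exactly the overlap the re-pricing step exists to expose.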
3. Let Executives Accept Some Risks
Security executives, as the proverbial goalkeepers in front of the net, may find it difficult to accept situations that make it easier for the ball to cross the goal line. The instinct is to keep a clean sheet and never let a security incident sully the record.
But the game isn't really won on how many times the bad guys score against your infrastructure. It's won on how much money the company makes and how much threats cut into that profit. With that in mind, it will make sense for line-of-business executives to accept some risks when the cure is worse than the disease.
"The truth is security is all about levels -- the level of pain you want to make a would-be hacker go through vs. the level of disruption you can have on your workforce," says Ken Tola, CEO of IP Ghoster.
IT security professionals who can offer a quantitative risk assessment, and who are prepared to let executives accept risks based on it, will earn far more respect -- and, consequently, more budget for the high-priority risks -- than those who insist that no risk remain unremediated.
"The ultimate goal is to determine your organization's appetite for risk and to facilitate the cultural move from a zero-risk mentality to a risk-resilient mentality," says Bryan Fite, BT Assure portfolio manager for U.S. and Canada at BT Global Services.