All too often, the C-suite sees IT security projects as supermassive black holes that absorb millions of dollars but don’t give anything in return except a vague sense of security. CISOs, on the other hand, know that a strong cybersecurity posture can do far more than reduce the likelihood of security breaches; it can be a business enabler that has a positive financial impact. For instance, the Global State of Online Digital Trust Survey and Index 2018 reports that consumers with more digital trust in an e-commerce business tend to spend more online.
But how can CISOs get that message across effectively and secure executive buy-in for appropriate security investments?
The key is explaining the current state of security in a way that is clear to the non-IT people who sit on the board. Dylan Curran, security and data privacy expert, whose research on how much data Facebook and Google holds on us went viral this March, shared with me a nice comment on how to do this:
IT staff should speak more in financial terms instead of ghost tech ones. IT has to convey the potential repercussions of a weak security strategy and highlight the benefits the department brings to the business. My favorite is that your company will maintain higher level of professionalism among employees because everyone will operate under an umbrella of security and good policy. But to achieve this goal, you need board buy-in, and reporting on security is a good start for a nice decades-long conversation.
I advise holding regular discussions with the board, structured around the following four questions:
#1. What is our exposure to cybersecurity risks?
As the CISO, you should illuminate the organization’s current threat landscape. It’s critical to not simply detail the technology risks (e.g., virus outbreak, data overexposure); you need to explain the business impact (e.g., compliance failures, reputational damage), severity (from severe to insignificant) and likelihood (from unlikely to almost certain) of each risk. For example, you might report a moderate risk of compromised credentials — and explain how this risk could lead to stolen intellectual property, lost market momentum, compliance fines and lower revenue.
Additionally, you should keep the board informed about how competitors are doing with security. For instance, if one of your competitors suffered an attack, you need to investigate whether you have the same weakness and what you can do to mitigate it.
#2. What are we doing to reduce security risks?
Next, you need to explain what steps your teams are taking to address the risks the organization is facing. The key here is to use quantitative metrics to assess their effectiveness.
The SANS Institute offers a quantitative risk analysis formula that has been widely adopted. It estimates the return on security investment (ROSI) by quantifying how well the solution mitigates the risks it is intended to address and how much money can be saved due to the reduced risk exposure. In addition to this formula, CISO can use more technology-related metrics to estimate ROSI, such as MTTD (mean time to detect), MTTR (mean time to repair), number of incidents and vulnerabilities discovered versus the number remediated, money savings due to remediation, and so on.
#3. What is the business impact of our security efforts?
The board and CISO should work together to establish a clear set of KPIs for assessing how the business leverages various technologies. Here, a good approach is for the CISO to develop a story that illustrates how a secure digital transformation helped realize various financial opportunities, such as increasing customer satisfaction, minimizing business downtime or reducing costs. For instance, suppose you invested in a solution for data discovery and classification to uncover what sensitive data you have and where it is stored. You can explain how this solution helped the infosec team improve the security of this information — and also enabled the company to prune out ROT (redundant, obsolete and trivial files that have no business value), thus slashing storage and processing costs as well.
By speaking the language of business benefits, you can help the board see security investments as a business enabler, rather than additional budget line items.
#4. What else should be done to improve the organization’s security posture?
Last, in each meeting you should identify gaps in the organization’s security coverage, explain what issues must be solved next and why, and detail what further investments are needed. Be sure to provide actionable plan with clear deadlines, resources (people, tools, technologies, etc.) and costs. You should also articulate the expected ROSI for these investments by calculating quantitative metrics and highlighting potential business benefits. Though this data will be hypothetical, it will demonstrate to the C-suite how the company’s security risk exposure will align with its risk appetite and business priorities.
Regular meetings built on these four questions will help all stakeholders see that security is more than just an insurance policy and facilitate informed decisions about security investments.