Security practitioners have to figure out how to accomplish their security goals with the budget they have. They also must show that the security program is effective at protecting the organization. They need to be able to justify the cybersecurity products and tools they have purchased and articulate the return on investment (ROI).
Now there's a tool for that. SecurityScorecard released a content and ROI calculator to help security practitioners figure out high-level estimates to illustrate the organization's overall security posture.
"At a time of economic uncertainty, strengthening cybersecurity postures must be a priority, as bad actors take advantage of volatility," says Cindy Zhou, chief marketing officer at SecurityScorecard. "Organizations must be able to know and articulate if the cybersecurity products and tools they have purchased provide a sound ROI."
Security teams should consider a wide variety of risk factors when considering what to buy for their security programs, Zhou says. The list includes network security, DNS health, patching cadence, endpoint security, IP reputation, application security, cubit score, hacker chatter, information leaks, social engineering, and knowing their digital supply chain.
Calculating Risk to Justify Spend
Quantifying cyber risk in financial terms allows organizations to understand the financial impact of a cyberattack, gain insight into the risks their vendors pose, and quantify the reduction in expected losses if issues are resolved. For example, a cybersecurity product may cost $200,000; however, it may defend against a $5 million data breach, thus saving the organization considerable funds in the long-run.
"CISOs must be able to quantify their business' cyber-risk to justify the spend on their cyber tech stack," Zhou says.
Another key factor is the ability to procure cyber-risk insurance and the associated premiums.
"Many insurers use SecurityScorecard to assess if a company is eligible for a policy," she says. "CISOs and CFOs need to demonstrate their security posture just to be considered for a policy."
The interactive calculator is based on data collected for Forrester Consulting's Total Economic Impact of SecurityScorecard. Forrester Consulting constructed a financial model using a Total Economic Impact formula.
As part of the study, the consultants quantified the effects of having SecurityScorecard in the enterprise, including increased efficiency in risk management, technology efficiencies and consolidation, and improved security posture. This approach not only measures costs and cost reduction within the organization, but also weighs the enabling value of a technology in increasing the effectiveness of overall business processes.
The ROI calculator expands SecurityScorecard's Cyber Risk Quantification (CRQ) capabilities, which are designed to help customers understand cyber-risk in financial terms as part of holistic business risk analysis.
Getting Executive Buy-In
The C-suite and the board are used to focusing on the organization's financial performance, so the CISO needs to be able to quantify cyber-risk in financial terms, says John Hellickson, field CISO at Coalfire. This way, the CISO can also justify and prioritize cyber investments.
This lets all parties make informed decisions about the financial impact and business outcomes of such investments.
"Justifying and accounting for the people, process, and technologies already in place ensures that current mitigating controls are considered in the overall risk calculations," Hellickson says.
From Hellickson's perspective, validating the comprehensiveness of the cybersecurity strategy, knowing the maturity and risk level of current investments, and estimating how future investments will improve that maturity and effectively manage that risk is key to gaining executive trust and support.
"Focusing spend on the assurance of not being breached just about went by the wayside when fear, uncertainty, and doubt tactics stopped working nearly a decade ago when year after year security investments continued to rise," he adds.
Building a cyber program strategy that demonstrates positive business outcomes goes much further in the CISO's ability to influence other executives.
For years, organizations have increased spend, especially application security spend, and they've still failed to achieve the kind of coverage of their application portfolio they desire, says John Steven, CTO of ThreatModeler.
"When organizations see this spend as unsustainable, let alone the requested rate of growth, security executives must demonstrate they're not only getting stuff done, but getting more done for less than peer CISOs, or those that have come before them," he says.
Steven explains that as common as breaches are across the industry, they are probably rare within a single organization, so "time since breach" should be a fairly sleepy indicator of activity and result.
"Focusing on delivery enablement or customer friction can be significantly more impactful," he says.