Swaying the C-Suite: Proving the ROI of a sound security strategy
Last year proved record-breaking for security, with five massive breaches accounting for more than 72 percent of all data records exposed in 2017. Additionally, Verizon’s 2018 Data Breach Investigation Report found that cybercriminals are taking advantage of poor endpoint security.
Companies clearly must address this problem, but a recent survey finds that only one in five organizations have the tools in place to manage the risk of a cyberattack, despite high-ranking executives claiming that it's a top risk management priority.
Why is this happening? The research aside, there is a disconnect between security leaders and members of the C-suite that often boils down to the fact that security products and tools don’t demonstrate an ROI (return on investment) that directly impacts business results.
It’s up to security leaders to speak to senior leaders in a language they will understand, prompting them to act. They must also reinforce that security has to be built into the products and the process at the outset of a project, so that companies aren’t scrambling for a fix after they're faced with a major security incident.
When you think about it, it does make sense that the C-suite and security or operations teams don’t speak the same language. Senior leaders are often tasked with cutting the fat. At the same time, organizations struggle to quantify the value of cybersecurity investments. It's important for IT and security leaders to note that true ROI comes from defending the organization against material impact, before it happens.
Begin by proving your position with numbers. For example, cybercrime is estimated to cost approximately $6 trillion per year on average through 2021. As such, smart security spend pays for itself in cost savings, reputation protection and more, given the direct connection between loss prevention and a company's bottom line. We're facing a reality in which organizations understand they need to care about security, but to really get executive buy-in, the security team still needs to prove ROI — the right kind of ROI — and present a clear implementation plan.
After providing facts and figures, a security roadmap can help highlight the tactical actions needed to sway the C-suite to commit and spend. An effective roadmap creates a flexible security structure under the CIO that runs under four distinct towers:
- Security oversight: Encompassing enterprise governance and KPI tracking.
- Information risk: The design and sustainability of an internal risk management program that tracks general enterprise risks and exceptions where higher risk levels are acknowledged.
- Security architecture and engineering: Relates to the proactive and progressive deployment of security controls and tools that help to track and mitigate risk.
- Security operations: The operational model that leverages all three of the previous towers to monitor and report on issues and incidents.
From here, the following four practices are designed to help infosec professionals put their roadmap into action.
Practice 1: Assess Your Risks, Assets and Resources
Security leaders must prioritize identifying and documenting the assets whose breach would do the most damage, and then estimate the probability of cyber threats to each of those assets. If your security team isn't adequately staffed, consider leveraging other teams or outsourcing where needed. You should also select a security framework to follow — such as the National Institute of Standards and Technology's (NIST) Cybersecurity Framework — one that covers any relevant regulatory requirements, to keep the program on track.
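The assessment described above (impact if breached, combined with annual probability) is the classic annual-loss-expectancy calculation, and the same numbers feed the ROI argument the rest of the article makes. The following is an added example, not code from the article; the asset values, probabilities, control costs and risk-reduction fractions are constructed for illustration and the helper names are assumptions.

```python
"""Rank assets by expected annual loss and compare candidate controls by ROI.

Added example, not part of the original article. All dollar figures,
probabilities and control effects below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Asset:
    name: str
    breach_impact: float       # estimated loss from one breach, in dollars (single-loss expectancy)
    annual_probability: float  # estimated probability of a breach in a year, 0..1


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float         # yearly cost of running the control, in dollars
    risk_reduction: float      # fraction of the asset's expected annual loss it removes, 0..1


def annual_loss_expectancy(asset: Asset) -> float:
    """ALE = single-loss expectancy x annualized rate of occurrence."""
    return asset.breach_impact * asset.annual_probability


def rank_assets(assets: Iterable[Asset]) -> List[Asset]:
    """Highest expected annual loss first: document and defend these assets first."""
    return sorted(assets, key=annual_loss_expectancy, reverse=True)


def control_roi(asset: Asset, control: Control) -> float:
    """Return on security investment: (loss avoided - control cost) / control cost."""
    avoided = annual_loss_expectancy(asset) * control.risk_reduction
    return (avoided - control.annual_cost) / control.annual_cost


def choose_control(asset: Asset, controls: Iterable[Control]) -> Optional[Control]:
    """Pick the control with the best ROI; None if no candidate pays for itself."""
    candidates = list(controls)
    if not candidates:
        return None
    best = max(candidates, key=lambda c: control_roi(asset, c))
    return best if control_roi(asset, best) > 0 else None


# Constructed risk register (hypothetical assets and figures).
ASSETS = [
    Asset("customer database", breach_impact=4_000_000, annual_probability=0.10),
    Asset("public marketing site", breach_impact=50_000, annual_probability=0.30),
    Asset("HR payroll system", breach_impact=1_500_000, annual_probability=0.05),
]

# Constructed candidate controls for the customer database.
DB_CONTROLS = [
    Control("database activity monitoring", annual_cost=120_000, risk_reduction=0.5),
    Control("full re-platform", annual_cost=900_000, risk_reduction=0.9),
]

if __name__ == "__main__":
    for asset in rank_assets(ASSETS):
        print(f"{asset.name:24s} ALE = ${annual_loss_expectancy(asset):,.0f}")
    pick = choose_control(ASSETS[0], DB_CONTROLS)
    print("best control for customer database:", pick.name if pick else "none pays off")
```

The point for the C-suite conversation is the last line: a control is only worth proposing when the loss it avoids exceeds what it costs, and the register makes that comparison explicit per asset rather than arguing for "more security" in the abstract.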
Practice 2: Update Your Information Security Policy
Keeping an updated data security policy not only helps mitigate risks, but it's also necessary for compliance. Updating your existing policies and creating security standards for general use will allow you to highlight and provide recommendations around high risk areas. Managers will also benefit from translating risk assessments into business terms and using metrics that resonate with the C-suite.
Practice 3: Identify New Controls and Deploy Them
Logging all access to data under a unique identifier will require a log management tool or a security information and event management (SIEM) system. Limiting access to specific data to select individuals is typically a good rule of thumb, as is issuing unique system usernames and passwords and eliminating shared, group-based accounts.
Protecting against data leaks is vital to ensure no sensitive data is shared outside of the organization – it’s no secret that 95 percent of security incidents result from human error. Test these controls using a phased approach to ensure that they're incorporated into the software development lifecycle for new infrastructure and application deployments. During the testing process, note whether the solution works technically and whether it imposes too much of a burden on your employees or processes.
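The two controls named above, access logged under a unique identifier and data restricted to named individuals, are only useful if someone checks the logs against them. The following is an added example, not code from the article: it parses a small constructed access log, flags events from shared or group accounts, and flags accesses by users who are not on a dataset's allow-list. The log format, account names and allow-lists are all assumptions made up for the example.

```python
"""Audit a data-access log for shared-account use and out-of-policy access.

Added example, not part of the original article. The log format, the
shared-account list and the per-dataset allow-lists are constructed.
"""
import re
from typing import Dict, List, Set, Tuple

# Assumed line format: "<timestamp> user=<id> dataset=<name> action=<verb>"
ACCESS_LINE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) dataset=(?P<dataset>\S+) action=(?P<action>\S+)$"
)

# Constructed: group/shared accounts that should never touch data directly.
SHARED_ACCOUNTS: Set[str] = {"admin", "shared_ops", "svc_reporting"}

# Constructed: the only individuals allowed to read each sensitive dataset.
DATASET_OWNERS: Dict[str, Set[str]] = {
    "payroll": {"alice.w", "bob.k"},
    "customer_db": {"carol.m"},
}

# Constructed sample log, including one line the parser must reject.
SAMPLE_LOG = """\
2024-03-02T10:15:01Z user=alice.w dataset=payroll action=read
2024-03-02T10:16:44Z user=shared_ops dataset=payroll action=export
2024-03-02T10:20:09Z user=dave.r dataset=customer_db action=read
2024-03-02T10:21:30Z user=carol.m dataset=customer_db action=read
garbled line without fields
2024-03-02T10:25:00Z user=admin dataset=customer_db action=read
"""


def parse_access_log(text: str) -> Tuple[List[Dict[str, str]], List[str]]:
    """Split log text into parsed events and lines that did not match the format."""
    events, unparsed = [], []
    for line in text.splitlines():
        match = ACCESS_LINE.match(line)
        if match:
            events.append(match.groupdict())
        else:
            unparsed.append(line)
    return events, unparsed


def audit_access(events: List[Dict[str, str]],
                 shared_accounts: Set[str],
                 dataset_owners: Dict[str, Set[str]]) -> List[Dict[str, str]]:
    """Return one finding per policy violation; an event can raise more than one."""
    findings = []
    for event in events:
        user, dataset = event["user"], event["dataset"]
        if user in shared_accounts:
            # Access without a unique identifier: cannot attribute to a person.
            findings.append({**event, "kind": "shared_account"})
        allowed = dataset_owners.get(dataset)
        if allowed is not None and user not in allowed:
            # Sensitive dataset touched by someone outside the named group.
            findings.append({**event, "kind": "unauthorized_access"})
    return findings


def summarize(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """Count findings by kind, the figure a weekly report to management would show."""
    counts: Dict[str, int] = {}
    for finding in findings:
        counts[finding["kind"]] = counts.get(finding["kind"], 0) + 1
    return counts


if __name__ == "__main__":
    parsed, bad = parse_access_log(SAMPLE_LOG)
    results = audit_access(parsed, SHARED_ACCOUNTS, DATASET_OWNERS)
    for f in results:
        print(f"{f['ts']} {f['kind']:20s} user={f['user']} dataset={f['dataset']}")
    print("unparsed lines:", len(bad), "| summary:", summarize(results))
```

Unparsed lines are returned rather than silently dropped: a logging control that quietly loses records fails the "does it work technically" check in the phased test above, and the count of rejected lines is the first thing to watch when the collector or the log format changes.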
Practice 4: Educate Your Employees, Executives, Vendors & Customers
Your new policies are ready to be rolled out and now is a good time to focus on internal and external education. Internally, detail what employees should do to comply and the consequences should they fail to do so. Hold regular security trainings to boost awareness and hold everyone accountable. Externally, let vendors and customers know about your new policies and what steps they must take (if any) to comply.
When enterprises are constantly trying to reduce output, a detailed roadmap is a sound way to bootstrap cohesive action. It will allow you to improve your baseline assessments, target goals, tactics and capabilities.
The secret to swaying the C-suite? Calculating risk, laying out security products' worth in terms of managing this risk, and justifying their place in the budget. With the proper data and analysis, senior-level executives will understand that security posture cannot be measured by pocket depth but rather by dollars not spent on mitigating security problems.