The importance – and challenges – of ROSI

Carolyn Crandall (CC), Chief Deception Officer at Attivo Networks

CFOs and CEOs would be ecstatic to see detailed and specific ROSI, especially if it could be boiled down to a dollar figure. This would streamline budget assignment and approvals as you could easily calculate a quantifiable benefit.

The challenge is that security is much like insurance: you hate to spend the money on it but are extremely grateful that you have it when needed.

Ultimately, security is more of a risk calculation. How much risk are you taking and what are the consequences if you don’t invest? Fines, insurance hikes, lost revenue, hit to brand reputation and incident response costs can be calculated; however, assigning ROSI to one device can be hard as security is a system and only one chink in the armour can bring the whole system down.

To use an American football analogy, it is like playing the game without a kicker to kick in the field goal.

Security can be compared to being in the final seconds of the game, but without the kicker, you need to run the play, which can be more complex and riskier. If you have the kicker, you win; without the kicker, you may not.

Is it a guarantee? No, but the odds are less favourable when you don’t have the resources best suited for the need. The concept of a kicker and security are similar: there is no silver bullet, so you need all the positions covered. If you try to shortcut it, it may be all the opponent needs to win. Game over.

Joseph Carson (JC), Chief Security Scientist, Thycotic

For cybersecurity to be successful in any company it must contribute to the business success. In order to get support and commitment from the executive board, the CISO must show a return on security investment for it to be a strategic part of the overall company business. If the CISO is unable to communicate effectively to the executive board on how cybersecurity
www.intelligentciso.com | Issue 10 | 37