Intelligent CISO Issue 10 | Page 37

The importance – and challenges – of ROSI

Carolyn Crandall, Chief Deception Officer at Attivo Networks (CC)

CFOs and CEOs would be ecstatic to see detailed and specific ROSI, especially if it could be boiled down to a dollar figure. This would streamline budget assignment and approvals as you could easily calculate a quantifiable benefit. The challenge is that security is much like insurance, you hate to spend the money on it but are extremely grateful that you have it when needed. Ultimately, security is more of a risk calculation. How much risk are you taking and what are the consequences if you don’t invest? Fines, insurance hikes, lost revenue, hit to brand reputation and incident response costs can be calculated, however assigning ROSI to one device can be hard as security is a system and only one chink in the armour can bring the whole system down.

To use an American football analogy, it is like playing the game without a kicker to kick in the field goal. Security can be compared to being in the final seconds of the game, but without the kicker, you need to run the play, which can be more complex and riskier. If you have the kicker, you win, without the kicker you may not. Is it a guarantee? No, but the odds are less favourable when you don’t have the resources best suited for the need. The concept of a kicker and security are similar, there is no silver bullet so you need all the positions covered. If you try to shortcut it, it may be all the opponent needs to win. Game over.

Joseph Carson, Chief Security Scientist, Thycotic (JC)

For cybersecurity to be successful in any company it must contribute to the business success. In order to get support and commitment from the executive board, the CISO must show a return on security investment for it to be a strategic part of the overall company business. If the CISO is unable to communicate effectively to the executive board on how cybersecurity