Intelligent CISO Issue 10 | Page 38

FEATURE will contribute to the business, it is very likely that the board will not invest in cybersecurity leaving the company open to cyberattacks. The future of cybersecurity needs to change in businesses. We need to stop talking about cybersecurity and talking only about business risks and how cybersecurity solutions can be used to reduce the business risk contributing to the business success. Organisations continue with failing to measure cybersecurity successfully, focusing on only the threats and not the value of business risk reduced. Sometimes cybersecurity is simply too complex. Many companies have invested in technologies that claim to solve all the problems. However, when it comes to getting them working they are so complex that proper installation takes years – and that’s even before they get integrated into existing cybersecurity investments. When documentation is hundreds of pages long and takes highly skilled resources to ensure it’s working, it becomes clear why the industry is short of cybersecurity professionals. It is especially critical not to underestimate these costs, as they can drastically skew calculations. In addition to this, I would add: Ruggero Contu, Research Director, RUGGERO CONTU, RESEARCH Security Solutions Worldwide (RC) DIRECTOR, SECURITY SOLUTIONS WORLDWIDE Similar to other areas, demonstration of ROI is often key to obtain financing from IT budget allocation, however, as a recent Gartner survey has demonstrated, with security often it is difficult to provide a direct correlation between economic benefits and security investments. This is because security aims to keep things running as normal and prevent/detect/ remediate incidents, so demonstrating ‘normality’ is not necessarily seen by management as a compelling reason to spend on security versus other areas that can demonstrate direct economic gains. Furthermore, security is often relying on metrics that are very technical, making it difficult for security professionals to communicating value to the business. 38 Best practice advice for CISOs on calculating ROSI Carolyn Crandall, Chief Deception CAROLYN CRANDALL, CHIEF Officer at Attivo OFFICER Networks AT DECEPTION ATTIVO NETWORKS I would suggest using various modelling frameworks to communicate the impact. The fundamental models could be based upon: 1. Brand impact and revenue loss 2. Penalties/fines/increased insurance premiums 3. Cost of incident response 4. Impact to business services and whether this opens or closes opportunities to provide services that give a business advantage 5. Ongoing hygiene of security system – what investments need to be made to ensure that security is working reliably, is covering all attack surfaces and ever-evolving attack types This could be pen testing but ongoing tools to validate will mitigate the need for a ‘root canal’ that will occur if the attacker remains undetected for lengthy periods of time. This should factor in not only actual damages but also the time needed for cleaning up the network and erasing the attacker’s footprint. Ultimately, don’t limit ROSI to simply IT asset management. It is also important to factor the costs into overall digital risk management and impact to the organisation’s business operations. Issue 10 | www.intelligentciso.com