Determining the ROI of security investments is a complex but necessary task. Simply put, the goal is to demonstrate that the benefits of the organization's security strategy outweigh the risk of not investing.
Of course, there is always residual risk. Bad things will happen no matter what, and no enterprise is truly immune to attack. In fact, according to the 2015 Verizon Data Breach Investigations Report, in 60 percent of cases attackers are able to compromise an organization within minutes.
As a result, the CISO must be extremely effective with whatever budget IT is given to protect the organization. Fortunately, according to a recent survey, heightened awareness of breaches has helped CISOs: the percentage of the IT budget allotted to security has risen to as high as 11 percent for larger organizations and 15 percent for smaller businesses.
The primary issue CISOs need to address is how much investment is enough. After all, even an infinite budget will not prevent every last breach or incident. A prudent CISO will communicate the current risk posture, including the policies, procedures and controls in place to protect the organization from threats, whether internal or external. The CISO ultimately needs to explain that risk exists regardless of investment, and then clearly outline the goal of reducing risk without impacting business operations. Bottom line: the days of a moat around the castle are over.
The challenge here is that most non-security executives feel safe and secure because they simply don't know what they don't know. This puts the responsibility on the CISO to ensure that those within the organization are properly educated about the risks the organization faces, especially within their specific industry. After all, a financial services organization with a significant number of customer-facing mobile access points will understandably face different risks than an airline parts manufacturer.
However, CISOs need to walk a fine line here. If the CISO constantly plays the role of doomsday prognosticator, the executive team will quickly tune out. The goal is to communicate with business leaders in business terms in order to reach agreement.