Quantify Risk, Calculate ROI

Security practitioners must figure out how to achieve their security goals with the budget they have. They must also demonstrate that the security program is effective in protecting the organization. They must be able to justify the cybersecurity products and tools they have purchased and articulate the return on investment (ROI).

Now there is a tool for that. SecurityScorecard has released supporting content and an ROI calculator to help security professionals produce high-level estimates that illustrate the organization's overall security posture and the return on its security spending.

“In a time of economic uncertainty, strengthening cybersecurity postures must be a priority as bad actors take advantage of volatility,” said Cindy Zhou, Chief Marketing Officer at SecurityScorecard. “Organizations need to be able to know and articulate whether the cybersecurity products and tools they’ve purchased are delivering a solid ROI.”

Security teams should weigh a wide range of risk factors when deciding what to buy for their security programs, Zhou says. The list includes network security, DNS health, patching cadence, endpoint security, IP reputation, application security, Cubit Score, hacker chatter, information leak, social engineering, and knowledge of the digital supply chain.

Calculating risk to justify spending

Quantifying cyber risk in financial terms allows organizations to understand the financial impact of a cyber attack, gain insight into the risks their suppliers pose, and quantify the reduction in expected losses if issues are resolved. For example, a cybersecurity product might cost $200,000 but defend against a data breach with a $5 million impact, saving the organization significant money in the long run. The comparison only holds once likelihood is factored in: what the product buys is a reduction in expected loss (probability times impact), not the headline breach cost, so a $5 million breach that was unlikely to begin with justifies far less spending than one that was probable.
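A worked model of the probability-weighted calculation this paragraph sketches, added here as an example; it is not SecurityScorecard's ROI calculator or Forrester's TEI model, and the scenario impacts, annual probabilities, the product's cost and its effectiveness figures are all constructed assumptions for illustration. It computes annualized loss expectancy (ALE) with and without a control, the resulting return on security investment (ROSI), and a Monte Carlo view of the loss tail that the expected value alone hides:

```python
"""Expected-loss and return-on-security-investment (ROSI) model.

Added example, not SecurityScorecard's ROI calculator or Forrester's TEI
model. Every dollar figure, probability and effectiveness value here is a
constructed assumption for illustration.
"""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    impact: float              # single-loss expectancy (SLE) in dollars
    annual_probability: float  # chance the event occurs in a given year


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    # scenario name -> fraction of that scenario's probability the control removes
    effectiveness: dict


def residual_probability(scenario, control):
    """Annual probability left after the control, if any, is applied."""
    cut = control.effectiveness.get(scenario.name, 0.0) if control else 0.0
    return scenario.annual_probability * (1.0 - cut)


def ale(scenarios, control=None):
    """Annualized loss expectancy: sum over scenarios of impact x probability."""
    return sum(s.impact * residual_probability(s, control) for s in scenarios)


def annual_benefit(scenarios, control):
    """Expected loss avoided per year by running the control."""
    return ale(scenarios) - ale(scenarios, control)


def rosi(scenarios, control):
    """Return on security investment: (benefit - cost) / cost."""
    return (annual_benefit(scenarios, control) - control.annual_cost) / control.annual_cost


def simulate_annual_losses(scenarios, control=None, years=20_000, seed=7):
    """Monte Carlo: one Bernoulli draw per scenario per simulated year.

    Returns the sorted list of yearly losses so callers can inspect the tail.
    """
    rng = random.Random(seed)
    losses = []
    for _ in range(years):
        year_loss = 0.0
        for s in scenarios:
            if rng.random() < residual_probability(s, control):
                year_loss += s.impact
        losses.append(year_loss)
    return sorted(losses)


def percentile(sorted_values, q):
    """Nearest-rank percentile (q in 0..100) of an already-sorted list."""
    rank = math.ceil(q / 100.0 * len(sorted_values)) - 1
    return sorted_values[max(0, min(len(sorted_values) - 1, rank))]


# Constructed scenarios (assumptions, not data from the page or any study).
SCENARIOS = (
    Scenario("data breach", impact=5_000_000, annual_probability=0.05),
    Scenario("ransomware", impact=1_200_000, annual_probability=0.10),
)
# A hypothetical $200,000/year product assumed to cut breach likelihood by 60%
# and ransomware likelihood by 50%.
PRODUCT = Control("hypothetical product", annual_cost=200_000,
                  effectiveness={"data breach": 0.6, "ransomware": 0.5})


def main():
    before, after = ale(SCENARIOS), ale(SCENARIOS, PRODUCT)
    print(f"ALE without control:  ${before:,.0f}")
    print(f"ALE with control:     ${after:,.0f}")
    print(f"Expected benefit:     ${annual_benefit(SCENARIOS, PRODUCT):,.0f}/year")
    print(f"ROSI:                 {rosi(SCENARIOS, PRODUCT):.1%}")
    # The headline comparison ($5M breach vs $200k product) ignores likelihood;
    # the probability-weighted benefit above is what actually justifies the spend.
    losses = simulate_annual_losses(SCENARIOS, PRODUCT)
    print(f"Simulated mean loss:  ${sum(losses) / len(losses):,.0f}")
    print(f"99th-percentile year: ${percentile(losses, 99):,.0f}")


if __name__ == "__main__":
    main()
```

With these assumed inputs the control removes $210,000 of expected annual loss for $200,000 of cost, a ROSI of 5%, nowhere near the $4.8 million a headline "cost versus breach size" comparison suggests; raising the price to $300,000 turns the ROSI negative. The simulated 99th-percentile year shows why insurers and boards also ask about the tail, not just the expectation.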

“CISOs need to be able to quantify their company’s cyber risk to justify spending on their cyber technology stack,” says Zhou.

Another key factor is the ability to purchase cyber risk insurance and the associated premiums.

“Many insurance companies use SecurityScorecard to assess whether a company is eligible for a policy,” she says. “CISOs and CFOs must demonstrate their security posture just to be considered for a policy.”

The interactive calculator is based on data collected for the Forrester Consulting study Total Economic Impact of SecurityScorecard, for which Forrester Consulting constructed a financial model using its Total Economic Impact (TEI) methodology.

As part of the study, the consultants quantified the effects of deploying SecurityScorecard in an organization, including increased effectiveness in risk management, technology efficiency and consolidation, and improved security posture. This approach measures not only costs and cost reductions in the organization but also the enabling value of a technology in making overall business processes more efficient.

The ROI calculator extends SecurityScorecard’s Cyber Risk Quantification (CRQ) capabilities, which are designed to help clients understand cyber risk in financial terms as part of holistic business risk analysis.

Get Executive Buy-In

The C-suite and board are used to focusing on the organization’s financial performance, so the CISO needs to be able to quantify cyber risk in financial terms, says John Hellickson, field CISO at Coalfire. In this way, the CISO can also justify and prioritize cyber investments.

This allows all parties to make informed decisions about the financial implications and business results of such investments.

“Justifying and accounting for the people, processes and technologies already in place ensures that current mitigating controls are factored into the overall risk calculations,” says Hellickson.

From Hellickson’s perspective, validating the comprehensive cybersecurity strategy, knowing the maturity and risk level of current investments, and estimating how future investments will improve that maturity and effectively manage that risk are key to gaining management’s trust and support.

“Focusing spending on the assurance of not being breached was almost bypassed when fear, uncertainty and doubt tactics stopped working almost a decade ago as security investments continued to increase year after year,” he adds.

Building a cyber program strategy that shows positive business results goes a long way in the CISO’s ability to influence other leaders.

For years, organizations have increased their spending, especially on application security, and they still have not achieved the coverage of their application portfolio that they want, says John Steven, CTO of ThreatModeler.

“When organizations see this consumption as unsustainable, let alone the desired growth rate, security leaders must demonstrate that they not only get things done, but get more done for less than peer CISOs or those who have come before them,” he says.

Steven explains that, as common as breaches are across the industry, they are likely to be rare within a single organization, so “time since breach” should be a fairly sleepy indicator of activity and performance.

“Focusing on delivery enablement or customer friction can be significantly more impactful,” he says.
