# Opener

Show Cyber ROI, Don’t Just Say We’re Secure

Published by Dale Gonzalez

CISOs know this scenario all too well.

They research supportive cyber stats based on industry standards. For example, a company sized similarly to ours, they think, has a seemingly appropriate cybersecurity strategy. Therefore, we should adopt one just like it.

They leave their offices, PowerPoint presentation in hand, armed with the confidence that comes through identifying encouraging evidence. They take the CEO through the recommended plan certain that their proposed budget will assuredly warrant full support.

But then the CEO ( or CFO, CIO depending on the corporate structure) asks, but where’s the ROI? I mean, all you’re ostensibly saying, the CEO continues, is that I spend $250,000 in exchange for sleeping better at night? Why not just give that money to my marketing department and take a Xanax instead?

The Conversation is Shifting to Wiser Cyber Spending

The bottom line is that cost deferment numbers are always less compelling than new revenue numbers. Which is why executives are reluctant to spend more even when they’re told that their firewalls prevented 80 trillion malicious attacks. How does one quantify that? And if lightning struck already, why build a lightning rod on the off chance it strikes again? Compounded to this, the media tends to focus solely on cyber-attack stories involving large corporations which means smaller-to-mid sized corporations don’t see themselves as potential victims. Without a discernible return, the argument gets harder and harder.

But the industry is changing in its approach to ROI, and when it comes to cybersecurity, they’re finding a way to substantiate the benefit through projected and definitive numbers. In fact, certain established hedge funds are even adding value to a publicly traded company with a well-functioning cyber program.

A Cyber Risk Brainstorm to Remember

It all starts with the CISO asking themselves what it is they seek to accomplish through a cybersecurity program–for example, if shorter incident response times are desired, or whether they require a documented incident response process. It is now their imperative to try and decompose those strategies into a series of discrete activities that would satisfy those needs. If incident response times is a priority–as it should be when factoring that the more immediate the forensics performance, the lower the overall costs are in responding to the incident–then the overall costs are lower in responding to the event.

Cyber Risk Quantification is not a Mythological Black Box

Generally speaking, costs are cut by ⅔ if you discover the incident within the first 24 hours, which means if you’re using the Axio platform, you’ve got a series of formulas that help you calculate expectations around the cost of the attack. A CISO can then report to a CEO that while a forensic analysis on 70% of the assets in case of an attack would otherwise be necessary, I believe if we have a good incident response program, we’ll only have to do forensic analysis on 30% of the assets. Now you’ve got the CEO’s attention.

A CISO can then plug the 30%–instead of 70%– into the formulas that they’ve built and then immediately see a drop in whatever expense associated with that cyber-attack. But more importantly, now they’re also seeing an amount that qualifies as a return number. It’s only through an assessment like this that a CISO can make an argument with a dollar associated with it.

Suddenly, there’s a KPI associated with how and whether the cybersecurity program has succeeded in terms of reaching program maturity, a KPI that can flow easily into various formulas thus identifying the core steps in what you have to do to drive your incident discovery rate down to a particular number. This will enable companies to formulate a strategy that includes specific controls like next gen firewalls, breach readiness tool, or a better ticketing system. But even more importantly, it’ll help CISOs communicate effectively as they learn the language of CEO.