Security practitioners need to figure out how to achieve their security goals with the budget they have. They must also show that the security program is effective in protecting the organization. They must be able to justify the cybersecurity products and tools they have purchased and articulate the return on investment (ROI).
Now there is a tool for that. SecurityScorecard has released a Scope and ROI Calculator to help security practitioners determine high-level estimates to illustrate an organization’s overall security posture.
“In times of economic uncertainty, strengthening cybersecurity postures should be a priority, as bad actors take advantage of volatility,” says Cindy Zhou, chief marketing officer at SecurityScorecard. “Organizations need to be able to know and articulate whether the cybersecurity products and tools they have purchased are providing a good return on investment.”
Security teams must consider a wide variety of risk factors when considering what to buy for their security programs, Zhou says. The list includes network security, DNS health, patch cadence, endpoint security, IP reputation, application security, cubit score, hacker chatter, information leaks, social engineering and knowledge of their digital supply chain.
Calculate the risk to justify the expenses
Quantifying cyber risk in financial terms enables organizations to understand the financial impact of a cyber attack, gain insight into the risks posed by their suppliers, and quantify the reduction in expected losses if the problems are solved. For example, a cybersecurity product may cost $200,000; however, if it defends against a $5 million data breach, it saves the organization significant funds in the long run.
“CISOs need to be able to quantify their company’s cyber risk to justify spending on their cyber technology stack,” says Zhou.
Another key factor is eligibility for cyber risk insurance and the premiums that insurers charge.
“Many insurers use SecurityScorecard to assess whether a company is eligible for a policy,” she says. “CISOs and CFOs need to demonstrate their security posture just to be considered for a policy.”
The interactive calculator is based on data collected for the Forrester Consulting study The Total Economic Impact of SecurityScorecard. Forrester Consulting built a financial model using its total economic impact formula.
As part of the study, the consultants quantified the effects of using SecurityScorecard in the enterprise, including increased risk management efficiency, technology efficiency and consolidation, and improved security. This approach not only measures costs and cost reduction within the organization, but also assesses the enabling value of a technology in increasing the efficiency of overall business processes.
The ROI calculator is part of SecurityScorecard's broader Cyber Risk Quantification (CRQ) capabilities, which are designed to help clients understand cyber risk in financial terms as part of an overall business risk analysis.
Obtain management buy-in
The C-suite and the board are used to focusing on the financial performance of the organization, so the CISO must be able to quantify cyber risk in financial terms, says John Hellickson, field CISO at Coalfire. In this way, the CISO can also justify and prioritize cyber investments.
This allows all parties to make informed decisions about the financial impact and business outcomes of these investments.
“Validating and accounting for the people, processes and technology already in place ensures that current mitigating controls are factored into overall risk calculations,” says Hellickson.
From Hellickson’s perspective, validating the completeness of cybersecurity strategy, knowing the maturity and risk level of current investments, and estimating how future investments will improve that maturity and effectively manage that risk are critical to gaining trust and management support.
“The focus of spending on ensuring you won’t be hacked was pretty much dropped when fear, uncertainty and doubt tactics broke down nearly a decade ago, when, year after year, investments in security have continued to increase,” he adds.
Developing a cyber program strategy that demonstrates positive business results depends far more on the CISO’s ability to influence other executives.
For years, organizations have increased their spending, especially application security spending, and they still haven’t been able to achieve the kind of application portfolio coverage they want, says John Steven, CTO at ThreatModeler.
“When organizations view this expense as unsustainable, let alone the requested rate of growth, security leaders need to demonstrate that they are not just getting things done, but doing more for less than their CISO counterparts or those who preceded them,” he says.
Steven explains that, as common as breaches are in the industry, they’re likely rare within a single organization, so “time since breach” is a pretty poor indicator of activity and results.
“Focusing on enabling delivery or friction with customers can have a lot more impact,” he says.