Short one on ROI in Cybersec – it’s about what you can show.
A clear, visible desired state is a valid starting point for an IT security strategy (and for every strategy, to be frank). The problem is the perception of security and the spending on it. As William Webster (member of the Homeland Security Advisory Board) said, “Security is always too much until the day it is not enough.”
During conversations with our clients, we confirmed that taking the minimization and management of risk (the financial sector is best at this) as the foundation of an IT security strategy is the best approach. The goal, despite differing budgets and maturity levels, is the same.
And how to manage the risk? By making threats visible.
- By controlling where the data lies, or the data itself: access to it, operations on it and transfers of it.
- By implementing resource management (devices, data sources, identities, accounts).
- By implementing new structures such as Zero Trust or Extended Detection & Response.
To be on the safe side during Board meetings you need to be aligned with your key metrics, connected to the above and to security in general. These can take many forms.
- More reactive ones, like the number of incidents by type in a given period, mean time to react to an incident (MTTR), mean time to detect (MTTD), the number of break-in attempts, and the number of unidentified devices on the network.
- “Proactive” ones, which serve as checkpoints for the level of learning and for vulnerability exposure and mitigation. Examples are the phishing test success rate, security awareness test results, average days to roll out patches, the percentage of fully updated devices on the network, or the percentage of incidents reported by business personnel.
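To make the two groups of metrics concrete, here is an added example (written for this post, not the author's or any client's code) that computes a board-level summary from incident records: incidents by type in a period, MTTD and MTTR in hours, the share of incidents first reported by business staff, a phishing simulation reporting rate, and average days to patch. All incident records, dates and counts are constructed sample data, and the `Incident` fields and function names are assumptions of this example rather than any standard schema.

```python
"""Board-level security metrics computed from incident records.

Added example for this post; not the author's code.  Incidents, dates and
counts below are constructed sample data, not real cases.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from statistics import mean


@dataclass(frozen=True)
class Incident:
    incident_id: str
    category: str               # e.g. phishing, malware, unauthorized-access
    occurred_at: datetime       # start of compromise, established by investigation
    detected_at: datetime       # when the SOC raised the alert
    resolved_at: datetime       # when containment/remediation was complete
    reported_by_business: bool  # True if a non-security employee raised it first


# Constructed sample timeline (hypothetical incidents).
T0 = datetime(2024, 3, 1, 8, 0)
HOUR = timedelta(hours=1)
DAY = timedelta(days=1)

INCIDENTS = [
    Incident("INC-0001", "phishing", T0, T0 + 2 * HOUR, T0 + 6 * HOUR, True),
    Incident("INC-0002", "malware", T0 + DAY, T0 + DAY + 4 * HOUR, T0 + DAY + 12 * HOUR, False),
    Incident("INC-0003", "unauthorized-access", T0 + 2 * DAY, T0 + 2 * DAY + 6 * HOUR,
             T0 + 2 * DAY + 30 * HOUR, False),
    Incident("INC-0004", "phishing", T0 + 3 * DAY, T0 + 3 * DAY + 4 * HOUR, T0 + 3 * DAY + 8 * HOUR, True),
]

# Constructed patch timeline: (vendor release date, date applied fleet-wide).
PATCH_EVENTS = [
    (date(2024, 3, 1), date(2024, 3, 8)),
    (date(2024, 3, 5), date(2024, 3, 10)),
    (date(2024, 3, 10), date(2024, 3, 22)),
]


def _hours(delta: timedelta) -> float:
    return delta.total_seconds() / 3600.0


def incidents_by_type(incidents, start: datetime, end: datetime) -> dict:
    """Reactive metric: count incidents per category that occurred in [start, end)."""
    return dict(Counter(i.category for i in incidents if start <= i.occurred_at < end))


def mean_time_to_detect(incidents) -> float:
    """MTTD in hours: average gap between compromise and detection (0.0 if no data)."""
    if not incidents:
        return 0.0
    return mean(_hours(i.detected_at - i.occurred_at) for i in incidents)


def mean_time_to_react(incidents) -> float:
    """MTTR in hours: average gap between detection and resolution (0.0 if no data)."""
    if not incidents:
        return 0.0
    return mean(_hours(i.resolved_at - i.detected_at) for i in incidents)


def business_reporting_rate(incidents) -> float:
    """Percentage of incidents first reported by business (non-security) staff."""
    if not incidents:
        return 0.0
    return 100.0 * sum(i.reported_by_business for i in incidents) / len(incidents)


def phishing_test_success_rate(sent: int, reported: int) -> float:
    """Proactive metric: share of simulated phishing mails recipients reported."""
    if sent <= 0:
        raise ValueError("sent must be positive")
    return 100.0 * reported / sent


def average_days_to_patch(patch_events) -> float:
    """Average days between a patch release and its fleet-wide deployment."""
    if not patch_events:
        return 0.0
    return mean((applied - released).days for released, applied in patch_events)


def board_summary(incidents=INCIDENTS, patch_events=PATCH_EVENTS) -> dict:
    """Assemble reactive and proactive figures into one report for the Board deck."""
    return {
        "incidents_by_type": incidents_by_type(incidents, T0, T0 + 7 * DAY),
        "mttd_hours": mean_time_to_detect(incidents),
        "mttr_hours": mean_time_to_react(incidents),
        "business_reporting_pct": business_reporting_rate(incidents),
        "phishing_report_pct": phishing_test_success_rate(sent=200, reported=50),
        "avg_days_to_patch": average_days_to_patch(patch_events),
    }


if __name__ == "__main__":
    for key, value in board_summary().items():
        print(f"{key}: {value}")
```

The point of splitting occurrence, detection and resolution timestamps is that MTTD and MTTR answer different questions (how long attackers were unnoticed versus how long the team needed once alerted); reporting only one hides the other. The empty-input guards matter in practice because a quiet reporting period should show as "no incidents", not as a division error in the report.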
Too often we fall into the “shiny object” trap, in which we want to see that everything will be done the way we want it to, including with technological products. Rarely can a product by itself be a 100% return on investment. The effect is the quality of the tool plus the effectiveness of the people who use it.
If security leaders focus on providing visibility and reporting what their teams can unravel, they can prove to the Board that the organization can quickly detect threats and react to them, which assures business continuity.
Remember: any data is always better than none. Your task is to outperform the alternative (which often is no data and no visibility at all).