Enterprise organizations collectively spend billions of dollars every year on security tools and systems to protect them from an evolving threat landscape. Yet, despite the massive annual investment, the number of data breaches continues to rise.
For the past decade, IT security budgets have been considered an untouchable line item in the budget and have been largely shielded from cuts imposed on other departments due to the existential threat that a major data breach represents.
However, the fear and uncertainty of an impending global recession is forcing business leaders to take a hard look at every entry in their operating budget. Enterprise CISOs can no longer assume that their budgets will be exempt from cost-cutting measures. Instead, they must be prepared to answer pointed questions about the overall cost-effectiveness of their security program.
To put it another way, while the business understands the need to invest in robust security tools and expert practitioners, the question now becomes, how much is enough? How might their security spending be adjusted to still maintain an acceptable risk exposure level?
VB Event
The AI Impact Tour – NYC
We’ll be in New York on February 29 in partnership with Microsoft to discuss how to balance risks and rewards of AI applications. Request an invite to the exclusive event below.
If security leaders are to have any chance of defending or increasing their budget in the years ahead, they’ll need to arm themselves with empirical data and be able to clearly communicate the business value of their security investment to those who hold the corporate purse strings.
Quantifying the security calculus
More than two decades ago, the renowned technology pundit Bruce Schneier coined the phrase ‘Security Theater’ to describe the practice of implementing security measures that provide the feeling of improved security while actually doing little to achieve it.
These days, many executive boards are beginning to wonder if the accumulation of all these security tools and systems are delivering an economic benefit commensurate with their investment — or if it’s merely a form of Kabuki theater designed to make them feel that their valuable corporate assets are being adequately protected.
CISOs are likewise challenged by the fact that there is no standardized approach to measuring the effectiveness of information security. What exactly should security leaders be measuring? How do you quantify risk in terms of metrics the business actually understands? Does having more tools actually keep us better protected or does it just create more management and complexity headaches?
These are just a few of the questions that CISOs must be able to answer as they present and rationalize their operating budget to the executive board.
Key strategies to justify your security budget
By leveraging access to data on past security incidents, threat intelligence and the potential impact of a security breach, enterprise CISOs can make more informed decisions about the resources needed to effectively defend against a potential attack.
Consider these four data-driven strategies as a starting point for defining and communicating the value of cybersecurity to business leaders:
1: Define meaningful metrics
Security metrics are notoriously challenging to capture and communicate in a manner consistent with other accepted business metrics and KPIs. While ROI is fairly straightforward to calculate for a product or service that directly generates revenue, it becomes murkier when trying to quantify the ROI of security tools, which are primarily focused on preventing a financial loss.
While ROI is a metric that’s easily understood by the rest of the business, it may not be the most meaningful to communicate the value of IT security. Likewise, reporting on metrics related to the number of attacks detected and prevented might sound impressive — however, it’s disconnected to what business leaders actually care about.
What’s ultimately meaningful is the ability to align metrics to key business functions and priorities — so if, for instance, an organization’s primary goal is to reduce the impact of possible disruptions on its operations, this can be tracked and monitored over time.
2: Quantify operational risk
To show the value that the security team provides to the organization, you need to start by quantifying risk, then demonstrate how that risk is being mitigated through effective security controls. Determining an organization’s tolerance for risk by defining clear thresholds for acceptable risk levels can help ensure that any identified risks are addressed in a timely manner before they become too large or unmanageable. Some other practical ways by which to both measure and quantify operational risk might include:
- Probability: The likelihood that a particular security risk will occur which can be measured using historical data, as well as expert opinions and third-party research such as Verizon’s annual Data Breach Incident Report (DBIR).
- Impact: The potential consequences of a security breach, including financial losses, reputational damage and legal/compliance liabilities.
- Controls: Identify what measures are in place to prevent, detect or minimize risk. This can include technical controls (such as firewalls or antivirus software) as well as organizational controls (such as policies and procedures).
3: Consolidate tools and vendors
The past decade has seen enterprise security teams go on a security tools shopping spree. A Ponemon study found that the typical enterprise has deployed 45 cybersecurity tools on average to protect their networks and ensure resiliency.
One of the main drivers of new tool adoption is the constantly evolving threat landscape itself, which has in turn spawned a cottage industry of start-ups addressing specific attack vectors. This has led to organizations acquiring an assortment of niche point solutions to address and close gaps. Not only are there cost considerations in licensing these dozens of interconnected and overlapping tools, there is an ancillary cost attached to managing them.
By embracing a platform approach with a shared data and control plane, CISOs can consolidate security tools, streamline operations and reduce gaps and vulnerabilities between legacy siloes.
4: Prioritize visibility
You can’t effectively manage that which you cannot see. This is why it’s essential to prioritize investment in tools and processes that provide broad network visibility to know what’s in an environment and where the greatest risks lie. Other ways to improve security postures:
- Go agentless: This can make it easier to get coverage of cloud workloads. No need to secure the correct permissions, just enter AWS credentials, configure the API and an environment can be scanned in less than an hour.
- Endpoint visibility: Because most attacks begin on individual endpoint devices and provide attackers with an easy route to escalate privileges, visibility is crucial, especially as workers continue to log-in from remote locations.
For the past decade security leaders have fought hard to gain a seat at the boardroom table. If they are to retain that seat, they will need to build a culture of accountability based on empirical data so that they can communicate and rationalize the full value of cybersecurity.
Kevin Durkin is CFO of Uptycs.
DataDecisionMakers
Welcome to the VentureBeat community!
DataDecisionMakers is where experts, including the technical people doing data work, can share data-related insights and innovation.
If you want to read about cutting-edge ideas and up-to-date information, best practices, and the future of data and data tech, join us at DataDecisionMakers.
You might even consider contributing an article of your own!