Specifying cybersecurity investment is no easy task. CISOs face an escalating threat environment, an increasingly saturated security provider market, and budgets that never stretch far enough. When it comes to pitching for additional budget, the situation is made more difficult due to the inherent challenges in proving ROI of cybersecurity spend. It is rather like selling insurance: CISOs must try to put a value on what hasn’t happened – the breaches and disruptions that their strategy will prevent.
About the author
Ian Schenkel, VP EMEA, Flashpoint.
While it is far easier to justify security investment in the wake of a costly breach, it’s not possible and definitely not desirable to run a security programme on an entirely reactive basis. So, what can CISOs do to make the case for proactive investment and get buy-in from budget holders?
Assemble the evidence to build a coherent business case
A critical aspect of building a strong case is showing that the planned investment is based on a solid understanding of what the business needs, backed up with evidence. Ultimately, this is true of every business department. For example, the marketing team develops its strategy following in-depth market research and business intelligence that it uses to spot opportunities and counteract disruptive competitors. Security is not that different. CISOs need a wealth of intelligence around the generalised and specific threats targeted at the business, their likelihood, how they play out and the potential business impacts if an attack succeeds.
However, this ‘market’ intelligence is harder to come by for the CISO than it is for other departments because of four key factors: the relative lack of historical data; the high proportion of “unknowns”; the speed at which security threats evolve and, finally, the illicit nature of the players involved – you can’t run a focus group for cybercriminals.
Assembling and analysing information requires access to multiple sources. Security teams should engage with relevant Information Sharing and Analysis Centres (ISACs) to understand the general industry threats and experiences of peers in the sector. On top of this, privileged threat intelligence from closed sources, including private or invite-only forums, chat services platforms, illicit marketplaces, payment card and account shops and paste sites can identify company-specific threats and ongoing cyberattack campaigns that need to be factored in to cyber defence strategies and used to direct budget spend where it is most needed.
This evidence helps CISOs with the challenge of identifying and – as much as possible – quantifying the threats the business faces. However, while understanding threats is a good start, the next issue is communicating those threats to budget decision-makers in a way that prompts action.
Translate cyber risk into business risk for the board
Risk management is nothing new for boards and executive teams. However, many still lack the skillset to correctly infer cyber risk from technical information. This often results in a misalignment between business risk and cyber risk that prevents them from appreciating the true value of cybersecurity investment.
To overcome this, CISOs need to make their case in terms that the board understands by framing cyber risk in the language of business risk. Business risk is any factor that threatens to disrupt the organisation’s ability to function. Clearly cyber risk is a big part of that, but it is a relative newcomer. The main risks understood by boards are financial, compliance, operational, strategic, and reputational. Obviously, data breaches or ransomware attacks, for example, can have impacts in all these areas, so it is clearer for boards if threats and the investment needed to mitigate them are clearly linked to one or more of these five business risks.
When cyberthreats are framed in terms of the impact that a successful breach would have on the business – lost customer data, compliance failures, interrupted systems, direct financial theft – it is easier for the board to appreciate the ROI of preventing that threat, because it is working with a familiar lexicon.
Making the case for intelligence investment
But what of the business risk intelligence (BRI) programme itself? How does the CISO get buy-in for investment in intelligence? This goes back to the market research analogy: you wouldn’t allocate marketing spend without solid evidence that it is being directed at the right targets, so why would you build a cyber security strategy without detailed knowledge about the environment you’re operating in? CISOs need to know what the business needs in order to make sure it has the right tools to keep data, customers, and IT infrastructure safe. This way, the business is investing proactively, not reactively, in cybersecurity.
Incidentally, the BRI used to build the cybersecurity investment case is relevant to wider security and commercial concerns, too. An effective BRI programme can uncover evidence of physical security threats, insider breach risks and fraud campaigns. Just one example is returns fraud in the retail sector; we see tactics discussed and facilitated time and time again in forums and chat rooms where cybercriminal convene.
BRI can also help manage M&A risk and due diligence, by identifying companies being targeted by threat actors. And as companies increasingly become liable for the security of their partners and suppliers, BRI can be used to identify supply chain weaknesses on a timely basis so mitigating action can be taken.
Ultimately, the more knowledge a business has about the risks it faces, the better decisions it can make. BRI can be linked to every kind of strategic business risk and by providing evidence of credible threats, quantified as much as possible, it can prove invaluable in helping CISOs strengthen the business case for their cybersecurity investment programme.