CISOs being asked those questions should look beyond the topic itself and face the underlying issues it might be hiding.
If the reporting line of the CISO is the oldest ongoing topic of discussion amongst cyber security communities, security ROI is probably the second oldest…
In reality, it hides several endemic problems which have been plaguing the security industry for the last two decades.
First of all, it downgrades cyber security to a mere matter of investments – that would have to be justified – implying that lack of funding and lack of resources are at the heart of low-security maturity levels and the cyber-attacks epidemic we have been seeing for the last 10 years. In fact, problems have largely been elsewhere…
Large organisations have committed billions collectively to cyber security over the period; it’s governance and cultural issues which have led to adverse prioritisation and execution failure.
While it might be the case that some organisations have not invested enough in relation to the threats they face, the security ROI discussions are often the sign of arbitrary programmes of work driven bottom-up by a CISO, either replicating recipes applied elsewhere or listening to the sirens of some tech vendors, when not simply pushing their own pet projects. Cyber security did not appear overnight with the COVID pandemic. Any large organisation will have a history and a legacy of some sort in that space spanning two decades.
Understanding the investments made in the past, what has worked, what hasn’t (and the reasons why), and showing decision-makers that lessons are being learnt around past execution failures would be more important to build trust than a financial ROI calculation which will be invariably plagued by disputable assumptions and estimates, leaving it vulnerable to internal politics and horse-trading around numbers.
Because very often, trust – or the lack of it – is at the heart of the context here, in particular when the ROI question comes top-down onto the CISO. Many CISOs take it as a normal business question and a natural justification to give, while in fact, it tends to mean “I am not sure I understand what you are trying to do and why you want to spend so much”.
It is a rare concern at the top these days, in the face of non-stop cyber-attacks and data breaches; boards are often more concerned with demonstrating they are spending enough on cyber. So the persistence of the cyber security ROI debates is to be seen in my view as…
a symptom of the distrust and the lack of positive engagement between the CISO and senior stakeholders, and a defence mechanism on their part.
Any large organisation would have spent millions or tens of millions – if not more – on cyber security over the past decades; you cannot blame senior execs for being suspicious when they see in front of them yet another investment plan in that space…
Instead of jumping straight into a financial ROI debate where they are likely to lose credit, CISOs who want to drive large-scale transformative programmes around cyber security should focus first on building trust with senior stakeholders and solid communication channels with all of them, working across silos towards business units, geographies and support functions such as Legal, HR or Procurement, as well as IT and their suppliers.
Even if they are working towards the delivery of a long-term large-scale roadmap, they should split it into cheaper manageable chunks, to demonstrate their execution capabilities with simple achievable tasks, addressing business expectations, before getting to meatier (and more expensive) matters. By then, their own clarity of vision and their ability to execute should carry them sufficiently to avoid arbitrary – and often useless – discussions around ROI.
That’s the key with discussions around cyber security ROI: They shouldn’t be happening at all in the current context, given the non-stop avalanche of cyber-attacks we are seeing worldwide.
CISOs being asked those questions should look beyond the topic itself and face the underlying issues it might be hiding.