Author: Tim Sadler, CEO and co-founder, Tessian
Communicating cybersecurity ROI to a company’s leadership team is no easy task. Security leaders are faced with placing a value on things that haven’t even happened, like data breaches, service disruptions and loss of customers. They need to justify security investment and acquire budget to protect organizations from the growing list of threats that could impact the future of the business.
Then there’s the problem of speaking a different language. Cybersecurity metrics are often communicated in complex, technical language that is difficult for the CEO or other business functions to understand. But translating cyber risk into business risk has never been more important, as many organizations face significant budget cuts amid COVID-19.
A comprehensive cybersecurity program is a business-critical function. With three tips, CIOs and CISOs can better communicate cybersecurity ROI by stressing why these programs are a must-have for their organizations, demonstrating the business value of security solutions and building a strong security culture.
Translate Cybersecurity Solutions Into Business Enablers
Cybersecurity should not be treated as a siloed department, but rather an integrated part of overall business functions. One way to communicate the far-reaching value of a cybersecurity strategy is to walk leadership through the consequences of a data breach — loss of customers, data, revenue, intellectual property and more — as these consequences directly affect a business’s bottom line. Connecting the dots in this way helps non-IT executives recognize the importance of strong security practices.
Cybersecurity solutions can also become a unique selling point for the business, rather than being limited to prevention and remediation. Amid regulations like HIPAA, CCPA, and GDPR that dictate how organizations handle sensitive data, a cybersecurity framework can enable the business by being a competitive differentiator. By investing in tools and personnel and being transparent about how your organization protects data, the company can actually bolster credibility and trust amongst prospects, existing customers and clients.
Focus on Metrics Unique to Your Organization
Evidence is a key component of communicating ROI, but what’s most important is using the right proof points and quantifying specific threats and overall risk for an organization.
Instead of using general statistics about overall risk, CISOs and CIOs can use security tools to calculate the potential exposure of the business itself based on organizational data. It’s also helpful to look at the specific types of attacks or phishing scams that target the particular industry. Security news and threat-intelligence-sharing organizations can be used to gather this information. Using data that is more specific to the organization will make the risk more tangible and the need for a solution more urgent.
Simulation tools are also effective for demonstrating the likelihood of a successful attack. Similarly, hiring a penetration tester can spotlight specific network vulnerabilities and justify investment.
Create a Positive Security Culture
Engaging the whole organization to help them understand the value of a cybersecurity program is not easy. Technical risks are often difficult to translate across departments. Meanwhile, policies and procedures that ensure good security habits can be seen as an impediment to employee productivity.
This is why a positive security culture is so important. By using techniques like gamification, positive reinforcement, or interactive content like videos and podcasts to promote security practices, CISOs can engage fellow employees and get more buy-in from executives. These strategies help everyone, regardless of department or level of seniority, understand the risks and responsibilities regarding security and how each employee plays a crucial role.
One major benefit of a positive security culture is that it creates in-house evangelists who can demonstrate the value of cybersecurity. It will also empower security-aware employees to become the organization’s greatest cybersecurity asset. Simple human error causes the majority of security breaches. Getting employees invested in security contributes to overall data protection and cybersecurity objectives.
Ultimately, communicating the value of cybersecurity depends on translating cyber risk into business risk, and making security a guiding principle for your larger organization. With risks and challenges related to remote working becoming the new normal for many organizations, it’s critical that IT leaders engage all employees in shared cybersecurity awareness.
About the Author
Tim is the Chief Executive Officer and co-founder of human layer security company Tessian. After a career in investment banking, Tim and his co-founders started Tessian in 2013, creating a cybersecurity solution that uses machine learning to protect people from risks on email like data exfiltration, accidental data loss and phishing. Tim has since built the company to over 160 employees in offices in San Francisco and London, and raised over $60m from leading venture capital funds. Tim was listed on the Forbes 30 Under 30 list in technology.