Enterprise organizations collectively spend billions of dollars each year on security tools and systems to protect them from the evolving threat landscape. However, despite the huge investments made each year, the number of data breaches continues to rise.
For the past decade, IT security budgets have been considered untouchable line items, largely shielded from the cuts imposed on other departments because of the existential threat that large-scale data breaches represent.
However, the fear and uncertainty of an impending global recession is forcing business leaders to carefully consider every line item in their operating budgets. CISOs can no longer assume that their security budget will be exempt from cost-cutting measures. Instead, they should be prepared to answer pointed questions about the overall cost-effectiveness of their security program.
In other words, businesses understand the need to invest in robust security tools and experts, but the question is: How much is enough? How can you adjust your security spending to maintain an acceptable level of risk exposure?
If security leaders are to have any chance of protecting or increasing their budgets in the coming years, they need to be armed with empirical data and able to clearly communicate the business value of security investments to those holding the company’s purse strings.
Quantifying security calculations
More than 20 years ago, prominent technology commentator Bruce Schneier coined the term “security theater” to describe security measures that make people feel more secure but do little to actually improve security.
These days, many boards of directors are beginning to wonder whether the accumulation of all these security tools and systems is providing a financial return on investment, or whether it is just a kind of kabuki play designed to make them feel that their valuable corporate assets are well protected.
CISOs, for their part, face the fact that there is no standardized approach to measuring information security effectiveness. What exactly should security leaders measure? How do they quantify risk using metrics that the business actually understands? Do more tools actually mean better protection, or do they just add management headaches and complexity?
These are just some of the questions a CISO must be able to answer when presenting and rationalizing an operating budget to the executive committee.
Key strategies to justify your security budget
By leveraging data on past security incidents, threat intelligence, and the potential impact of security breaches, enterprise CISOs can better understand the resources needed to defend effectively against potential attacks and make informed decisions.
Consider these four data-driven strategies as a starting point for defining and communicating the value of cybersecurity to business leaders.
1: Define meaningful metrics
Security metrics are notoriously difficult to capture and communicate in a way that is consistent with other generally accepted business metrics and KPIs. The ROI of products and services that directly generate revenue is easy to calculate, but it becomes far more opaque when trying to quantify the ROI of security tools whose primary purpose is preventing financial losses.
While ROI is a metric that the rest of the business can easily understand, it may not be the most meaningful one for communicating the value of IT security. Similarly, reporting metrics such as the number of attacks detected and thwarted may sound impressive, but has little bearing on what business leaders actually care about.
What ultimately matters is that metrics are aligned with key business functions and priorities. For example, if your organization’s primary goal is to reduce the impact of possible interruptions on operations, that is what should be tracked and monitored over time.
2: Quantify operational risk
To demonstrate the value security teams provide to an organization, they must first quantify the risk and then show how effective security management reduces that risk. Determining your organization’s risk tolerance by defining clear thresholds for acceptable risk levels ensures that identified risks are addressed in a timely manner, before they become too large or unmanageable. Other practical ways to measure and quantify operational risk include:
- Probability: The likelihood that a particular security risk will materialize. It can be estimated using historical data, expert opinion, and third-party research such as Verizon’s annual Data Breach Investigations Report (DBIR).
- Impact: The potential consequences of a security breach, including financial loss, reputational damage, and legal/compliance liability.
- Controls: Identify what measures are in place to prevent, detect, or minimize risks. These may include technical controls (such as firewalls and antivirus software) as well as organizational controls (such as policies and procedures).
3: Integrate tools and vendors
Over the past decade, enterprise security teams have been on a shopping spree for security tools. According to research from Ponemon, the typical enterprise deploys an average of 45 cybersecurity tools to protect its networks and ensure their resilience.
One of the main factors driving the adoption of new tools is the constantly evolving threat landscape itself, which has given rise to a cottage industry of startups addressing specific attack vectors. This has led organizations to acquire a variety of niche point solutions to fill individual gaps. Beyond the cost of licensing many of these interconnected and overlapping tools, there are also ancillary costs to managing them.
By taking a platform approach with shared data and a control plane, CISOs can unify security tools, streamline operations, and reduce gaps and vulnerabilities between traditional silos.
4: Prioritize visibility
You can’t effectively manage what you can’t see. Because of this, it’s important to prioritize investing in tools and processes that provide broad network visibility so you know what’s in your environment and where the greatest risks lie. Other ways to improve your security posture:
- Agentless coverage: Agentless scanning makes it easier to cover cloud workloads. Instead of deploying agents and managing their permissions on every host, you provide your AWS credentials and configure API access, and the tool can scan your environment within an hour.
- Endpoint visibility: Most attacks start on individual endpoint devices, which give attackers an easy route to escalate their privileges. Visibility into endpoints is therefore critical, especially while employees continue to log in from remote locations.
Over the past decade, security leaders have fought hard to win seats in the boardroom. If they want to keep them, they need to build a culture of accountability based on empirical data, so they can clearly communicate the value of cybersecurity.
Kevin Durkin is Uptycs’ CFO.