by Joseph Carson, Chief Security Scientist & Advisory CISO at Delinea
In today’s digital era, cybersecurity stands as a cornerstone for the well-being and growth of businesses. However, even in the face of rising data breaches, ransomware, and various cyber threats, persuading the board to funnel resources into comprehensive cybersecurity strategies isn’t always straightforward.
This challenge arises primarily from the intricacies of presenting a tangible return on investment (ROI) linked to cybersecurity efforts. Most boards focus on business metrics, earnings, and strategic capital allocations, while cybersecurity centers on reducing risks and dealing with intangible elements like “emerging threats.”
Overcoming this dialogue barrier is pivotal in ensuring the board comprehends the importance of cybersecurity and recognizes its worth.
Understanding the Language of the Board
To effectively communicate with the board about cybersecurity investments, it’s crucial to understand their language – the language of finance and strategic business planning. Here are some key concepts and pain points typically expressed by board members:
Return on Investment (ROI).
A consistent concern for the board is the ROI of any potential investment. They seek clarity on the tangible and intangible benefits the company will receive relative to its investments. For cybersecurity, the gains are often about avoiding potential setbacks rather than directly increasing profits. Implementing solutions like Privileged Access Management (PAM) can provide a measurable ROI by reducing wasted time on resetting passwords, secure access to applications and systems or reducing the risk of unauthorized access by malicious attackers.
Business Risk Mitigation.
Board members understand risk dynamics well. They recognize that risks can’t always be avoided but can be monitored and reduced. In cybersecurity conversations, emphasize how the intended investment will curtail the threat of cyber incidents and align those risks to the subsequent financial losses.
Cost-Benefit Analysis.
Cost-benefit analysis is an analytical approach employed by the board to weigh the prospective benefits against the inherent costs of an initiative. Within the cybersecurity context, the advantages often involve safeguarding brand image, avoiding regulatory penalties, protecting revenue, and defending vital business data.
Long-term Strategic Value.
Board members gravitate towards ventures that promise sustained strategic advancement. Regarding cybersecurity, this involves sustaining customer loyalty, assuring uninterrupted business operations, and carving a niche advantage in the industry.
By speaking the board’s language, you can highlight the value of cybersecurity in terms they understand, making it easier to secure buy-in for necessary cybersecurity initiatives.
The True Cost of Inadequate Cybersecurity
In today’s digital landscape, cybersecurity has transitioned from being optional to indispensable. Overlooking or underinvesting in securing Remote Desktop Protocol (RDP) or Active Directory could inflict substantial immediate and subsequent expenses to organizations that dwarf their primary security investments.
Below we’ll examine some of the direct and indirect costs associated with inadequate cybersecurity:
Direct Costs.
Direct costs are the immediate, tangible losses a business incurs following a cybersecurity breach. They include:
- Incident Response: Costs linked to the identification of the breach, its containment, and removal from systems.
- Recovery and Remediation: This pertains to expenses for recovering lost data, fixing breached systems, and setting up defenses against possible future attacks.
- Regulatory Fines: Organizations might be subjected to substantial fines by regulatory authorities if they neglect safeguarding sensitive client information.
- Legal Costs: In situations where consumer information is jeopardized, there’s a potential for legal action, including attorney fees and prospective compensation settlements.
Indirect Costs.
Indirect costs, while less immediately apparent, can have long-lasting effects on a business. These include:
- Reputational Damage: Trust is a fragile commodity. A breach can drastically tarnish an organization’s image, inducing potential business losses and declining market positioning.
- Loss of Customer Trust: Following the disclosure of a breach, consumers may doubt the organization’s data security competencies, influencing both current and future business relationships.
- Operational Disruption: Major cyber incidents can halt regular business functionality, leading to productivity gaps and increased operational spending.
Consider the infamous Equifax data infringement of 2017 as an example. This incident led to the release of the personal details of 147 million individuals and resulted in direct costs upwards of $1.4 billion for Equifax. While harder to gauge monetarily, the ensuing damage to its reputation and customer confidence was immense.
The true cost of inadequate cybersecurity is multifaceted and extends far beyond the immediate financial impact. It can disrupt operations, damage reputation, and erode customer trust. Investing in robust cybersecurity measures is about reducing the risks of potential losses and safeguarding the company’s future.
Calculating the ROI on Cybersecurity
Calculating the Return on Investment (ROI) in cybersecurity can be challenging due to its intangible nature.
Unlike other investments, cybersecurity doesn’t typically generate revenue. Instead, it helps protect revenueprevent losses and secureprotects the company’s digital assets. Therefore, the ROI for cybersecurity is often calculated based on cost savings from potential threats that didn’t materialize thanks to the implemented security measures.
Here’s a basic framework to calculate the ROI on cybersecurity:
- Identify Potential Losses: Begin by determining what’s at stake if a cyberattack hits your organization. This includes direct expenses like system restoration and legal fees, as well as indirect hits like damage to your brand and erosion of customer confidence.
- Estimate the Probability of a Cyberattack: While exact predictions are hard to nail down, historical data and industry trends can offer insights into the chance of a cyberattack targeting your business.
- Calculate Potential Cost Savings: Multiply the assessed risks of a cyberattack by its estimated probability to gauge the potential savings from specific cybersecurity measures.
- Subtract the Cost of Cybersecurity Investments: Finally, deduct the cost for your cybersecurity strategies from the estimated savings to get the ROI.
For instance, if risks from a cyber incident are valued at $10 million, and there’s a 20% chance of it happening, the potential savings stand at $2 million. If you’ve spent $500,000 on cybersecurity, the ROI comes to $1.5 million ($2 million minus $500,000).
Remember, this calculation provides a simplified view of the ROI on cybersecurity. It doesn’t consider some less tangible cybersecurity benefits, such as maintaining customer trust and protecting the company’s reputation.
Start Speaking Your Board’s Language
Knowing how to talk to your board is essential when it comes to cybersecurity investments. By using language that resonates with board members and presenting your ROI calculation simply yet effectively, you can ensure that your cybersecurity investments are given the attention they deserve.
Joseph Carson is a cybersecurity professional with more than 25 years’ experience in enterprise security and infrastructure. Currently, Carson is the Chief Security Scientist & Advisory CISO at Delinea. He is an active member of the cybersecurity community and a Certified Information Systems Security Professional (CISSP).
