Showing investors and top managers your security return on investment is not an easy task. But for a CISO, Return on Investment (ROI) in cybersecurity is their Key Performance Indicator and is often among their Objectives and Key Results. A whole science of Cybersecurity Economics exists to deal with optimal security investment, but it goes far beyond what we could cover in a blog post. Instead, we will show how to demonstrate security investment efficiency in real life.
Why must you demonstrate the effectiveness of security investment? This one is simple: because otherwise, no one will be able to see it. Security is a tricky thing: unlike software features or business objectives, it is obscure. Investing in features and sales obviously pays off or does not, based on the investment’s effectiveness and many other factors.
The point of investing in security is less apparent. After all, the best thing that may happen if your security investment is effective is that nothing happens. Cybersecurity Economics teaches security managers how to identify and measure the prevented loss of security incidents. “Prevented” loss means that the loss never occurred because the CISO made the right choice when investing company resources.
Science aside, what are good indicators of effective cybersecurity investment, the ones that show you have put the money in the right place? We could name five.
1. Everyone gets hacked, and you don’t
Well, this is the simplest one. There is a jungle out there, and the cybersecurity wildlife is rough and challenging. Thus, if you are still in business, it already means something. Cybercriminals herd bots in unprotected systems, ransomware is at an all-time high, and if there is a vulnerability in your defenses, someone has probably already exploited it. You just don’t know it yet.
Crypto extortion and ransomware are bad enough, but they may miss the target through their victims’ pure luck. From time to time, though, a global network worm pandemic happens that leaves no stone unturned. WannaCry, NotPetya, and the mass compromise of MS Exchange servers are excellent examples from recent history. Avoiding such a cyber tsunami is a good indicator that your security program is moving in the right direction. It may not be a guarantee that your cybersecurity defenses are at the top of the world, but it objectively proves that they are way above the average.
As the main reasons for compromise remain the same – employees prone to phishing, systems left unpatched, and passwords being weak – it is still easy to identify the weakest links in your cybersecurity and quickly eliminate the most prevalent vulnerabilities. And the next time there is a global malware pandemic, it will show, as your company stands out from the tens of thousands of its victims.
2. You look for the signs of getting hacked, and you find none
There is another very valuable indicator that you are doing an excellent job as a cybersecurity manager. That is to pay a lot of attention to the incident signal from your apps, systems, and networks and not be able to hear much. Of course, there will always be a lot of noise, and filtering it for valuable data is crucial for this task.
The good thing about cybersecurity is that it is never easy, especially when you are on a blue team trying to defend your company assets from malicious hackers. One of the critical parts of this job is to have a clear vision of what is going on in the infrastructure. Collecting, aggregating, triaging, and analyzing security events is an essential cybersecurity discipline.
Every company could benefit from establishing a Security Operations Center, but not every budget can afford the appropriate investment and talent. If your organization is too young for a SOC, there are other ways to achieve the necessary visibility. Of course, we will never get tired of endorsing Thinkst Canary for their outstanding job creating an affordable security alarm system.
3. You pay others to hack you, and they have a hard time
The third way to make sure you are doing well in cybersecurity investment is to test whether professional hackers can break your defenses. There is a large market for offensive cybersecurity services. These ethical hackers are ready to simulate real-world cyberattacks and report on how well you thwart them.
Finding a good penetration testing firm may be challenging, but you can follow the advice we gave in another post. Once you have found a capable company, it becomes an excellent supplement to your overall cybersecurity effort. If you have found an excellent pentesting team, chances are they will hack you a few times no matter how hard you try. First, it will be some network vulnerability, then some legacy web app, then social engineering. It is OK: after all, this is what you pay them for.
However, after getting a pentesting report from them and making all recommended fixes and adjustments, you will see the change. At some point, after a few pentests, you will find yourself in an unusual position where your pentesting firm praises your effort and recommends raising the bar and trying out more sophisticated red teaming exercises instead of classic pentesting ones.
4. Everyone pays high insurance premiums, and you don’t
Cybersecurity insurance is an excellent thing. It is even better when you have it. It is best if you have it and do not use it. There is a catch, though: in recent months, as cybercriminals have increased the volume of their operations, cyber insurance premiums have skyrocketed.
When cyber insurance first popped up a few years ago, it was as inexpensive as it was unpopular. Until about five years ago, an average organization’s chances of getting hacked were relatively low. Ransomware has changed the game. Before, to get hacked, you needed to do something valuable or important; now the only prerequisite is an internet connection. Nowadays, cybercriminals don’t spend time selecting targets. Instead, they hack everything they can and figure out how to get the ROI later.
During the last six months, the 50% increase in ransomware (and a constant 9% monthly increase in the first quarter of 2021) has changed the insurance pricing. Before, virtually everyone could afford cyber insurance with zero due diligence; now you will have to pay much higher – in some cases tenfold – premiums to get it. Insurance underwriters are working hard to incorporate the change in the risk landscape into their companies’ products, and the changes are not in your favor.
Unless, of course, you can demonstrate that your cybersecurity risks are significantly lower than those of their other clients. Proper risk management results in lower residual risks left to insure, which means lower premium payments. The logic is simple: show the insurance company that you did your homework, and they will provide you with the same coverage for a lower fee.
5. When you finally get hacked, it is not a big deal
As every security professional knows, getting hacked is not a matter of if; it is a matter of when. Accepting an incident’s inevitability is a simple truth one has to adopt early in a career to avoid many disappointments that follow. In the end, amateurs try not to get hacked. Professionals try not to stay hacked.
So, if you did everything just about right, when the day comes, you come prepared. You have your security operations in place to indicate and localize the incident. Your incident response team, whether in-house or a contractor, is ready to engage. All employees know how to deal with the temporary unpleasantness of the crisis. Lawyers have their law enforcement contacts at their fingertips. Top managers and PR have the texts ready for release. The red-teaming folks are prepared to learn from the occasion and incorporate it into their regular exercises. And most important of all, everyone, including you, has lower stress levels along the way.
Of course, these are just the five most straightforward steps you can take to demonstrate the return on your security investment. A proper application of cybersecurity economics will allow you to streamline this process and integrate it into your general management planning and reporting processes.
We at BSG are always happy to help you with your strategic security planning and with optimizing your cybersecurity investment. While throwing money at the problem never really helps in this industry, we know that this is what many companies constantly do. Unfortunately, there are plenty of vendors and products that have this as their business model. Optimal security investment always needs a solid economic background, which many CISOs lack.
We help organizations build the necessary strategic awareness about cybersecurity economics at the top management level and assist security managers in applying it in practice. To know more about our strategic cybersecurity workshop, get in touch by email at [email protected].