Jim Jaeger, Fidelis Cybersecurity: Building a Business Case for Security that the CFO Can Understand

August 2016 by Jim Jaeger, Chief Cyber Services Strategist, Fidelis Cybersecurity

According to a March 2016 PwC report, ‘A False Sense of Security?’, that surveyed 300 Middle Eastern organizations, the region has become one of the prime targets for cyber-attacks. In fact, according to the findings in the report, in 2015, 56% of businesses in the region lost more than US$500,000 as a result of cyber incidents compared to 33% globally. Faced with this reality, organizations across the region have upped their IT security spend. However, one of the biggest challenges when you go shopping for new security tools is answering the inevitable question from finance: “What’s the value?”

Determining the ROI of a new security product isn’t an exact science. There are no hard and fast rules to follow – which is why generic ROI calculators should be avoided at all costs (pun intended).

Measuring the impact of better security is like hitting a moving target. What's more, every organization is unique: its existing infrastructure, its size, its risk level and the potential impact of a security incident all vary significantly. Ultimately, this means that successful security strategies can look very different from one organization to the next.

Where is the value?

On the face of it, most security tools don't appear to save you time or money. They generate new alerts, and this can swamp an already overburdened security team with investigating and tracking down new potential threats. That's not to say that security tools have no value, however; it's by evaluating what a tool actually changes in day-to-day operations that a CFO can understand the true business case for a security solution.

However, the challenges inherent in defining the ROI for security tools do not decrease the importance of defining this information and articulating it for corporate leaders and the Board. The recent explosion in the number of security vendors in the market, offering similar, overlapping solutions and almost identical claims to "solve the security problem", makes picking a comprehensive security solution more difficult. The fact that it's increasingly difficult for CIOs and CISOs to understand if and where security gaps still exist doesn't decrease the importance of helping C-suite executives and the Board understand the value of proposed security programs and the importance of resourcing them.

In security, the biggest benefit will always be reduced risk: "buy this tool (or hire this person) and bad things are less likely to happen." Unfortunately, this argument is highly theoretical and doesn't translate easily into a business case. It's also likely that the same argument has been used for previous security procurements, and it consequently leads to a debate around the likelihood of data being stolen, which is a risky game to play.

Instead of trying to estimate the level of security risk a company carries and how likely an attack may be, it's arguably much more important to analyze the time and/or people a new tool might save and how much more efficient it could make the organization. Some key questions would be:

- Can it automate tedious day-to-day activities?
- Can it reduce requirements for highly skilled, difficult-to-hire security personnel?
  - Will it let tier 1 analysts do the tasks of a tier 2 analyst?
  - Will it allow tier 3 analysts to do the work of an incident responder?
- Does it reduce the time it takes to resolve a threat?
- Will it help consolidate the security stack, e.g., reduce the number of agents operating on endpoints or the number of network security appliances in your rack?
  - Will it reduce the requirement to integrate multiple security devices?
  - Will it reduce the number of screens that monitoring personnel have to focus on?
- Can it improve the speed and accuracy of the company's incident response?

To the CFO, this approach presents clear opportunities to save critical funds and enhance the ROI of security solutions. At the same time, you are reducing the enterprise's risk of a breach, which is a primary focus of the Board of Directors.

For any organization it is almost impossible to predict how much a cyber breach could cost, as it isn't only a case of compensating victims and lost business revenue, but also of damaged reputation. No one is expecting a CFO or the Board to write a blank check for security, which is why explaining the savings an enterprise can make in terms of a more efficient security team, lower hardware costs and minimized risk is paramount to understanding its value.
