How enterprises can show the ROI of their security programmes

Organisations in the Asia Pacific region are reportedly 80% more prone to cyberattacks than the global average, due largely to the speed and scope of growth in the region’s digital use and connectivity.

Whether or not an organisation has been breached, enterprises often find themselves at a crossroads whenever they are asked to justify to their board the value of resources put into cybersecurity. In other words, how can the value of security or security effectiveness be measured?

Common mistakes made

Fundamentally, measurement is a data problem. Much of the data collected is of low quality, which makes it neither meaningful nor reliable.

Questions such as the average salary of a security analyst, or the cost of the average ransomware attack, are good examples: they can yield hundreds of different answers, most of which are based on too few data points and unfounded assumptions.

Common mistakes made by enterprises when measuring security include the use of low-level operational metrics such as key performance indicators (KPIs) and key risk indicators (KRIs). Using these types of metrics can create a misplaced sense of control, because they largely lack business relevance and actionability.

This approach fails to provide the information enterprises need to understand how best to reduce liability. Without a baseline establishing what is good or bad, the KPIs that are typically used are just numbers and cannot give a meaningful indication of the true value of the security programme.

Another point to note is the importance of making security objectives measurable and actionable.

For instance, when measuring effectiveness against phishing, the organisation should not wait for a real attack to happen. It can run simulations, measure the percentage of employees who failed, and work to reduce that failure rate. This has the added advantage of indicating how likely a phishing attack is to succeed, and where to deploy additional compensating controls.

A mindset change is required

The first few steps of measuring security effectively involve a mindset change and they start with a change in the perceived value of security.

In order to help enterprises move away from associating security value with how much money was spent, there is a need to abandon the idea of security being a cost to the organisation.

Instead, security should be treated as an enabler for business innovation and growth.

Moving away from the misconception that success of a security programme revolves only around the probability of an organisation getting breached is just as crucial.

Organisations should instead be asking themselves how they can achieve resilience. This entails recovering from a breach, ensuring data is not exfiltrated when a breach does occur, and other processes that go beyond simply preventing the attacker from getting in.

Understanding the business is key

CISOs and their security teams must be able to understand the business goals and objectives in order to develop a risk profile and determine the organisation’s risk appetite and tolerance.

To put it another way, they must truly understand the company strategy. Effectively reducing risk with limited resources means being targeted and investing where it matters most. It needs to be clear how something that is measured fits into the security strategy, and how it can be improved.

Use the right metrics

The crux of measuring the value of security accurately lies in picking out the right metrics and assessing performance against those metrics over a period of time.

According to Gartner, cybersecurity priorities and investments should be based on achieving a set of outcomes that are consistent, adequate, reasonable, and effective, or CARE in short. CARE is a useful framework designed to help organisations assess the credibility and defensibility of their cybersecurity programmes.

It is recommended to develop a catalogue of 20 to 30 CARE metrics that translate operational metrics into something easily understood even by a non-technical audience. These CARE metrics should help assess the consistency, adequacy, and effectiveness of the security programme, among other factors.

The CISO’s role is constantly evolving, and it is becoming increasingly important for those in the role to understand the risks and options facing the broader business.

Only by having a strong understanding of how the business understands and manages its risk can CISOs measure the value of cybersecurity accurately, and defend the credibility of their security programmes to stakeholders.