What steps can the finance team take to measure the ROI of cybersecurity investments and demonstrate their value to IT or the CISO? How collaborative is the process between teams?
CFO, a year ago
Create and invest in partnerships with relevant stakeholders such as the technology department, the executive team and the board. Externally, build the same strong relationships with banks, insurance brokers and security vendors. Have that short list of phone numbers you will call should anything happen. Ideally all attacks can be averted in time and no financial, brand or other damage is done. The ROI then becomes a measure of comfort for the organization as a whole.
Cyberattacks, whether financially significant or not, are nonetheless disruptive to the business. Investing in cybersecurity and raising awareness thus becomes crucially important for the organization and all of its stakeholders.
Even for something like breaches, etc., it can be a problem. Using an average figure can be misleading, since the average can include firms that are much larger or smaller than you. If you're a small shop selling $250K online, then saying that the cost of an average breach is $500K doesn't make sense.
Depending on which jurisdiction(s) you fall under, you may or may not be obligated to disclose breaches. One common technique is to use a variety of KPIs and make sure that they align with the overall corporate strategy.

Personally, though, I think that if you want to show value you should have an audit done, and this should include a penetration test. The goal of this would be to show where the weaknesses are in the system and what sort of data someone might be able to compromise. In general it's very hard to justify spending $200K to upgrade your credit card processing server, but if you can show that there might be a weakness, and that if the server is compromised the firm will face $1M in liability and a loss of reputation, then things can change. If you're lucky, the red team might find weaknesses that you were not aware of and help you remediate them before someone exploits them.

Trying to get buy-in to do an audit with a red team might be a challenge, but if you position it as a way to test your security and people to make sure that things are working as intended, hopefully you can make the case well enough, and leadership can see the case well enough, to move ahead. If you need help, you can also show the number of times per day/hour that someone is probing your network/website that you've caught/blocked.
Good luck, let me know if you need anything else.
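The last suggestion in the answer above, the count of probes caught or blocked per day or hour, is a KPI that has to be derived from logs rather than quoted from a vendor report. The script below is an added example (not code from either poster) showing one way to derive it. It assumes a hypothetical `key=value` firewall log format and constructed sample lines, including one deliberately corrupt line, so that malformed input is counted as skipped rather than silently absorbed into the numbers shown to the board.

```python
"""Derive the "probes caught/blocked per hour" KPI from firewall-style log lines.

Added example. The log format below is hypothetical (not a real vendor's) and
the sample lines are constructed; point parse_line at your own format by
changing LINE_RE.
"""
from collections import Counter
from datetime import datetime
import re

# Constructed sample log. One line is deliberately corrupt so the report
# shows how many lines could not be parsed (a number worth watching too).
SAMPLE_LOG = """\
2024-03-01T09:12:01Z action=block src=198.51.100.7 dst_port=22 reason=port-scan
2024-03-01T09:12:05Z action=block src=198.51.100.7 dst_port=23 reason=port-scan
2024-03-01T09:40:33Z action=allow src=203.0.113.15 dst_port=443 reason=web
2024-03-01T09:55:10Z action=block src=203.0.113.9 dst_port=443 reason=web-scan
2024-03-01T10:01:44Z action=block src=198.51.100.7 dst_port=3389 reason=port-scan
2024-03-01T10:30:00Z action=allow src=203.0.113.15 dst_port=443 reason=web
2024-03-01T10:45:12Z action=block src=192.0.2.44 dst_port=443 reason=web-scan
this line is corrupt and should be skipped
2024-03-01T11:02:19Z action=block src=192.0.2.44 dst_port=8080 reason=web-scan
"""

# Hypothetical line format: ISO-8601 UTC timestamp followed by key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) "
    r"action=(?P<action>allow|block) src=(?P<src>\d{1,3}(?:\.\d{1,3}){3}) "
    r"dst_port=(?P<port>\d+) reason=(?P<reason>\S+)$"
)


def parse_line(line):
    """Return a record dict for a well-formed line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    rec["port"] = int(rec["port"])
    return rec


def summarize(log_text):
    """Aggregate blocked events per hour and per source from raw log text."""
    blocked_per_hour = Counter()
    hours_seen = set()
    sources = Counter()
    total = blocked = skipped = 0
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if rec is None:
            skipped += 1          # corrupt/unknown lines are reported, not hidden
            continue
        total += 1
        hour = rec["ts"].strftime("%Y-%m-%d %H:00")
        hours_seen.add(hour)      # hours with any traffic, for the per-hour average
        if rec["action"] == "block":
            blocked += 1
            blocked_per_hour[hour] += 1
            sources[rec["src"]] += 1
    return {
        "total_events": total,
        "blocked_events": blocked,
        "skipped_lines": skipped,
        "blocked_ratio": blocked / total if total else 0.0,
        "blocked_per_hour": dict(sorted(blocked_per_hour.items())),
        "avg_blocked_per_hour": blocked / len(hours_seen) if hours_seen else 0.0,
        "top_sources": sources.most_common(3),
    }


def report(summary):
    """Render the summary as the short text a finance audience would read."""
    lines = [
        f"Events parsed: {summary['total_events']} "
        f"(skipped {summary['skipped_lines']} unparseable line(s))",
        f"Blocked probes: {summary['blocked_events']} "
        f"({summary['blocked_ratio']:.0%} of events)",
        f"Average blocked per hour: {summary['avg_blocked_per_hour']:.1f}",
        "Blocked per hour:",
    ]
    lines += [f"  {hour}: {n}" for hour, n in summary["blocked_per_hour"].items()]
    lines.append("Top blocked sources:")
    lines += [f"  {src}: {n}" for src, n in summary["top_sources"]]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(summarize(SAMPLE_LOG)))
```

The per-hour average is taken over hours that had any traffic at all, so a quiet overnight gap does not drag the figure down; if you want "per calendar hour" instead, divide by the span between first and last timestamp. Either way, state which definition the KPI uses when you present it, since the two can differ by a lot.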