In this age of commodity IT, cybersecurity (cyber) is no longer immune to the C-level challenge to “Prove it!”
Many industries are still making deep spending cuts, and plying customers with “Cyber is ROI” and “Think of it like insurance!” simply doesn’t resonate.
Executives hear “investment” as code for “long time plus big price tag”. Despite best efforts, there remains a major disconnect between cyber value and business value.
If you want to compete in the cyber market then the discussion is inevitably a hard dollars and business sense conversation: “Our time to market for mobile apps increased 50% after we deployed a secure app store solution.” Real stories, real metrics, real value.
The imperative today: products and services must work AND must deliver fast. CIOs and CSOs know they will have to have a conversation with their CFOs. As security professionals we need to help them. We must speak their language. The F&A floor is seldom impressed by products that are cool. Even less so if cool can’t demonstrably convey assurance, cost reduction or realized business enablement.
“But we just found a zero day APT!” Not surprised. Breaches are inevitable. This approach, however, is not convincing to the finance director. Anecdotes are good, but they lack tangibility. The new reality is that there are two kinds of companies: those that know they’re compromised and those that don’t.
“So, raise the cost in the kill chain?” Okay, but to what end? Threat identification is a good thing—it’s good to know who’s been living in your house and who’s eating that last slice of pie when all are asleep. There’s more value if you can estimate marginal benefit (and cost) so we know how much to spend. At some point, there are always diminishing returns for raising that bar. Finance folks understand that. If we want to make our case, we need to be on their page.
Here are a few leading questions to consider. Your ability to answer questions like these will help demonstrate bona fides:
- Did the tool we bought measurably decrease our per-incident mitigation costs?
- Did we lower our audit costs because we had evidence-based artifacts?
- Did we increase our uptime during core productivity hours?
Written by good friend and colleague Michael Lucero
Original stories and articles may be republished without charge provided that attribution is provided to the source and author. Articles written for, and published first elsewhere, are subject to the republishing terms and conditions of the host site.