The economic and market slump has ignited a round of cost-cutting in organizations across the board, but the security risks don’t change just because market conditions do. It could be raining cats and dogs outside, but the hackers would still have the same purpose that they did on a sunny day.
Businesses have to understand that. So if you’re a CISO who is experiencing cuts in your budget, you’ve got to ask yourself whether you’ve done a good job giving your organization a clear view of the risks, what you’re solving for, and communicating to everyone the importance of what you’re doing. Transparency is everything: security departments can no longer be that nebulous black box where everything is a secret. Communicating value is about communicating strategy.
When we talk about budgets, I feel like information security always gets the short end of the stick because we struggle to prove value in the boardroom. The conversation is always “you have to do XYZ so these bad things don’t happen,” scaring everyone in the boardroom, when what we really should be discussing is value: putting numbers behind the risk, making sure everyone has a clear understanding of the impact on the bottom line, and being able to show value in preventing attrition and improving customer retention. In short, communicating the return on the security team’s investment for the business itself.
These conversations are all about metrics that you develop as a business leader. The key is to make sure you obtain the data and then be able to put it in front of your executive leadership and your board of directors.
In my organization, Customers Bank, we use something called the ROSI, which stands for Return on Security Investment. With the ROSI score, you want to be able to come up with a percentage that shows that for the security investment that you make, your organization gets this level of return by preventing breaches.
It’s the evolution of the conversation from what do we spend on security, to what do we invest, and what do our proactive measures protect in terms of company revenue. Being able to share it with your executives and your board in that way makes for a much more consistent conversation so they can understand it from a cost and a relative risk perspective.
You’ve got to demonstrate that this is money your organization has to spend – but at the same time, the security investments are contributing to the business by being able to improve its ability to retain its revenue.
It’s all about how you talk about it. From my personal experience, CISOs are still struggling to change their conversation from a technical one to a business one. They have to look at how they communicate risk and how they’re solving for it. They have to figure out how to communicate the importance of what they’re doing so they aren’t asked to cut their budgets.
I’ve been in the C-suite for 13 years, and I’ve never had a budget cut in my career. And I think that the reason for that is I’ve always focused very seriously on making people understand why I was spending money, and the importance and value of the money I’ve spent. I have very strong relationships with my CFOs, who have never found it necessary to ask me if there are a couple of dollars I can save.
When people understand the value we bring, the purpose we have, the issues we solve and the risks we prevent, we can avoid the “budget cutting” conversation.