It’s a fact: if you and your firm are not actively investing in cyber security, you are falling behind. There are many reasons why firms are not advancing this cause, but most likely they either suffer from security complacency (check out my previous blog on the subject) or struggle to show an ROI on this type of spending. Cyber security spending can appear intangible if you aren’t sure what you are looking for.
Unfortunately, it’s almost as if CFOs and business leaders think of cyber security as some wizard behind a shiny curtain pushing buttons and making lights blink or stop blinking. That’s generally because they simply can’t comprehend what they can’t touch or see, so let’s show them. In this article I’m going to demonstrate some non-traditional ways to accomplish this, as well as one of the most traditional.
Perform a mock data breach – Start by prioritizing your mission-critical data if you haven’t already done so. Then randomly select between 1 and 5% of that data and move it to a simulated environment called “mock hacker.” Put a list together of everyone that you’d have to notify if that mock data were stolen, and the impact of that data loss, ranging from lost customers, media exposure and legal fees to reputational damage. Assign a dollar impact to this mock breach of just 1-5% of your most important data, and describe how your firm would recover the lost revenue. As an example, in a recent meeting with the head of one of the leading healthcare companies on the east coast, he told us that each stolen record costs them hundreds of dollars. Multiply this by a breach of 10,000 records, and you get to huge numbers.
Understand what your competitors are doing – Talk with your vendors and research groups to understand what your market peers are doing. You do this for product research, so why not for cyber security? Then put a price tag on an estimated 10% and 50% of your customers leaving your firm because they no longer have confidence that their data is being protected. You must build and maintain your customers’ trust, or there is a real cost associated with not doing so.
Show metrics around increased unexplained network traffic – This is quite simple and can be based on fact. Work with your network group to establish a baseline for legitimate network traffic. Then compare that baseline to any increase in unexplained network traffic over time. The difference is most likely due to untrusted computers or rogue hackers trying to get into your network. You can analyze the source IP addresses for their origin, determine the number of invalid login attempts, show whether the number of account lockouts is increasing, and then make a basic statement based on this important network data. This can show whether the probability of a network breach is increasing, and that has a cost associated with it.
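One way to turn raw authentication events into the baseline-versus-current metrics described above, as an added example that is not part of the original post (the log format, the sample lines and the trusted address range are all constructed for illustration):

```python
# Added example (not from the original post): derive the trend metrics the post
# recommends (failed logins, lockouts, sources outside the trusted address space)
# for a baseline window and a current window. Log format and data are constructed.
from datetime import datetime

# Constructed sample events: "<ISO timestamp> <source ip> <user> <result>"
SAMPLE_LOG = """\
2024-03-04T09:00:00 10.0.0.5 alice success
2024-03-04T09:05:00 10.0.0.7 bob failed
2024-03-05T11:00:00 10.0.0.5 alice success
2024-03-06T02:00:00 203.0.113.9 admin failed
2024-03-11T09:00:00 10.0.0.5 alice success
2024-03-11T03:00:00 198.51.100.4 admin failed
2024-03-11T03:00:10 198.51.100.4 admin failed
2024-03-11T03:00:20 198.51.100.4 admin lockout
2024-03-12T03:10:00 203.0.113.9 root failed
2024-03-12T03:10:05 203.0.113.9 root failed
"""

TRUSTED_PREFIXES = ("10.",)  # constructed: the firm's own address space

def parse(log):
    """Yield (timestamp, ip, user, result) tuples from the constructed log format."""
    for line in log.splitlines():
        ts, ip, user, result = line.split()
        yield datetime.fromisoformat(ts), ip, user, result

def metrics(log, start, end):
    """Count the post's indicators inside the window [start, end) given as ISO dates."""
    lo, hi = datetime.fromisoformat(start), datetime.fromisoformat(end)
    failed = lockouts = 0
    untrusted = set()
    for ts, ip, _user, result in parse(log):
        if not (lo <= ts < hi):
            continue
        if result == "failed":
            failed += 1
        elif result == "lockout":
            lockouts += 1
        if not ip.startswith(TRUSTED_PREFIXES):
            untrusted.add(ip)  # distinct sources outside the baseline address space
    return {"failed_logins": failed, "lockouts": lockouts, "untrusted_sources": len(untrusted)}

def trend(log, baseline, current):
    """Per metric: (baseline value, current value, percent change or None if no baseline)."""
    base, cur = metrics(log, *baseline), metrics(log, *current)
    return {k: (base[k], cur[k],
                None if base[k] == 0 else round(100.0 * (cur[k] - base[k]) / base[k], 1))
            for k in base}
```

A week-over-week call such as `trend(SAMPLE_LOG, ("2024-03-04", "2024-03-11"), ("2024-03-11", "2024-03-18"))` gives the numbers to put in front of the CFO: failed logins and untrusted sources both doubled and a lockout appeared where the baseline had none.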
Analyze the metrics for your DLP and antivirus systems – Understanding what your DLP and AV scanners are doing is critical. This can show whether someone is trying to get data into or out of your systems and applications. This operational data often gets ignored, yet it can shed light on what’s really happening. Don’t you want to know whether these trends are increasing and what is driving them?
Consolidate and decommission systems and applications – This is the most traditional way and likely the most familiar metric for the CFO and business leader to understand, but it often can’t stand on its own. Simply show the recurring cost that will be eliminated when a system or application is shut off. This should include things like licensing, vendor support and maintenance, staff support costs, data center space, the cost of SSL certificates provided to business partners, etc. These are real dollar savings.
Outlining the non-traditional ways along with the traditional ROI metrics is the most logical and surest way to get your cyber security spending approved. It’s still going to take some negotiating and explaining, but the more metrics, scenarios and data points you’ve considered, the more likely you are to succeed.
So go put a clear and concise cyber security investment business case together, explain it in layman’s terms and you’ll get more from your CFO and business leaders.