Measuring Cybersecurity ROI Part 1: The Value of Mitigating Risk
CISOs and their teams face a daunting task fending off cybersecurity threats, which at present number in the hundreds of millions. But security leads also have to deal with a challenge that can be equally frustrating – articulating the value of their operations to leadership.
The root of the issue is the difficulty in making the case for security as a competitive strategic advantage. Leadership often sees cybersecurity in negative terms – as a “necessary evil” or sunk cost. In this view, it adds nothing to the bottom line, and a lack of senior-level buy-in can marginalize the security operation. (Computer Weekly)
Many CISOs don’t have a “seat at the table” and often report difficulty securing the necessary budget to safeguard the company. As one CISO puts it, “traditionally, boards have prioritised sales, HR and customer services above IT security because they do not consider security as having any strategic value or they do not see cyber risk on the same level as other forms of business risk.”
In this environment, it becomes especially difficult to cultivate a security culture, which is essential to mitigating the human element in the risk equation. Twenty-seven percent of respondents in a recent study said “a lack of senior executive buy-in or understanding” is one of the primary factors inhibiting a strong culture of cybersecurity. (Security Magazine)
That culture may sound like it’s hard to quantify – after all, you can’t really count culture – but culture drives patterns of behavior which can be shown, via red team exercises, to substantially drive up the cost of penetration, making the organization a far less attractive target for cybercriminals. (Security Magazine)
Another major problem with the general undervaluation of cybersecurity is that it impedes development of a productive, proactive security strategy. Nearly two-thirds of UK IT decision makers say their security program is “continuously reactive due to constantly changing legislation, threats, and other external factors.” (HelpNet Security) This means the cybersecurity program is dictated, post facto, by the landscape instead of the organization’s business objectives.
Admittedly, it’s easier to talk about ROI for “positive” initiatives – ones that drive clear, identifiable revenue – than “negative” ones, where only the expenditures are obvious and quantification appears to hinge on understanding things that didn’t happen.
Still, it’s critical that CISOs and their C-Suite colleagues be able to discuss security initiatives in a shared language. This means the security team needs to find ways of expressing their value in business terms.
As it turns out, fully articulating cybersecurity ROI involves a comprehensive look at both the positive and negative.
First, the obvious: cybersecurity absolutely is a cost of doing business. (CS Hub) A huge piece of cybersecurity’s value rests with its ability to prevent breaches, and that risk can’t be overstated. A recent Cisco study predicted cybersecurity will drive and safeguard “an estimated $5.3 trillion in private sector digital Value at Stake in the next 10 years,” and the average cost of a data breach is roughly $4 million. It’s not hyperbole to say many businesses are a hack away from existential catastrophe. (Business2Community, CS Hub)
So, how to state the ROI for prevented breaches?
As ITSP Magazine explains, “ROI should be based on how much loss the organization could avoid due to the investment.” Their analysis relies on the SANS Institute’s Return on Security Investment (ROSI) framework. (ITSP Magazine)
The first two-thirds of that equation can be fuzzy, but tools – such as the FAIR framework – exist to inform the quantification of risk. (WeForum)
In part 2 we address cost savings and the value of cybersecurity in the M&A process.