Putting Real Numbers to Measuring Cybersecurity Costs and Risk Mitigation
By Fred Streefland, Chief Security Officer for North and Eastern Europe at Palo Alto Networks.
As a chief information security officer, one of the biggest challenges I faced was in measuring the value of our organization’s cybersecurity investment. Fortunately, tools and methodologies to translate cybersecurity more specifically into costs and benefits are now available, so CISOs can be more detailed than ever before in measuring the effectiveness of risk mitigation.
By attaching real numbers to cybersecurity—this is how much a breach will cost us, this is how much we can reduce risk by making this specific investment—CISOs can raise the level of conversations with board members and C-suite executives. This makes it simpler for business leaders to make informed decisions about how much to budget for cybersecurity and to determine the effectiveness of spending to mitigate risk.
If you are a board member or C-level executive, it is time to raise the bar for yourself and your CISOs in terms of measuring the impact of cybersecurity investments and budgets. In this article we explore some of the methodologies and tools that CISOs can now use to be more accurate, specific and realistic about how much cybersecurity will cost, and how effective it will be in reducing risk.
The Importance of Risk Assessments and Roadmaps
Cybersecurity risk mitigation is more critical than ever. With most companies embracing digital transformation, the impact of a breach can be crippling, in terms of money lost, damage to brand reputation and partner/customer goodwill. At the same time, the threat landscape is increasingly sophisticated, better funded and more coordinated.
For CISOs and cybersecurity teams in your organization, every action and investment should be made with the goal of mitigating risk. There are two critical steps your teams should take:
- Cybersecurity Risk Assessment: Step one is a complete and thorough cybersecurity risk assessment. As I’ve previously noted, not doing a risk assessment is the greatest risk. Part of the assessment is to measure the organization’s state of cybersecurity across a wide range of variables that adhere to industry-standard best practices. I often use the ISO 27001 Security Framework, which covers 14 different domains, each of which has a direct impact on risk. These include security policies, compliance, asset management, operations security, supplier relationships and other key factors. The important point for business leaders to understand is that by using ISO 27001 or another standard as a baseline, your teams can measure where the organization stands and can identify areas needing improvement and additional investment. Other suitable frameworks include the National Institute of Standards and Technology (NIST) Cybersecurity Framework and COBIT 5 for Information Security—as long as the framework is understandable and measurable for the board.
- Strategy and Roadmap for Risk Mitigation: The second step, once you’ve completed your assessment, is to develop and implement a strategy and roadmap for risk mitigation. The overall strategy should tie into the business goals, i.e. understanding the costs of a potential breach and how much risk the organization is willing to tolerate, identifying the “crown jewels,” etc. In building the roadmap, the CISO and security teams should refer to the underlying framework, such as ISO 27001, NIST or COBIT 5, to identify important risk sectors that must be addressed. These can be factors such as lack of visibility, lack of control, overcomplexity, lack of personnel resources and others.
Measuring the Costs and Financial Impact of Risk Mitigation
The next important step is to “connect the dots” in terms of translating the risk mitigation roadmap into actual benefits. On the one hand, it is fairly simple to look at the direct costs of cybersecurity in terms of investment in technologies, operations and personnel. On the other hand, the step that continues to be elusive for CISOs is to specifically measure the financial impact of that investment in terms of risk mitigation.
That’s where CISOs can be creative in using tools and technologies at their disposal, in addition to leveraging their relationships with leading cybersecurity vendors to help guide and inform their roadmaps.
Starting with ISO 27001 or other industry standard frameworks, CISOs can create a “holistic security umbrella” that measures where, when and how changes in policies, investments, personnel, etc., can deliver improvements. Next, the organization can look at the costs involved in making those changes and create specific targets and timing for risk mitigation initiatives.
The harder part has been to translate these investments into actual, measurable financial impacts of risk mitigation. One of the methods I’ve found to be effective in measuring risk mitigation is to leverage accepted industry research and best practices.
Leveraging Available Research and Best Practices
One tool I recommend is the Cost of a Data Breach Report conducted by Ponemon Institute on behalf of IBM. This easily accessible public report provides a wealth of valuable information that CISOs can use to measure the financial impact of their risk mitigation investments.
In the 2019 Cost of a Data Breach Report, the average total cost of a data breach was $3.92 million and the average cost per lost record was $150. The report provides extremely useful granular information, such as:
- Organizations undergoing a major cloud migration at the time of the breach saw a cost increase of $300,000.
- System complexity increased the cost of a breach by $290,000.
- Encryption reduced breach costs by an average of $360,000.
- Business continuity management in the aftermath of a breach reduced the total cost by an average of $280,000.
- Conducting extensive testing of an incident response plan could reduce the cost of a breach by an average of $1.23 million.
- Organizations that had not deployed automation experienced breach costs that were 95% higher than breaches at organizations with fully deployed automation.
These are just some of the relevant measurements contained in the report. By extrapolating the costs in this research and relating it to investments, CISOs can provide business decision-makers with a clearer picture of the value that risk mitigation is bringing to the organization.
To take one example from above: If the cybersecurity risk assessment shows that encryption is a weakness, the organization could invest $200,000 in encryption to reduce risk by $360,000 per year. Or it could invest X amount in extensive IR testing to reduce risk by an average of $1.23 million per year, depending on the size of the company, the region and the industry.
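The following is an added worked example, not code from the article or from Palo Alto Networks, showing how the report figures quoted above can be turned into an investment comparison. It assumes that the report's additive per-breach adjustments can be summed onto the average breach cost, that the automation finding applies as a multiplier on top of that sum, and that an expected annual saving is the per-breach reduction multiplied by an assumed annual breach probability (the report figures are per breach, so that probability is a constructed input the organization must supply from its own risk assessment). The investment costs and the breach probability used in the usage section are constructed values.

```python
"""Added example: estimating breach cost from the report's averages and
ranking candidate risk-mitigation investments by net annual benefit."""
from dataclasses import dataclass

# Per-breach figures as quoted in the article from the 2019 report (USD).
AVERAGE_BREACH_COST = 3_920_000

# Cost adjustments the report attributes to specific factors (USD per breach).
# Positive values raise the expected cost of a breach, negative values lower it.
FACTOR_ADJUSTMENTS = {
    "cloud_migration_in_progress": +300_000,
    "system_complexity": +290_000,
    "encryption": -360_000,
    "business_continuity_management": -280_000,
    "extensive_ir_plan_testing": -1_230_000,
}

# Breach costs without automation were 95% higher than with full automation.
NO_AUTOMATION_MULTIPLIER = 1.95


def estimate_breach_cost(factors, automation_deployed=True, baseline=AVERAGE_BREACH_COST):
    """Estimate the cost of one breach for an organization with the given factors.

    Assumption: additive adjustments are summed onto the baseline first and the
    automation multiplier is applied afterwards. The report does not state how
    its findings combine, so treat the result as an indicative figure.
    """
    cost = baseline
    for factor in factors:
        if factor not in FACTOR_ADJUSTMENTS:
            raise ValueError(f"unknown factor: {factor}")
        cost += FACTOR_ADJUSTMENTS[factor]
    if not automation_deployed:
        cost *= NO_AUTOMATION_MULTIPLIER
    return cost


@dataclass(frozen=True)
class Investment:
    name: str
    annual_cost: float  # constructed: what the control costs the organization per year
    factor: str         # the report factor this investment puts in place


def annual_expected_loss(breach_cost, annual_breach_probability):
    """Annualized loss: single-breach cost times the assumed annual breach probability."""
    return breach_cost * annual_breach_probability


def net_annual_benefit(investment, current_factors, annual_breach_probability):
    """Expected annual loss reduction from adding the investment, minus its annual cost.

    With a probability of 1.0 this reproduces the article's 'per year' reading of the
    per-breach reduction; lower probabilities show how much the estimate depends on it.
    """
    before = annual_expected_loss(
        estimate_breach_cost(current_factors), annual_breach_probability)
    after = annual_expected_loss(
        estimate_breach_cost(list(current_factors) + [investment.factor]),
        annual_breach_probability)
    return (before - after) - investment.annual_cost


def rank_investments(candidates, current_factors, annual_breach_probability):
    """Return (name, net annual benefit) pairs, best first, for a set of candidates."""
    scored = [(net_annual_benefit(c, current_factors, annual_breach_probability), c)
              for c in candidates]
    scored.sort(key=lambda pair: pair[0], reverse=True)
    return [(c.name, round(net)) for net, c in scored]


if __name__ == "__main__":
    # Constructed candidates; the $200,000 encryption spend is the article's own figure.
    candidates = [
        Investment("encryption", 200_000, "encryption"),
        Investment("IR plan testing", 150_000, "extensive_ir_plan_testing"),
    ]
    # Constructed assumption: one breach expected every four years on average.
    for name, net in rank_investments(candidates, [], 0.25):
        print(f"{name:16s} net annual benefit: {net:>10,d} USD")
```

The rank changes markedly with the breach probability: at 1.0 the encryption spend nets the article's $160,000, while at 0.25 it nets a loss, which is why the probability input belongs in the risk assessment rather than being left implicit.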
The Ponemon report offers breakdowns by region and industry, so it makes it easier for CISOs to tailor the research to their specific organizations. And because it is numbers-driven, CISOs can create visual presentations and conduct conversations in the language of business, i.e., total costs and returns on investment.
By using simple, widely accepted methodologies and research such as the ISO 27001 Security Framework, NIST, COBIT 5 and the Ponemon Cost of a Data Breach Report, CISOs can paint a much clearer picture of what the business is actually paying for and what they achieve in cybersecurity risk mitigation.
As a business leader, whether in the boardroom or the executive suite, it is reasonable to ask for measurable information that correlates cybersecurity costs with risk mitigation benefits. The tools are now there for CISOs to be more specific in connecting the dots between costs and risk. Therefore, as a business leader, you don’t have to settle for anything less.
Fred Streefland is chief security officer for North and Eastern Europe at Palo Alto Networks.