Have you ever felt the need to calculate the value of your cybersecurity program or to justify why you need resources to do your job? If so, you’re not alone. Proving the value of the work we do is something we all must face as cybersecurity professionals.

Trying to prove the value of your cybersecurity program can seem like a murky endeavor. However, there’s a right way and a wrong way to go about it. Let me explain by way of example.

The Boy Who (Almost) Cried $80 Million

Twelve years ago, Larry Ponemon put out the first-ever study on cybersecurity ROI. As part of his research, the study used information provided by compromised organizations to calculate the cost per data record of a breach. It ended up being $182 per data record.

As the company executive responsible for justifying the investment our company was making in cybersecurity, I was fascinated by the study and saw it as an opportunity to validate some of the cybersecurity initiatives I had been championing within the organization. While mindful of Larry’s findings, I worked with our DBAs and IT leaders to determine how many records we had in our company’s key business systems that included sensitive data. Once I found out how many total sensitive data records we had in our systems, I multiplied that amount by $182 to get the “worst-case scenario” cost of a security breach for my company. It ended up being $80 million.

I knew that if I went in and told our board we were exposing ourselves to a potential $80 million loss, I would get laughed out of the room, because at the time there were very few data breaches that were reported to cost anywhere in that range. Quoting that number would undermine my message and credibility. Trying to use that metric to justify our investment in cybersecurity could have ended up costing me budget, resources, or a career!

Don’t Use These Tactics to Try to Prove Your Value

Here are three common, but dangerous, tactics I see cybersecurity professionals trying to use to justify the value of their program:

  1. Calculating the cost of a breach. Many cybersecurity professionals take the same approach I did when trying to prove the value of their program. Unfortunately, the nebulous industry statistics don’t hold up in boardroom conversations.
  2. Talking about the hit to the stock price. Remember Target’s data breach in 2013 that ended up costing them millions of dollars? Well, Target’s stock price is trading higher today than it was before the breach, and the company’s reputation has fully rebounded. Executives are going to look at the long-term view and blow holes in this argument.
  3. Trying to compute security ROI. If you’ve figured out how to do this in a justifiable format, I’d love to know. In the years I’ve been in the information security industry, I’ve never been able to find someone who can present an ROI calculation without a CFO being able to completely dismantle their argument. And, when this happens in a boardroom, the rest of the cybersecurity leader’s message is undermined because their credibility has been challenged.

The above are tactics that security leaders have used to justify investment in cybersecurity program initiatives. While they are well-intentioned and, in theory, could become part of an overall perspective on risk management, each of these approaches exposes the security leader to being challenged on the numbers or the assumptions in ways that ultimately undermine the point of the message. Instead of getting bogged down in predictions and projections, successful security leaders should focus on communicating how their programs support the company’s business objectives and how the initiatives that are proposed or underway protect the organization against the greatest risks to its systems and data.

LBMC Information Security’s team of leaders in the information security industry is here to help. Subscribe to our blog or podcast to stay up-to-date on the latest cybersecurity news and trends. You can also explore our Security Consulting services or contact us today to learn how we can help you with information security solutions.

This blog is the eighth in a series by Mark Burnette on security leadership that focuses on key issues security executives face daily and tips for how to navigate those issues with excellence.