Have you ever felt the need to calculate the value of your cybersecurity program or to justify why you need resources to do your job? If so, you’re not alone. Proving the value of the work we do is something we all must face as cybersecurity professionals.
Trying to prove the value of your cybersecurity program can seem like a murky endeavor. However, there’s a right way and a wrong way to go about it. Let me explain by way of example.
The Boy Who (Almost) Cried $80 Million
Twelve years ago, Larry Ponemon put out the first-ever study on cybersecurity ROI. As part of his research, the study used information provided by compromised organizations to calculate the cost per data record of a breach. It ended up being $182 per data record.
As the company executive responsible for justifying the investment our company was making in cybersecurity, I was fascinated by the study and saw it as an opportunity to validate some of the cybersecurity initiatives I had been championing within the organization. While mindful of Larry’s findings, I worked with our DBAs and IT leaders to determine how many records we had in our company’s key business systems that included sensitive data. Once I found out how many total sensitive data records we had in our systems, I multiplied that amount by $182 to get the “worst-case scenario” cost of a security breach for my company. It ended up being $80 million.
I knew that if I went in and told our board we were exposing ourselves to a potential $80 million loss, I would get laughed out of the room, because at the time there were very few data breaches that were reported to cost anywhere in that range. Quoting that number would undermine my message and credibility. Trying to use that metric to justify our investment in cybersecurity could have ended up costing me budget, resources, or a career!