How do you convince a company board of directors that there is a return on investment (ROI) for something that doesn't happen?
That is not a new question. It is the ongoing, persistent question that IT security managers face when they are defending a budget, especially when they are seeking an increase. They will face it even more as multiple studies have shown the chances of a cyber breach continue to increase. As Gartner has famously been saying for several years, “prevention is futile.”
There are some effective answers, according to those on a panel titled “Measuring ROI for Cybersecurity: Is it Real, or a Mirage,” at the MIT Sloan CIO Symposium this week. Most of them involve putting a value on “what if?”
Some of it, said Christopher Porter, vice president and CISO at Fannie Mae, involves just doing the math. If a breach results in the compromise of the credit data of a million customers, then even if providing a year’s worth of credit monitoring is only $20 per account, “that’s $20 million,” he said. “Then you figure in things like legal fees, and you can start estimating it.” Porter said Fannie Mae uses the FAIR (Factor Analysis of Information Risk) model, which, according to the organization’s website, “describes what risk is, how it works and how to quantify it.”
Ransomware is a different equation, he said, but its cost can be calculated from the amount of downtime involved. That doesn’t make it easy, panelists agreed. James Kaplan, a partner at McKinsey, said it can be difficult to quantify the loss of intellectual property (IP). Among the relevant questions, he said, is: “Can the person who stole it use it?”
Andrew Stanley, CISO at Phillips and the panel moderator, agreed, noting that his company generates about 3,000 patents per year, “but not all of them are monetized at once. I can’t tell you immediately what one is worth. But I can say what the portfolio is worth,” he said. “If I can say to the board that they’re putting $200 million at risk, that monetizes it in a way they can understand.”
At some point, panelists agreed, cyber insurance providers will get better at estimating the value of breaches. But that segment of the industry is still in its infancy compared to the decades insurers have spent covering property and vehicles. “They just don’t have the data yet,” Stanley said.
The reality, said Jim Cupps, senior director at Liberty Mutual, is that there is a long way to go. “I don’t think interactions between boards and CISOs have become a value proposition,” he said.
That, Porter said, will require more education. “Cybersecurity is viewed as the CISO’s problem,” he said. “But ultimately it’s an enterprise problem. My job is to educate them about that.”
Stanley agreed that it is “a difficult task, but it is getting better. Boards are learning. They need to know, and as it becomes more of a regulatory issue, they want to know,” he said. “Wise CISOs can educate the board and then get the budget they need to do the job.”