
PodChats for FutureCISO: Demonstrating the business value of cybersecurity investments

by allantan
October 29, 2024

As Cybersecurity Awareness Month 2024 unfolds, it is critical for organisations, especially in Asia, to emphasise the tangible business value of cybersecurity investments. With cyber threats becoming increasingly sophisticated and pervasive, cybersecurity is no longer just an IT issue; it is a fundamental aspect of business resilience and growth.

Demonstrating the return on investment (ROI) from cybersecurity initiatives can help secure ongoing support from stakeholders, drive informed decision-making, and foster a culture of security within the organisation. By clearly articulating how cybersecurity investments protect assets, ensure compliance, and enhance customer trust, CISOs and CIOs can align security strategies with broader business objectives.

Asked to describe the current state of cybersecurity investments, Steve Wilson, chief product officer at Exabeam, begins by noting that there are different ways of approaching this, and that some CISOs take a pragmatic point of view, weighing the cost of a breach and the cost of mitigating factors relative to that.

“However, in the current climate, organisations no longer evaluate their budgets based on comparing the ROI to the cost of a breach. Instead, they’re focusing on broader business metrics, driven by potential significant disruption to a business, in the case that they fail to secure their business operations,” he observed.

Turning cybersecurity investments into a competitive advantage

Wilson says businesses, particularly in IT services, are increasingly facing customer demands to demonstrate strong cybersecurity practices and posture. He adds that customers ask critical questions about data encryption, disaster recovery plans, and certifications that demonstrate strong security measures are in place. He believes that while requirements may vary by region, the fundamental expectations are the same.

“For instance, by achieving compliance with a security framework, you could evaluate its cost not just in terms of how it can enhance your top line and ability to sell rather than just means to avoid the cost of a breach,” he continued.

Measuring the effectiveness of cybersecurity programs

According to Wilson, most cybersecurity professionals often focus on the backlog of vulnerabilities identified by the numerous tools deployed. With this approach, he reckons the challenge lies in determining which to prioritise and address while balancing the availability and resources of the engineering, IT, and security teams.

He posits that savvy CISOs prioritise metrics like ‘mean time to respond’ as it is measurable and critical. “While vulnerabilities are inevitable, quick responses to security signals can prevent further damage. It is often one’s ability to respond swiftly that is more critical in maintaining a strong security stance,” he elaborated.

Strategies for quick wins in cybersecurity

Wilson opines that in cybersecurity, quick wins can be found by addressing critical vulnerabilities that demonstrate immediate impact, like closing a major security gap, but some quick wins may come from building goodwill within the organisation.

“We had a client who overhauled their password rotation policy which mandated frequent password resets without considering risk, leading to an uptick in support tickets and unhappy users,” he recollected. “After analysing and introducing technologies alongside smart decision-making, it reduced the frequency of resets, improved their risk posture and saved them millions in lost productivity. This was a quick win with clear ROIs, improved productivity and risk management.”

Aligning cybersecurity with business objectives

Wilson says clear top-down alignment from the CEO is crucial. In modern organisations, he continues, business priorities are largely: acquiring new customers, retaining existing customers and expanding customer relationships.

“CIOs and CISOs should ideally take a step back from their individual goals and focus on how they could support these broader objectives. How can CISOs improve their cybersecurity posture to improve customer retention?

“How can CIOs use technology to enhance satisfaction? By ensuring that everyone is working towards the same goals, and looking at how each organisation can support these goals provides a better foundation for success,” reiterated Wilson.

Telling the cybersecurity story to non-techies

At a global roundtable of CISOs, Wilson recalled one CISO declaring that his role was more of a copywriter than a tech expert — translating jargon-heavy technical information into a language that the CEO, CIO and the board could easily comprehend.

“The challenge is making sense of such details as they’re coming through in real-time. Emerging AI technologies like LLMs are proving invaluable in translating complex technical information into clear, plain language, making it easier for non-technical stakeholders to grasp ongoing issues.” Steve Wilson

Adopting standards and accreditation

Wilson suggests CISOs and CIOs adopt accreditations such as ISO standards or FedRAMP (U.S.), involving audits, to demonstrate compliance.

“When AI adoption surged with ChatGPT, there was minimal guidance around security. I got involved with the Open Worldwide Application Security Project (OWASP) — having developed the first framework looking at LLM and AI security vulnerabilities in a few months,” he opined.

He acknowledges that standards bodies (NIST and MITRE) need time to catch up and often lag behind the rapid pace of technology. “While certifications hold value, organisations should be selective about relying solely on them for guidance,” he commented.

Outlook for 2025

Wilson says CISOs and CIOs need to recognise the rapid evolution of threats, particularly with how fast AI has been developing. He concedes that while companies are heavily investing in AI for cyber defence, hackers, including well-funded nation-state actors, are also advancing rapidly.

“We’re going to see automated attacks and other adversarial AI techniques. Given this fast-paced environment, security leaders must engage forward-looking vendors who not only address current threats but also have a forward-looking vision for the next 6, 12, 24 months,” he continued.

Click on the PodChats player to hear Wilson share his insights on how organisations can demonstrate the business value of cybersecurity investments.

Key Questions for CISOs and CIOs

  1. What is the current practice for quantifying the ROI of cybersecurity investments?
  2. Is it possible to leverage cybersecurity investments to gain a competitive advantage?
  3. What metrics can be used to measure the effectiveness of cybersecurity programs?
  4. What is a quick win in cybersecurity and what strategies can be implemented to demonstrate quick wins in cybersecurity?
  5. How can CISOs/CIOs align cybersecurity goals with overall business objectives?
  6. What is the most effective way to communicate cybersecurity risks to non-technical stakeholders?
  7. What frameworks or standards can CISOs/CIOs adopt to benchmark their cybersecurity efforts?
  8. What partnerships or collaborations can enhance an organisation’s cybersecurity capabilities?
  9. As we come into 2025, how can CISOs/CIOs ensure that their cybersecurity investments are scalable and future-proof?
  10. What is your vision in your role of chief product officer for Exabeam?