
Why Boards Should Stop Searching for the ROI on Cybersecurity

08/14/2018  |  By: Mark Johnson, CISSP, Shareholder, Information Security


Stop. Just stop.

If you’re looking for the ROI on cybersecurity, you’re not going to find it. 

These are not words you’d expect to hear from a shareholder at a cybersecurity company, right? 

Notice that I didn’t say that cybersecurity is unimportant, though. The problem doesn’t lie in the value of information security—it’s obviously valuable. The problem lies in our conversation around its value.

Imagine:

You own ABC Widgets, Inc., and you have a warehouse where you store all your widgets.

Every day, you pay employees to work there. One of their tasks is to ensure that the warehouse is locked before they leave.

Every day, they lock the warehouse. What’s the ROI for that 5 minutes to lock the warehouse? If no one tries to break in, then the ROI is zero. If someone does, then the ROI could be everything in the warehouse.

Where’s your ROI? You’re not making money in that situation. Instead, you are avoiding losing money.

Cybersecurity is complicated, because it rarely offers a clear way to win in the traditional sense. Instead, it offers strategies to avoid losing, which are, quite honestly, hard to get people excited about sometimes. The boardroom conversation around cybersecurity must shift if we want to understand its true value.

Instead of asking how much we can make from our cybersecurity efforts, we should start asking how much we are avoiding losing with our cybersecurity efforts. That can be hard to determine, but like most things in information security, it starts with a risk assessment.

What specific risks does your organization face? What’s the risk of someone breaking into your widget warehouse and stealing your entire inventory? 

Note that risk is different for every company. It’s just as bad to spend $1 million to protect $10k of assets as it is to spend $10k to protect $1 million of assets. The purpose of a risk assessment is to help you determine the unique risks faced by your organization, and the potential impact if those risks were to be realized.

Once you’ve done that, you have a good basis for discussing cybersecurity in the boardroom. At that point, you have the background knowledge necessary to realize which risks your organization faces, their likelihood of occurring, as well as the potential impact on both revenue and public opinion of your organization.
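To make "risk-based investment" concrete, here is an added example (not from the post) that expresses the loss-avoidance argument as arithmetic. It assumes the standard quantitative risk-assessment formula, annualized loss expectancy (ALE) = single loss expectancy × annual rate of occurrence, which the post does not name, and the widget-warehouse figures are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    asset_value: float      # dollars at stake if the risk is realized
    exposure_factor: float  # fraction of asset_value lost per incident (0..1)
    annual_rate: float      # expected incidents per year (the likelihood)

    def annual_loss_expectancy(self) -> float:
        # ALE = SLE x ARO, where SLE = asset_value * exposure_factor
        return self.asset_value * self.exposure_factor * self.annual_rate


@dataclass
class Control:
    name: str
    annual_cost: float      # what the safeguard costs per year
    rate_reduction: float   # fraction by which it lowers annual_rate (0..1)


def net_annual_benefit(risk: Risk, control: Control) -> float:
    """Loss avoided per year minus the control's cost; positive means the
    control 'decreases your losses' by more than it costs."""
    before = risk.annual_loss_expectancy()
    after = before * (1.0 - control.rate_reduction)
    return before - after - control.annual_cost


def is_proportionate(risk: Risk, control: Control) -> bool:
    """Guards against both failure modes in the post: $1M spent on $10k of
    assets, and $10k spent on $1M of assets."""
    return net_annual_benefit(risk, control) > 0


# Constructed figures: a $1M inventory with a 1-in-20 yearly break-in chance,
# and five minutes a day of paid time to lock up (~$2k/year).
WAREHOUSE = Risk("widget inventory theft", 1_000_000, 1.0, 0.05)
LOCK_UP = Control("lock the warehouse nightly", 2_000, 0.9)

# Constructed over-spend: $1M/year of controls guarding $10k of assets.
PETTY_CASH = Risk("petty cash theft", 10_000, 1.0, 0.1)
ARMED_GUARDS = Control("round-the-clock guard detail", 1_000_000, 0.99)
```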

It’s unlikely that cybersecurity will bring you unexpected mountains of profit. However, with the correct level of investment based on your risk, it can help you avoid costly mistakes and potential loss of customer trust—and it’s hard to put a dollar amount on that.

So, don’t ask how cybersecurity will increase your profits. Instead, ask how it will decrease your losses.

This blog is the first in a series titled, “Cybersecurity in the Boardroom.” The purpose of this series is to shift boardroom conversations and considerations about cybersecurity so board members, company management, and information security personnel can work together to implement a more effective cybersecurity program. To learn more about LBMC Information Security's comprehensive information security services, contact us today!
