Once seen as a barrier to innovation, chief information security officers (CISOs) are increasingly showing how they can help their organizations to achieve strategic goals. As part of our interview series with leading CISOs on how they not only ensure security but also prove its commercial value, we focus on business impact and ROI. Other interviews in the series explore the critical role of security metrics and CISO leadership skills in showing business value.
Featured CISOs:
• Brian Hintze, director of cybersecurity and network management, Fujitsu Network Communications
• Becky Pinkard, CISO, Aldermore Bank
• Paul Watts, CISO (UK & Ireland), Domino’s Pizza Group.
How can CISOs demonstrate the business impact of their strategies?
Brian Hintze: This is an interesting question, because on the surface our impact as security heads is often perceived as negative. Security is a cost of doing business, so the function is not generally seen as an enabler. By implementing certain controls I may actually be causing some heartache, making it a bit harder for the business to accomplish its goals. It’s certainly hard to demonstrate the positive impact in some cases.
On the other hand, at least every week I’ll receive a request for proposal from a potential customer or a security questionnaire from an existing customer wanting to understand how we’re protecting their data and our network connections to them. If we can’t meet their requirements, we may lose that business.
[Photo: Becky Pinkard, CISO, Aldermore]
Does the ability to show the business impact of data security influence the backing that CISOs receive from their boards?
[Photo: Brian Hintze, director of cybersecurity and network management, Fujitsu Network Communications]
Is calculating the ROI of security realistic? Do boards expect that?
Hintze: Although I’ve never actually had to calculate an ROI for a security project here, there are certainly some models for doing so. But it’s challenging, because ultimately it comes down to an educated guess — what’s the percentage risk that you are going to have a security breach? Being able to defend such numbers in front of a business leader is always tough.
Pinkard: You hear a lot about ROSI (return on security investment) but seldom see it expressed quantitatively. The closest I’ve seen is taking the average industry reported cost per breach, for example, applying that against the cost of a new anti-phishing solution and, after deployment, describing trend lines against inbound volumes.
Watts: There is a shift towards that expectation of calculating ROI. Measuring an empirical ROI for a holistic security program is still rather challenging, but a good place to start for now is the ability to demonstrate that it is helping the business to achieve its goals.
Can CISOs prove that their security programs are enablers rather than barriers?
Hintze: I definitely think so. Many a time we’ve had to connect to a customer who is an IT service provider and do this in a way that meets its requirements. If we can’t provide a secure solution, we won’t be able to meet the customer’s needs and we’ll therefore have problems, be they contractual or reputational.
There’s almost always a solution, but it may take us two or three months to provide it. That’s when it looks as if we’re a barrier. We need to talk to the people involved in projects and be part of the planning, instead of coming in at the end after a contract has been signed and we’ve been backed into a corner.
It’s also important that we can talk to business leaders not only about current projects but also about where the organization is going. What are they trying to accomplish in the future? If I understand what they want to do — where they think the business will be in six, 12, 18 months — I can prepare. That way, when that project comes on board and they sign the agreement with a customer, I’m ready to go. I can make it really quick for us to be able to work with the customer, which in itself can give the business an advantage.
Pinkard: It’s certainly possible to show security is not just a barrier. And you need people in your team who believe that security is an enabler and who can speak in a language that the business understands.
Watts: The best way to prove it is by driving cultural change over the longer term. At the Domino’s Pizza Group I have worked closely with our CIO and leaders in the broader business to promote the ideology of ‘shift left.’ That has entailed moving security to the earliest stage of a project and shedding the ‘accredit and regulate’ persona that the function once had — or the notion of the security team as ‘the fun police,’ as it was once described to me.
Factoring in security at the requirements-elicitation stage (or, even better, the feasibility stage) reduces the drag on projects that’s caused by having to retrofit security. And it makes release and sign-off a formality — involving the least cost, complexity and time.
It’s crucial that the business can appreciate the value of its relationship with the security function. It’s also crucial for the security function to recognize the value it can offer the business as a consultant, critical friend and value creator in unlocking the potential of security in the cycle of innovation and business development.
— Paul Watts, CISO (UK & Ireland), Domino’s Pizza Group
I’ve worked hard to squash the perception that security is the “no” function in my business. The most effective CISOs are those who work with the business to identify potential solutions, with pros and cons, enabling it to make informed decisions rather than inhibiting innovation and business development.
When that word spreads, it is amazing how quickly it breaks down traditional barriers to engagement. My life is much easier when someone from the business starts a conversation with me by saying: “I’m thinking about doing…” instead of: “I’ve gone and purchased…”
My advice to all CISOs and CIOs is: start building the business-facing value-creation capabilities of your security team. You can do that through business partnering or creating a consultative capability, but certainly get your function out of the basement silo and into the business as soon as you can.
See the other articles in this CISO Interview Series on Business Value of Security:
• The role of metrics in showing the business value of security
• The leadership skills CISOs need to demonstrate the business value of security