The business value of security: delivering the return on investment

CISO INTERVIEW SERIES — August 2019

Once seen as a barrier to innovation, chief information security officers (CISOs) are increasingly showing how they can help their organizations to achieve strategic goals. As part of our interview series with leading CISOs on how they not only ensure security but also prove its commercial value, we focus on business impact and ROI. Other interviews in the series explore the critical role of security metrics and CISO leadership skills in showing business value.


Featured CISOs:

• Brian Hintze, director of cybersecurity and network management, Fujitsu Network Communications

• Becky Pinkard, CISO, Aldermore Bank

• Paul Watts, CISO (UK & Ireland), Domino’s Pizza Group.

How can CISOs demonstrate the business impact of their strategies?

Brian Hintze: This is an interesting question, because on the surface our impact as security heads is often perceived as negative. Security is a cost of doing business, so the function is not generally seen as an enabler. By implementing certain controls I may actually be causing some heartache, making it a bit harder for the business to accomplish its goals. It’s certainly hard to demonstrate the positive impact in some cases.

On the other hand, at least every week I’ll receive a request for proposal from a potential customer or a security questionnaire from an existing customer wanting to understand how we’re protecting their data and our network connections to them. If we can’t meet their requirements, we may lose that business.

Becky Pinkard, CISO, Aldermore
Becky Pinkard: Identifying, highlighting and mitigating risks aligned with the business’s objectives is the best way to show our impact. The next question is: are quantitative or qualitative metrics better? The answer is that it depends on the business, the tools and capabilities you have and your ability to produce the necessary information as required. You don’t want to end up with a beautiful set of quantifiable metrics that take hours and hours to update each month, for example.

Paul Watts: The short answer is: don’t talk about impact purely in the context of risk reduction and compliance. A CISO can’t run an effective strategy without demonstrating its relationship to business outcomes, be they tactical or strategic. To appreciate security as a business-enabling capability, boards need to recognize the benefits of a security strategy from several angles.

Taking finance as the most obvious angle, a strategy of cost control and revenue growth would translate to a security strategy that delivers cost reductions (or at least good cost control) while controlling risks effectively.

A positive impact from the perspective of consumers would be the ability to show them how the business continues to protect their interests while innovating and minimizing friction in the customer journey, which is particularly important in ecommerce and retail. You’d use customer satisfaction, retention and revenue generation as the measures.

The same can be said in the case of your internal ‘customers.’ You need to show them how processes can be further protected, balanced against friction and complexity, through continuous improvement and effective collaboration with the business. This is becoming more and more critical in order for CISOs to demonstrate the benefits of their function.

Does the ability to show the business impact of data security influence the backing that CISOs receive from their boards?

Brian Hintze, director of cybersecurity and network management, Fujitsu Network Communications
Brian Hintze: I think it does. I’ve been fortunate to have really good support at the executive level because our CISO does an outstanding job of building relationships with our business leaders. I have to be cautious about the projects that I’m bringing forward, of course, because I don’t want to be the one who’s always saying: “The sky is falling — we’ve got to spend all this money.”

I want to be able to demonstrate to the board why a project is needed, what risks we’re trying to avoid and how I’m helping the business to connect to customers and store their data in a way that they will feel is secure. That certainly resonates with our leaders.

Pinkard: It absolutely does influence how much backing CISOs receive. If you can tie your proposed actions — people, process, technology decisions — to risks against business-plan objectives, the battle is almost won.

Watts: Demonstrating value in business terms will resonate much better than pitching a “we need an ISMS risk regulation ISO 27000 blah, blah, blah” story that will have directors snoring into their iPads. Boards relate much better to the approach to measuring the business impact of security.

Is calculating the ROI of security realistic? Do boards expect that?

Hintze: Although I’ve never actually had to calculate an ROI for a security project here, there are certainly some models for doing so. But it’s challenging, because ultimately it comes down to an educated guess — what’s the percentage risk that you are going to have a security breach? Being able to defend such numbers in front of a business leader is always tough.

Pinkard: You hear a lot about ROSI (return on security investment) but seldom see it expressed quantitatively. The closest I’ve seen is taking the average industry reported cost per breach, for example, applying that against the cost of a new anti-phishing solution and, after deployment, describing trend lines against inbound volumes.

Watts: There is a shift towards that expectation of calculating ROI. Measuring an empirical ROI for a holistic security program is still rather challenging, but a good place to start for now is the ability to demonstrate that it is helping the business to achieve its goals.

Can CISOs prove that their security programs are enablers rather than barriers?

Hintze: I definitely think so. Many a time we’ve had to connect to a customer who is an IT service provider and do this in a way that meets its requirements. If we can’t provide a secure solution, we won’t be able to meet the customer’s needs and we’ll therefore have problems, be they contractual or reputational.

There’s almost always a solution, but it may take us two or three months to provide it. That’s when it looks as if we’re a barrier. We need to talk to the people involved in projects and be part of the planning, instead of coming in at the end after a contract has been signed and we’ve been backed into a corner.

It’s also important that we can talk to business leaders not only about current projects but also about where the organization is going. What are they trying to accomplish in the future? If I understand what they want to do — where they think the business will be in six, 12, 18 months — I can prepare. That way, when that project comes on board and they sign the agreement with a customer, I’m ready to go. I can make it really quick for us to be able to work with the customer, which in itself can give the business an advantage.

Pinkard: It’s certainly possible to show security is not just a barrier. And you need people in your team who believe that security is an enabler and who can speak in a language that the business understands.

Watts: The best way to prove it is by driving cultural change over the longer term. At the Domino’s Pizza Group I have worked closely with our CIO and leaders in the broader business to promote the ideology of ‘shift left.’ That has entailed moving security to the earliest stage of a project and shedding the ‘accredit and regulate’ persona that the function once had — or the notion of the security team as ‘the fun police,’ as it was once described to me.

Factoring in security at the requirements-elicitation stage (or, even better, the feasibility stage) reduces the drag on projects that’s caused by having to retrofit security. And it makes release and sign-off a formality — involving the least cost, complexity and time.

Paul Watts, CISO (UK & Ireland), Domino’s Pizza Group
It’s crucial that the business can appreciate the value of its relationship with the security function. It’s also crucial for the security function to recognize the value it can offer the business as a consultant, critical friend and value creator in unlocking the potential of security in the cycle of innovation and business development.

I’ve worked hard to squash the perception that security is the “no” function in my business. The most effective CISOs are those who work with the business to identify potential solutions, with pros and cons, enabling it to make informed decisions rather than inhibiting innovation and business development.

When that word spreads, it is amazing how quickly it breaks down traditional barriers to engagement. My life is much easier when someone from the business starts a conversation with me by saying: “I’m thinking about doing…” instead of: “I’ve gone and purchased…”

My advice to all CISOs and CIOs is: start building the business-facing value-creation capabilities of your security team. You can do that through business partnering or creating a consultative capability, but certainly get your function out of the basement silo and into the business as soon as you can.


See the other articles in this CISO Interview Series on Business Value of Security:

The role of metrics in showing the business value of security

The leadership skills CISOs need to demonstrate the business value of security

First published August 2019