Dive Brief:
- Only four in 10 security leaders can answer the question, "how secure, or at risk, are we?" according to a Tenable-commissioned Forrester report. The survey collected responses from more than 840 security and business executives in April.
- Eighty-five percent of "business-aligned" security leaders say they are able to translate cybersecurity return on investment (ROI) and business performance to their stakeholders. One-quarter of leaders consider themselves more reactive and siloed from their peers.
- Business-aligned leaders are nearly five times more likely to collaborate with stakeholders on cost, performance and risk reductions than more reactive leaders. Business-aligned leaders are also seven times more likely to automate risk management objectives "to vulnerability prioritization practices," according to the report.
Dive Insight:
Reactive leaders aren't confident in their cybersecurity tool reservoir: the technology, processes and data used to identify and remediate risk. Their business-aligned counterparts believe they're highly equipped.
The discrepancy between the two kinds of security leaders can define a security program, the resilience of a company, and whether or not the business and security are aligned.
"The root of this misalignment lies in the lack of common language for risk used throughout the organization," said Nathan Wenzler, chief security strategist at Tenable.
Articulating risk management to a non-technical board is an uphill battle for CISOs.
Heat maps, inadequately articulating risk and severity, aren't going to cut it anymore; they fail to give stakeholders the confidence they need to make an actionable decision. Assigning a dollar amount to risk is another nearly impossible task, especially when there are some risks companies can "enjoy."
"Treating security as a risk function instead of just a technology function elevates and evolves cybersecurity into being a core part of the business risk strategy," said Wenzler.
Traditional cybersecurity metrics are technical and are not accommodating to non-technical stakeholders. The metrics boards look for, including financial risk, reputation damage and regulatory infringements, are often forgotten by security teams, according to Wenzler.
The board wants to know:
- How the digital infrastructure is defended
- If the people who are authorized to take risk are also able to mitigate it
- If all tools were used to their full capacity or if more are needed
But risk is widespread throughout a business. Cyber risks can set companies up for expansion in new markets, while digital business risks are more focused on process, products and services. What risk management presentations might fail to recognize is the risk shared between the two.
To measure their ROI metrics, security leaders rely on mean time to detect, mean time to resolve and how many vulnerabilities were remediated monthly. When speaking with stakeholders, security leaders could use benchmarking to "communicate the organization's overall security performance relative to peers," said Wenzler.
Business-aligned leaders are more likely to use benchmarking, and 86% use processes that demonstrate "continuous process improvement relative to peer companies and/or internal groups," according to the report.