Ask the Expert: How can we demonstrate the return on investment of our cyber security measures?
Kirk Hogan, Chief Innovation Officer at Iceberg Networks, answers more of the top questions we’re hearing from organizations about cyber risk and security operations.
Kirk discusses how organizations can demonstrate return on investment (ROI) on their cyber security measures and his top piece of advice for organizations who want to mature their cyber risk management program. The following is an edited transcript of the conversation.
Q: How do we demonstrate the return on investment of our cyber security measures?
A: Whenever I think about measuring, I break it into two camps, qualitative and quantitative. There really is almost a third camp and that is semi-quantitative because even though we ask people for a number, it’s still a subjective or a qualitative answer.
If we focus on qualitative and quantitative, the trick is to take a baseline before we do anything. How are we doing things today? How long does it take? How many people do we take? How do we prioritize? Identify those things that you will measure at the beginning. Then after one cycle of operation, we want to take those same measurements again because what you’ll be able to do is identify a return on your investment, not to overuse that term, but it will show you where you’re actually achieving more effectiveness or more efficiencies.
A qualitative measure might be something like the ability to understand whether our new process is being supported through adoption. You could measure that through a poll or a survey; it is a subjective rating because someone says whether they’re adopting or not.
A quantitative measure might be the number of outstanding critical issues over the last thirty days or over a three-month span. The simple count of the outstanding issues by month or within a quarter would illustrate whether the program is improving or whether it’s degrading.
My favourite return on investment example would be the reduction of our number one competitor in most businesses, and that’s Excel. Not to beat on Excel, it’s a great tool, but if you were to measure the number of Excel workbooks that are actually used for decision support before and after we implement some sort of digital transformation, you could demonstrate the yield of reduction of time, improvement of effectiveness, etc.
Focusing on the right measures is the toughest part. Counting things is not always the best place to start. You need to ask yourself, what are the most critical things that we do or that we have? Then develop questions that could indicate whether you’re above or below this level of comfort. We sometimes refer to that as a tolerance or an appetite.
The direction of measurement is also important, so between intervals, is that measurement going up or down? Sometimes up is good if you’re looking at things like availability. Down is good if you’re thinking about critical vulnerabilities on critical assets.
Q: If you could give one key piece of advice to an organization who wants to transform/mature their Cyber Risk program, what would it be?
A: I’ll give you two pieces, one’s free. The first one is to select three priorities and focus. Focus until they are generating a minimum level of return on investment (ROI). Set some outcomes, measure those outcomes, deliver on those outcomes. When you achieve that minimum ROI, then move on to new priorities. What you will find is that you’ve gained momentum, you’re showing results and the buy-in from the other parts of the business to see that you have a way to effectively and predictably get those kinds of results; you’ll actually have a lot of people jump on the bandwagon.
My second piece of advice is to build models, patterns, things that work. Start off small and prove that they work because then you can scale them both vertically and horizontally.