Optimizing your Return on Assessment (ROA)
How to use Cybersecurity Assessments to prioritize security initiatives by value
Out of the blue, I get another unknown meeting request. Sometimes, I know the person. Rarely do they provide an agenda in advance. So I joined the call. There on the screen was a giant Excel document with hundreds of rows. For the next 60 minutes, I found myself answering security maturity questions, guessing, and not knowing what trouble this would get me into. Most of the time, it’s incredibly subjective in how you interpret the question and the maturity level you assign to it.
A month later, a PowerPoint came out about our cybersecurity maturity. It’s not bad or good. It’s just the middle of the road. At the end of the document, there are usually ten or so projects that can be done to improve your security maturity. And wouldn’t you know it, the company who wrote the PowerPoint happens to be a consultancy that can do the work for you…for a price!
Depending on budgets, the team typically selects the top one or two that seem to have the most significant impact or fix a security hole. Most of the time, they just take the top two without even reading the list.
This is where we are flawed. We are selecting the most convenient work. We are selecting the work that the consulting company or assessment team decided was the most important. We are most likely not prioritizing work based on data. In addition, these initiatives are probably not aligned with business outcomes.
We need to do three things to optimize our ROA (Return on Assessment). First, we need to align initiatives to business outcomes. Then we need to calculate each initiative’s ROI (return on investment). Finally, we must involve our stakeholders to help make data-driven prioritization decisions.
Align to Business Outcomes
Once again, we go back to the business vision statement and high-level business outcomes. A vision statement is a concise declaration of what and how an organization will achieve its goals. Not all organizations have a vision statement; some have a mission. Even though a vision and mission are slightly different, a mission statement is equally helpful for declaring what and how an organization will achieve its outcomes. High-level business outcomes are specific results that an organization aspires to achieve. Not all organizations will publish a list of high-level outcomes. We can certainly use high-level goals, strategies, or objectives. What we’re looking for is a set of 2–4 aspirational outcomes that the organization wants to achieve in a defined period of time.
Now that we have all that in the back of our mind, reread the assessment. Draw an invisible line from each project to a business objective. Not all projects will align to a business goal. That’s OK. As we work through the results of an assessment, we’re looking to be able to fill out two pieces of information about each project. First, Does it help the business achieve a business outcome? Second, How much risk does it reduce in terms of probability and impact vs cost?
Calculate ROI (Return on Investment)
The first question most CIOs will ask when you put in another business proposal will be, “What’s my return on investment?” If you pitch a customer-facing application, you might give them measurements in terms of revenue, engagement, referrals, etc. But we are talking about security here. Security does not and will never increase your revenue. It will, however, increase profit!
Security reduces the risk of losing your organization’s total investment. It is your organization’s goal to not only be secure but to make money. Your security team spends capital on five major security capabilities: identifying risk, protecting yourself from potential risk, detecting incidents, responding to incidents, and recovering from incidents. It’s our job to tell the story of how efficiently providing each of these capabilities leads to higher profit.
One year, I was part of a NIST cybersecurity assessment for an enterprise. In the assessment, there was a huge deficiency in our Cloud Security. Specifically, it was missing! Building a new security capability wasn’t the challenge. The challenge was telling the CIO we needed to buy a new security tool and hire someone to monitor it. The first step was identifying the probability of a security event happening and when what it would cost the business. Then it was to show that the total cost of implementing and maintaining Cloud Security as a capability is less than setting aside a pot of money and just paying all the costs of incidents. That pot of money is profit….the less you use, the better. But if you use more than you have, it’s time to close up shop and go home.
Data-Driven Decisions with Stakeholders
Armed with business outcomes and a return on investment, it’s time to bring the business stakeholders in. After all, it’s their money. Cybersecurity provides a protective service for the assets of the organization. We enable the business to make data-driven decisions. Based on the business’s risk threshold, they decide how much they want to invest to reduce risk. This is why business stakeholders really want to know the ROI. They are investing money from profit to protect the remaining profit.
Final Thoughts
Each time you perform an assessment, it’s an opportunity to identify gaps or enhancements that cybersecurity could do. To maximize your return on assessment, security leaders need to be able to identify the right initiative to launch after the assessment.
Prioritizing based on business objectives and ROI is a tool we all need in our belts. As we mature our tools and processes, we must improve how people use data from assessments.
