PROVE IT!


In this age of commodity IT cybersecurity (cyber) is no longer immune to the C-level challenge to “Prove it!”

Many industries are still making deep spending cuts, and plying customers with “Cyber is ROI” and “Think of it like insurance!” simply doesn’t resonate.

Executives hear “investment” as code for “long time plus big price tag". Despite best efforts, there remains a major disconnect between cyber value and business value.

If you want to compete in the cyber market then the discussion is inevitably a hard dollars and business sense conversation: “Our time to market for mobile apps increased 50% after we deployed a secure app store solution.” Real stories, real metrics, real value.
There are two kinds of companies: those that know they’re compromised and those that don’t.
The imperative today: products and services must work AND must deliver fast. CIOs and CSOs know they will have to have a conversation with their CFOs. As security professionals we need to help them. We must speak their language. The F&A floor is seldom impressed by products that are cool. Even less so if cool can’t demonstrably convey assurance, cost reduction or realized business enablement.

“But we just found a zero day APT!” Not surprised. Breaches are inevitable. This approach, however, is not convincing to the finance director. Anecdotes are good, but they lack tangibility. The new reality is that there are two kinds of companies: those that know they’re compromised and those that don’t.

“So, raise the cost in the kill chain?” Okay, but to what end. Threat identification is a good thing—it’s good to know who’s been living in your house and who’s eating that last slice of pie when all are a slumber. There’s more value if you can estimate marginal benefit (and cost) so we know how much to spend. At some point, there are always diminishing returns for raising that bar. Finance folks understand that. If we want to make our case, we need to be on their page.

Here are a few of leading questions to consider. Your ability to answer questions like this will help demonstrate bona fides:
  1. Did the tool we bought measurably decrease our per incident mitigation costs? 
  2. Did we lower our audit costs because we had evidence-based artifacts? 
  3. Did we increase our up-time during core productivity hours? 
The cost of doing business in the information age is cyber—‘tis a fait accompli'. But the language of business, even in government, is still finance. Numbers get people’s attention, especially executives whose success or failure rides on quarterly statements to their shareholders. Their proof is always in the numbers. As industry professionals, our job is to help make the business case. And if cyber as an industry wants to have a seat at the big table, then we must improve the language we speak.

Written by good friend and colleague Michael Lucero