Cyber Risk Advisory

Corporate demand for cybersecurity ROI drives CISO metrics

December 13, 2022

Increasing cyber risks and decreasing budgets mean that C-suites and boards are demanding better cyber performance metrics and reporting from security teams.

Key takeaways

  • In addition to expanding attack surface and lack of good governance, security executives’ top cloud migration challenge is management pressure from above to translate cyber metrics into bottom-line ROI
  • Increasing cyber risks and decreasing budgets mean that C-suites and boards are demanding better cyber performance metrics and reporting from security teams
  • National Association of Corporate Directors (NACD) updated their guidance, setting bylaws for board governance and reporting metrics for cybersecurity

Coalfire and Dark Reading conducted a survey recently and the full report on the State of CISO Influence will be published in January. The survey found that some of security executives’ top cloud migration challenges are:

  • An expanding attack surface
  • Lack of a good governance strategy
  • Management pressure from above to translate cyber metrics into bottom-line ROI

With increasing risks and decreasing budgets, C-suites and boards are taking notice, and now demand better cyber performance reporting from security teams.

Accountability for ROI comes from security metrics

Security leader feedback indicates that the antiquated “sky-is-falling/spend-more” approach isn’t cutting it anymore. In the last year alone, the share of CISOs who report providing monthly reports to the board rose significantly. This improvement indicates an improved ability to connect cyber resource allocations to mission-critical business objectives. Two-thirds of security leaders surveyed are now making monthly presentations to the highest levels of enterprise authority.

At Coalfire, we talk to clients every day and have been hearing about increasing, top-down pressure for years. But this year’s significant jump confirms the irreversible trend toward more responsible cyber spending and cost management across all industrial sectors, and for businesses of all sizes. During the last two years and complementary to our survey research, the National Association of Corporate Directors (NACD) has stepped up its published guidance, setting bylaws for board governance and reporting metrics. This helps establish standards for more active oversight, which in turn helps to ensure more reliable Return on Security Investment (ROSI). It all serves to provide CISOs visibility and the framework they need to rationalize their security programs based on fundamental business principles.

ROSI – not FUD (Fear, Uncertainty and Doubt) – is now setting the tone for security leadership’s actions. Ten years ago, FUD ruled the day, and we were playing defense. Cyber managers had the tendency to put a lot of people on the field and write checks for myriad tools, software licenses, seats, insurance policies, etc. But as the market expanded, FUD started to lose momentum to the point where the “chicken little” mentality no longer dominates security strategy or purchasing patterns.

Cyber strategy in a bullish economy

With more downward economic pressure this year, we need a different gameplan, one built on the understanding that merely throwing resources at cyber will no longer solve the problem of decreasing budgets converging with attack surface expansion.

Essential dimensions for cyber strategic planning were revealed in three key takeaways from the research:

Strengthen relationships – CISOs continue to expand their sphere of influence. They are driving collaborations with officers, directors, and department heads, and are having more of an impact on planning and budgeting decisions across the org chart.

  • More than 3/4 of security leaders say they are consulted either early in project development when business objectives are identified, or at least well before a project goes live.

Advance the security control landscape – CISOs are focusing on optimizing security posture by adopting new strategies and tools to manage the interdependence of people, processes, and technologies. They communicate more effectively with all audiences using relevant metrics that help everyone understand security decisions and outcomes.

  • More than half of CISOs present security metrics to their CEOs, a steady increase from 2021.

Navigate cloud migration – With the combination of cloud migration and stricter compliance requirements, CISOs must do much more with far fewer resources. But there are some cyber silver linings behind the clouds.

  • Nearly a third of CISOs report achieving efficiencies through dedicated environments for different cloud compliance frameworks.

CISOs help determine corporate investment in security

Our report confirms that CISOs are increasingly assuming responsibilities that position them as business leaders in addition to being technology experts. This means they need to manage a business unit with responsible resource allocation, strategic planning, and execution against KPIs.

Most traditional C-suite positions have management oversight experience, while most CISOs have come up through the technology ranks with engineering backgrounds. Historically, CISOs have always wanted to report to the highest levels possible within their organizations, but often find themselves out over their skis on the basic business disciplines.

One of the best ways to get started on the right foot is to always ask up front:

  1. “What’s the business case for security?”
  2. “How much security do we need to reach the desired objective?”
  3. “How much time and how many resources do we need to invest into our security?”

This means giving those with approval power the ability to analyze both technical and financial factors when assessing the economic impact of the expected outcomes for each project.

Linking cybersecurity posture to brand safety and reputation

CISOs in our survey are at the top of their field, but not necessarily well-trained in rationalizing security program investment to the CFO or budget committee. Some are gaining career traction by migrating from CISO to the new title of Chief Trust and Risk Officer. The CTRO oversees not only security posture, but also takes on the responsibilities associated with reputation management, brand safety, and the endless quest to earn and sustain customer trust.

For cloud-driven policy and cultural shifts to evolve effectively, security requires audience and influence at the highest levels. Be prepared with a “ROSI outlook,” and be careful what you ask for in the march toward business-aligned cybersecurity. Full report coming in January 2023.