Cyber Risk Advisory

How the CISO drives value across the enterprise

Michael Eisenberg

Vice President, Strategy, Privacy, Risk, Coalfire

Coalfire's Securealities 2023 State of CISO Influence report shows that CISOs have a growing responsibility to report to the board/c-suite. During budget planning, CISOs can drive value and secure budget allocations by demonstrating Return on Security Investment (ROSI).

Key takeaways:

  • CISOs must evaluate and present the Return on Security Investment (ROSI) in terms of security spend and business outcomes.
  • To achieve positive ROI, CISOs should focus resources on the highest risks and showcase security investment impact on risk reduction, compliance, operational efficiencies, and top-line growth.
  • With a deep understanding of investment return and outcomes, organizations can make informed decisions, allocate resources effectively, and drive operational resilience.

In today's increasingly digitized world, organizations are investing significant resources in cybersecurity to protect their assets and mitigate risk. Security is quickly evolving from an operational expense to an appreciating asset, and just like any investment, businesses expect increasing returns. Simply justifying costs is not enough.

As a result, the role of the Chief Information Security Officer is changing dramatically. In the Coalfire/Dark Reading 2023 State of CISO Influence Securealities report, more than half of enterprise CISOs surveyed present security metrics to their boards and C-suite. This is up nearly 15 points from just two years ago, signifying the CISO’s maturing role from cost controller to fiduciary responsible for ROSI.

During this budget planning season, it’s crucial for CISOs to evaluate and present their ROSI yield, both in terms of security spend and desired business outcomes. Though the report data reveals that more than half of the respondents formally demonstrate ROSI to their executive leadership teams (ELTs), nearly half indicate otherwise.

Like all C-level officers, it’s essential for CISOs to understand the expectations of their organizations regarding investment performance and align their strategies and metrics accordingly. Establishing numeric investment returns plotted against direct expenditures can result in increased authority, autonomy, credibility, and additional budget allocations for security resources.

CISOs can achieve this by setting objectives and showcasing security investment impact on overall risk reduction, incident response capabilities, compliance posture, and operational efficiencies.

The key is to focus resources on the highest risks with the highest potential for ROI. Show corporate leadership the value of investing in state-of-the-art strategy and continuous (not point-in-time) assessments, audits, integrations, deployments, oversight, and reporting.

Communicate your security team’s capabilities, align cyber metrics with business objectives, and explain to the board which risks matter to your organization and why. Tie security outcomes and KPIs to top-line growth, enterprise valuation, and application security practices that get products to market faster than the competition.

CISOs can solidify their position as trusted leaders by effectively communicating the value, benefit, and optimization of their spend, and making measurement and reporting an ongoing process.

The survey data emphasizes the importance of basing security budget increases on needs identified through annual risk assessments. CISOs should regularly review the effectiveness of their programs, identify areas for improvement, and adapt their strategies accordingly. By continuously evaluating and optimizing security spend, organizations can maximize value and ensure that resources are allocated to the most critical areas.

Effective communication is crucial when discussing ROSI. Regular performance updates, delivered through executive-level dashboards and slide-deck presentations, enhance transparency and help stakeholders understand the value of security investments. CISOs should tailor their communications to each audience, highlighting business impacts and risk reduction aligned with organizational objectives.

Flat budgets and complex compliance requirements are additional challenges CISOs face, alongside moving systems to the cloud and an expanding attack surface. With these headwinds, achieving a positive ROI for security spend is a fundamental objective for organizations seeking to protect their digital assets and minimize cyber risks. As indicated in our report, CISOs play a pivotal role in managing these investments. Executive leadership expectations are on the rise as security teams shift gears into budget planning season.

Boards increasingly rely on data from CISOs to inform their governance and oversight. By setting the right expectations, demonstrating value, considering all influencing factors, continuously improving security strategies, and effectively communicating ROSI, CISOs can establish a strong foundation for security decision-making.

With a comprehensive understanding of investment return expectations and outcomes, organizations can make informed decisions, allocate resources effectively, and drive operational resilience with a best-in-class cybersecurity posture.