Page 20 - Cyber Warnings
understand the value of proposed security programs and the importance of resourcing them.
In security, the biggest benefit will always be reduced risk; “buy this tool (or hire this person) and
bad things are less likely to happen.”
Unfortunately, this argument is highly theoretical, which doesn’t translate easily into a business
case.
It’s also likely that the same argument has been used for previous security procurements and
consequently leads to a debate around the likelihood of data being stolen – a risky game to
play.
Instead of trying to estimate the level of risk a company has in terms of security and how likely
an attack may be, it’s arguably much more important to analyze the time and/or people a new
tool might save and how much more efficient it could make an organization.
Some key questions would be:
- Can it automate tedious day-to-day activities?
- Can it reduce requirements for highly skilled, difficult-to-hire security personnel?
  - Will it let tier 1 analysts do the tasks of a tier 2 analyst?
  - Will it allow tier 3 analysts to do the work of an incident responder?
- Does it reduce the time it takes to resolve a threat?
- Will it help consolidate the security stack, e.g., reduce the number of agents operating on
  endpoints or the number of network security appliances in your rack?
  - Will it reduce the requirements to integrate multiple security devices?
  - Will it reduce the number of screens that monitoring personnel have to focus on?
- Can it improve the speed and accuracy of a company’s incident response?
To the CFO, this approach presents clear opportunities to save critical funds and enhance the
ROI of security solutions.
At the same time, you are reducing the enterprise’s risk of a breach, which is a primary
focus of the Board of Directors.
For any organization, it is almost impossible to predict how much a cyber breach
could cost, as it isn’t only a case of compensating victims and the loss of business revenue, but
also damaged reputation.
No one is expecting a CFO or the Board to write a blank check for security, which is why
explaining the savings an enterprise can make in terms of a more efficient security team, lower
hardware costs, and minimized risk is paramount to understanding its value.
Cyber Warnings E-Magazine – August 2016 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide