In a recent assessment, Jeff Williams, CTO at Contrast Security, argues that security leaders may be missing the mark when pitching the return on investment (ROI) of cyber resilience spending. Instead of relying solely on projected financial impact to show the value of security investments, Williams suggests a shift in strategy.
Many security leaders try to calculate the cost of potential breaches to justify investment in security measures. The figures they arrive at, however, are often so large that they fail to resonate with business leaders and boards; according to Williams, this approach tends to leave top-level management disengaged. Rather than fixating on breach-cost estimates, Williams recommends aligning security initiatives with legal requirements, such as the new EU Product Liability Directive, which imposes liability for software defects, including security vulnerabilities. By emphasizing factors such as cost savings and faster software development and innovation, security leaders can potentially win more support from stakeholders.
Williams also stresses the significance of incorporating both data and narratives in security presentations. While data such as policy metrics, vulnerability rates, and downtime statistics are crucial, Williams suggests complementing these with real-life stories that resonate with audiences. By humanizing the data and showcasing its relevance through compelling narratives, security leaders can effectively build support for their initiatives.
Moreover, Lenguito from BforeAI underscores the importance of maintaining customer trust and complying with legal and regulatory requirements. Highlighting the potential brand impact and reputation costs associated with cyberattacks, Lenguito emphasizes that even cyber insurance may not fully mitigate the loss of brand value resulting from a security breach.
Overall, the key takeaway from these insights is that security leaders need to adopt a multifaceted approach when communicating the value of cybersecurity investments. By framing the discussion around legal requirements, innovation, customer trust, and brand reputation, security leaders can effectively engage with business leaders and boards, ultimately fostering a culture of security within organizations. Emphasizing these aspects can help elevate the importance of cybersecurity from a mere financial consideration to a strategic imperative for businesses in today’s digital landscape.