Proving ROI and Gaining Executive Buy-in (Data Driven Decision Making Series)

Written By Denson Todd, Director Cyber Risk Services

November 30, 2016

In my first post in this series, I discussed why it is so important to move away from decision making driven by compliance and/or regulatory intuition and by the media when it comes to how we understand and address risk in our companies. For the second post of the series, I will be covering the challenges and benefits of adopting a data-driven decision making model for Cyber Risk Management. I'm talking about the age-old goals of Return on Investment and executive buy-in. I'll argue that both go hand-in-hand: if you have executive buy-in, it is much easier to show an acceptable RoI, and if you can demonstrate a favorable RoI, you are that much closer to the elusive executive buy-in.

Showing a return on investment in Cyber Risk Management decision-making requires a definitive understanding of where you started and where you intend to end up. I know we have all done this exercise before and, to be blunt, in my experience it has been one of "creative" thinking and presentation, all too often colored by a vendor's assurances that all will be solved in the end. I will never claim that you will be able to know everything and understand how everything fits together in your company. In fact, I think that is an impossible expectation: there are far too many business groups, systems, processes, and controls throughout today's companies for me to believe that anyone has a complete understanding of their company's security posture and risk.

While we may not know every tree in our clients’ forests (for reasons stated above), I wholly expect that we can understand the forest itself as a single ecosystem. And more than just understanding overall business risk, we can present it, model it and, dare I say, make informed decisions that affect the health of the whole company and not just its individual parts.

Now, we are about to have a cliché industry moment to further our point. I have been thinking about different analogies for this series and I feel compelled by an inner geek to take one from Star Wars. Forgive me my unabashed cliché . . .

You have an obviously shaken senior Imperial officer who has been asked to give a briefing on the Death Star's (the first one) security status. The young officer's data set here is the Death Star's engineering information (Assets), Rebel Intelligence (Threats), the Death Star's defenses (Control Effectiveness), and the cost to the Empire should the Rebels exploit a weakness in the Death Star (Impact). Of course the Imperial leadership is hardly listening, as they are already certain of the impregnability of their Base. However, our young officer has to reveal one very big weakness and do so in a way that resolves the weakness before it is exploited (yes, a very insightful Imperial officer here). Our officer begins to compellingly lay out the fact that the Death Star has one ultimate weakness in an open exhaust port with a straight chute to the Base's core reactor (now that is just plain opportunistic). While usually dismissible as highly unlikely, he pushes the fact that not only does the weakness exist but there is also a known Rebel threat with the Jedi toolkit already running amok in the Imperial system, and that the probability of a targeted attack is extremely high. As Vader raises his hand, our officer quickly croaks out that this vulnerability can be remediated with 100% control effectiveness; Recommended Action: close the port. Our officer has clearly and quantifiably presented the threat, the impact, and the Empire's risk after factoring in known controls against the threat. The Empire has all the information it needs in order to make a well-informed, accurate decision with quantifiable risk reduction and change the course of a galaxy far, far away.

OK, moment over. That is the sort of data and presentation of risk that drives decisions in a quantifiable way. The most effective security projects are driven from the top down in any organization, although getting executives to put their support behind a project can be difficult. You must be able to illustrate how cyber risk decisions affect the overall security posture of the company by quantifying Threat, Impact, and Risk. When you can present your case in a manner that is defendable, data-driven and quantifiable, you are that much closer to accomplishing both a quantifiable Return on Investment and securing executive buy-in.
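To make the "where you started, where you end up" comparison and the RoI concrete, here is an added example that is not part of the original post and not the author's model. It assumes a simple expected-loss formulation: annual loss expectancy (ALE) is Impact times Threat frequency times the fraction of attempts the Control fails to stop; the quantified risk reduction is ALE before minus ALE after, and the return on the investment is the net saving divided by the control's cost. The `Scenario`, `Control`, `rosi` and `break_even_effectiveness` names and every figure in the sample data are constructed for this illustration; the exhaust-port numbers echo the briefing above and are invented.

```python
"""Quantified risk reduction and return on security investment (ROSI).

Constructed illustration, not the post's own model: risk is expressed as an
annual loss expectancy, ALE = Impact x Threat frequency x (1 - Control
effectiveness). Comparing ALE before and after a control gives the
quantified reduction; the net saving divided by the control's cost gives
the return an executive can weigh against other spending.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One threat/asset pairing: what is at stake and how often it is attacked."""
    name: str
    impact: float             # loss (currency units) if the threat succeeds once
    annual_frequency: float   # expected successful attempts per year, uncontrolled

    def __post_init__(self):
        if self.impact < 0 or self.annual_frequency < 0:
            raise ValueError("impact and frequency must be non-negative")


@dataclass(frozen=True)
class Control:
    """A candidate countermeasure with its claimed effectiveness and its cost."""
    name: str
    effectiveness: float   # fraction of attempts it stops, 0.0 .. 1.0
    annual_cost: float     # yearly cost to acquire and operate

    def __post_init__(self):
        if not 0.0 <= self.effectiveness <= 1.0:
            raise ValueError(f"{self.name}: effectiveness must be in [0, 1]")
        if self.annual_cost <= 0:
            raise ValueError(f"{self.name}: cost must be positive to compute a return")


def annual_loss_expectancy(scenario, control=None):
    """Residual annual loss; with no control the full frequency gets through."""
    residual = 1.0 - (control.effectiveness if control else 0.0)
    return scenario.impact * scenario.annual_frequency * residual


def risk_reduction(scenario, control):
    """Quantified reduction: ALE where you started minus ALE where you end up."""
    return annual_loss_expectancy(scenario) - annual_loss_expectancy(scenario, control)


def rosi(scenario, control):
    """Return on security investment: (risk reduction - cost) / cost.

    Negative means the control costs more per year than the loss it prevents."""
    return (risk_reduction(scenario, control) - control.annual_cost) / control.annual_cost


def break_even_effectiveness(scenario, control):
    """Minimum effectiveness at which the control pays for itself.

    Useful for checking a vendor's assurance against the number it would
    actually have to hit. Returns None when there is no loss to reduce."""
    baseline = annual_loss_expectancy(scenario)
    if baseline == 0:
        return None
    return min(1.0, control.annual_cost / baseline)


def rank_controls(scenario, controls):
    """Candidates ordered by ROSI, best first, as (name, reduction, rosi) rows."""
    rows = [(c.name, risk_reduction(scenario, c), rosi(scenario, c)) for c in controls]
    return sorted(rows, key=lambda row: row[2], reverse=True)


# Constructed sample data echoing the Death Star briefing; all figures are invented.
EXHAUST_PORT = Scenario("open exhaust port to core reactor",
                        impact=1_000_000, annual_frequency=0.9)
CANDIDATES = [
    Control("close the port", effectiveness=1.0, annual_cost=10_000),
    Control("extra turbolaser batteries", effectiveness=0.6, annual_cost=250_000),
    Control("more intelligence analysts", effectiveness=0.3, annual_cost=400_000),
]

if __name__ == "__main__":
    print(f"ALE before any control: {annual_loss_expectancy(EXHAUST_PORT):,.0f}")
    for name, reduction, r in rank_controls(EXHAUST_PORT, CANDIDATES):
        needed = break_even_effectiveness(EXHAUST_PORT, next(c for c in CANDIDATES if c.name == name))
        print(f"{name:28s} reduction {reduction:>9,.0f}  ROSI {r:+.2f}  break-even eff. {needed:.2f}")
```

The ranking is where the executive conversation happens: a cheap control with high effectiveness dominates, an expensive one with a modest claimed effectiveness can come out with a negative return, and `break_even_effectiveness` turns a vendor's "it will all be solved" into a single number the vendor has to defend.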