Business Problems We Solve: Proving That Cybersecurity Works And Is Worth The Investment
The easiest question an investor or manager can ask is, what will be our return on investment?
A prudent investor should always be knowledgeable about risks and costs. If you only look at the "upside" you will miss how that "upside" comes with a cost that may be substantial.
So it is with cybersecurity.
Suppose, for example, that your cybersecurity team has "proved" that your organization has enough cybersecurity because it subscribes to a cybersecurity service. Well done. That is in fact proof that...your organization subscribes to a cybersecurity service. A prudent investor or manager should ask: how does that align with our growth projections, our values, or our user needs? How does it mitigate upcoming threats?
There's nothing wrong about subscribing to a cybersecurity service. It's certainly better than doing nothing. The problem is that most investors or managers see this as a box-check compliance issue: cybersecurity subscription is cybersecurity ROI.
A much better question is, how will you prove your cybersecurity program's ROI?
In a wonderful new book, Proof, reviewed by the always-on-target Jennifer Szalai, the nature of proof is questioned. Here is a key quotation from the review:
"Kucharski [the book's author], a mathematically trained epidemiologist, says that the rigor and purity of mathematics has imbued it with extraordinary rhetorical power. 'In an uncertain world, it is reassuring to think there is at least one field that can provide definitive answers,' he writes. Yet he adds that certainty can sometimes be an illusion. 'Even mathematical notions of proof' are 'not always as robust and politics-free as they might seem.'"
We at Pythia humbly suggest that cybersecurity is not a subscription or a box-check. Instead it is an effective leadership practice. Cybersecurity is fundamentally behavioral. Disagree? Answer this: If cybersecurity subscriptions are so effective, why do spam attacks or ransomware still work?
In brief, you prove that cybersecurity works by adopting the best system, adding governance, auditing the system, anticipating the changing threat environment, and adopting cybersecurity as a performance management element. Period.
If you do not think that keeping your organization from being disrupted, as power outages recently did to Heathrow Airport and Spain, is worth the investment, then your "ROI" will be disruption, loss of function, and reputation ruin.
The "upside" of cybersecurity subscriptions without the behavioral components is vanishingly small. You know this.
Szalai later says in her review: "Needless to say, proving what is 'obvious and simple' isn’t always easy." Adopting the threat mitigation practices outlined in this post is obviously better because you can show that it works for you. You know this.
In summary, you can prove something if you can verify it. Verification is your ROI. QED.
Ask us how Pythia Cyber can work with you to define what cybersecurity investment is best for your situation to create provable cybersecurity ROI.