Like all business leaders, chief information security officers (CISOs) are faced with the challenge of demonstrating a return on investment (ROI) for the budget they are allocated each year. Many CISOs struggle with this challenge when they attempt to monetize cost savings and investments so that they can be compared, dollar-for-dollar, with investments made elsewhere in the organization.
Even in a best-case scenario, this approach has a very high likelihood of failure, and at worst it backfires. Risk management programs are not normally designed to generate revenue; therefore, the only dollar figures they present are the costs of the program, and costs alone will not win the ROI challenge.
It is possible, however, for CISOs to demonstrate the ROI of a risk management program in ways other than revenue dollars. The secret to such a demonstration is to articulate the key risks your program is addressing in light of the business drivers being protected.
When a CISO effectively describes a program’s impact on those same business drivers, that is when the cumulative ROI of revenue generators becomes clear.
By utilizing a three-step process — selecting a framework to set the foundation for a program’s structure, creating a risk profile, and identifying mitigating controls for key risks — CISOs will have the tools necessary to present ROI information of a risk management program that meets the needs of the organization and meshes with existing revenue streams.