Cybersecurity In-Depth: Getting answers to questions about IT security threats and best practices from trusted cybersecurity professionals and industry experts.

How Do I Demonstrate the ROI of My Security Program?

Security teams must shift away from saying no, align security initiatives to business goals, and report metrics in a way business leaders can understand.

Neal Bridges, CISO, Query.AI

March 25, 2022

3 Min Read
Speaker presenting data chart to an audience.
Source: Rawpixel.com via Shutterstock

Question: How do I demonstrate the ROI of my security program?

Neal Bridges, CISO at Query.AI: When demonstrating the ROI of security programs, there are three things security teams must do.

The first is to change the perception of security’s role as the “office of NO.” Security programs need to embrace that their role is to ENABLE the business to take RISKS, and not to eliminate risks. For example, if a company needs to set up operations in a high-risk country, with risky cyber laws or operators, the knee jerk reaction of most security teams is to say “no.” In reality, the job of the security team is to enable the company to take that risk by building sound security programs that can identify, detect, and respond to cybersecurity threats. When company leaders see security teams trying to help them achieve their business goals, they are better able to see the value of a strong cybersecurity program.

Similarly, cybersecurity teams must understand their company’s business goals and align security initiatives accordingly. Too many security teams try to push their security initiatives as priorities for the business, when, in fact, those initiatives may be business negatives. For example, let’s say the business objective is to increase manufacturing on a line running end-of-life operating software. Some security professionals would increase security controls in an attempt to prevent downtime associated with an attack. But this approach doesn’t increase productivity - in fact, it might have the opposite effect and reduce manufacturing efficacy.

Rather, security teams need to take a step back and evaluate HOW they can put a security strategy in place that does increase productivity on the manufacturing line. A more business-centric approach would be doing things like building better identification and response measures to support business resilience objectives, increasing the fidelity of the alerting to the devices isolating the manufacturing environment, and running more frequent incident response or crisis action exercises to prepare for a manufacturing cyberattack. Understanding what the CEO and CFO find to be the biggest business drivers and aligning your cybersecurity strategies to those drivers will ultimately correlate to a perception that cyber is tied to profitable business objectives, thus increasing the ROI of cyber expenditure.

Last but not least, cyber teams must figure out how to report on their metrics in a way that business leaders can understand. An example of this is a security team reporting on how many cyberattacks the company has seen stemming from a risky country they do business in. If a business is profitable, the executive team may not see an immediate impact to the potentially thousands of cyberattacks they’re reporting on. However, if the security team slightly evolves their metrics to demonstrate how much time was spent responding to phishing in that particular region, how many laptops they had to reimage because of USB malware every month, or the amount of downtime a production line had because of an end-of-life operating system, they can directly tie these cybersecurity issues to lost revenue in risky situations. And, this knowledge is what business leaders need to better understand security risks, their potential impact on the business, and security’s role in keeping the organization safe.

About the Author

Neal Bridges

CISO, Query.AI

Neal brings more than two decades of cybersecurity experience to his role as chief information security officer for Query.AI, where he is responsible for leading the company’s security strategy and operations, and guiding product development efforts to help customers achieve their desired security outcomes. Throughout his career, Neal has helped federal and commercial organizations develop and execute cybersecurity strategies, and has built teams at multiple Fortune 100 companies. He’s also successfully led go-to-market strategies and spearheaded multi-million-dollar merger and acquisition activity to achieve company growth objectives. Neal is the founder of Cyber Insecurity podcast where he discusses the latest cyber news and trends, and gives career advice to listeners who are new to the cybersecurity industry. In his spare time, Neal enjoys going off-roading in his Jeep, and researching how Web3 is going to change the way we use the internet.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights