Justifying security costs by quantifying protection results

by | May 1, 2023

How many times have we heard a CISO say: “I don’t have enough money for security”. But, what is the right amount of money for security? How is it determined? Who makes that decision?

The cost, and budget challenges, of a security program is a fascinating study. We know CISOs didn’t create the business. They are not responsible for its design or scale of operations. They are merely the mitigation agents of security risk. Yet, somehow, the CISO has taken the heat for the costs of the security program.

Why? In large part, the CISO has lacked the language, data and the tools to strongly link the costs of a security program to specific protection expectations or to show actual protection results.

Today, most security programs are calibrated around ‘maturity’ toward compliance to a security framework; or a subjective ‘expert’ opinion of security capability. Unfortunately, neither of these current approaches leave business executives in a confident or justified position. Why? Because they do not enable the CISO to robustly answer key questions:

  1. Who can and cannot breach a crown jewel?
  2. Is this level of protection reasonable?
  3. What cost did we achieve this for?
  4. Is that cost reasonable?
  5. Can we evidence all of this for external challengers?
  6. These are the types of questions that business executives and Boards want answered.

In order to answer these questions, the CISO needs an enhanced data set. We need a foundational set of quantifiable terms that strongly influence costs and results of a security program. Unfortunately, these variables are currently absent, incomplete, or unconnected in existing security frameworks.

In project management there is a foundational concept called the Quality Triangle. It illustrates a set of competing objectives vying for limited resources. In this example, it shows four variable objectives that will influence each other. Adding to one will take away from at least one of the others. It’s a competitive give-and-take, or increase in costs.

Similarly, there is a set of variables that most directly influence the costs of a security program.

Quality: What level of threat sophistication can security successfully protect against?

Threat actors aren’t equal. We know some are more sophisticated than others. The more advanced the threat actor, the more access to methods and assets they have. It’s also intuitive that it will cost more to counter more advanced threats.

Quantity: How broad is the scope and coverage of protection?

Security teams apply ‘security controls’ to business assets of varying types (e.g. data, devices, applications, networks, people, facilities, vendors). It’s intuitive that it will cost more to protect more.

Pace: How quickly can you achieve protection targets?

Security operations leverage expensive resources: people, technology, vendors, and even property. It’s usually the case that if we want something done faster, we need to apply more resources, sooner, to get that result. Not only are we spending money sooner, you often have to pay more to get access to those resources sooner.

Efficiency: Are our operations and resources optimized?

We all learned in school that efficient operations can lead to less waste and economy in scale; gaining more results from equal spend. But what happens in security isn’t so neat and clean. Security controls aren’t just “set it and forget it”. They’re developed and maintained, updated and operated. Unfortunately, there is usually considerable duplication of effort, and missed opportunities to gain efficiencies of scale. Most frustratingly, is the failure to best leverage people, technology, and vendor resources.

To strengthen their perception and position with business executives, CISOs need to lead them by asking better questions and providing robust answers.

Success is based on setting clear expectations, then showing results to expectations.

What does your business leadership expect of security and why is that?

You must establish expectations on common ground — a shared context that bridges the ‘security world’ to the ‘executive business world’.

The CISO’s job is to maintain a current, credible, and easy to understand statement of ‘risk from security breach’ (i.e. ‘what type of threat can impact which valuable assets’’) and mitigation options to control that to varying degrees. These mitigation options give business executives cost options thereby enabling business executives to choose, in simple terms, their risk appetite.

A CISO that is aligned with the business and applies strategic and calibrated mitigation plans says things like, ‘‘This is what can be reasonably expected with current investment.” and “With different levels of investment this is what is reasonable to expect.”

The variables introduced above provide the foundations to justify the costs of any security program by quantifying protection expectations, and establishing the business’ risk appetite.