One of the quickest ways for a CISO to earn a promotion is to prove that their security team can deliver revenue gains by protecting customers and strengthening their trust. Any organization’s security posture is core to the customer experiences it delivers. Protecting customers’ identities and data can mean the difference between being in business next year and being gone.
Forrester Research’s Security and Risk Forum 2022 session provided practical, pragmatic advice and insights to security and risk professionals. It challenged them to take control of cybersecurity initiatives, which is a core competency of their businesses.
Two presentations provided insights into how CISOs can deliver more value and advance their careers. One was “Cybersecurity Drives Revenue: How to Win Every Budget Battle” from Jeff Pollard, VP and principal analyst at Forrester. The other was “Communicating Value: A CISO’s Business Acumen Primer” from Chris Gilchrist, also a principal analyst at Forrester.
CISOs need to flex their growing influence
How trusted and proven a given enterprise’s security posture is affects its revenue and deal pipeline. How close is an enterprise to achieving its zero-trust initiatives, including multi-factor authentication (MFA), identity and access management (IAM) and privileged access management (PAM)? The answer will determine whether it qualifies for cyber insurance and what the premiums will be.
And a company must show enterprise buyers that cyber insurance is in place before it will qualify for larger sales opportunities and deals, and before buyers will sign a purchase contract and issue their first purchase orders. “When something touches as much revenue as cybersecurity does, it is a core competency. And you can’t argue that it isn’t,” Pollard said during his presentation on how cybersecurity drives revenue.
CISOs need to flex their growing influence and prove they and their teams can be counted on to help drive revenue. A great way to do that is by focusing their teams on how investments in cybersecurity protect and grow customer trust. “This means that security is now a driver of corporate strategy rather than buried as an operational line item only to be managed and measured as a cost. In other words, security now has the latitude to defend and drive growth,” said Gilchrist.
“I’m seeing more and more CISOs joining boards. I think this is a great opportunity for everyone here [at Fal.Con] to understand what impact they can have on a company. From a career perspective, it’s great to be part of that boardroom and help them on the journey — to keep business resilient and secure,” George Kurtz, co-founder and CEO of CrowdStrike, said during his keynote at his company’s annual event.
He continued, “Adding security should be a business enabler. It should be something that adds to your business resiliency, and it should be something that helps protect the productivity gains of digital transformation.”
As cybersecurity is a cost of doing business, CISOs’ roles are now strategic and can turn into board-level positions. CISOs who excel at leading their teams in delivering revenue gains are key to helping boards of directors understand how technology reduces enterprise-wide risk. “While CISOs need to continue working on translating technology and technical risk into business risk, and be able to better deliver that risk story to their board, on the other side of the aisle, we need the board to be able to understand the true implication of cyber risk on the ultimate shareholder value and business goals,” said Lucia Milica, global resident CISO at Proofpoint.
Proofpoint’s recent report, Cybersecurity: The 2022 Board Perspective, found that 73% of boards have at least one member with cybersecurity experience. In addition, most board members (77%) believe cybersecurity is a top priority for their board itself. Thus, “the role of the CISO is evolving from technical specialist to the business executive who can understand where business value is coming from and articulate to the board how to protect it,” said Betsy Wille, director of The Cybersecurity Studio and former CISO at Abbott.
How CISOs can drive revenue gains
A few critical areas CISOs and their teams need to concentrate on to drive revenue include: identifying how cybersecurity practices affect deal flows; reducing barriers to entry into new markets by meeting regulatory requirements; and reducing breach costs. Jeff Pollard’s presentation proposed a four-step approach to identifying the revenue impact of security spending.
- Identify requirements for security controls.
- Quantify the overall current contract value and lifetime customer value.
- Link spending allocations for all controls that satisfy those requirements.
- Total each of those items separately, so that every security spending allocation is tied to the revenue it supports.
One major benefit of following this framework is that it quantifies the value of reducing customer risks. In addition, CISOs attending board meetings with quantified risk assessments are speaking board members’ language. That’s a great career strategy for earning visibility and promotion.
The Forrester methodology’s goal is to determine how much a specific security investment costs per customer, and how much revenue that specific customer segment generates. In essence, the methodology looks at the return on security investment while also quantifying what is at stake if the customer base is unprotected.
Knowing how many customers rely on an organization to protect their identities by using privileged identity management (PIM), and how much revenue those customers contribute, helps determine what percentage of the security budget needs to be spent on PIM. “We spend Z; they’re responsible for Y revenue. You can also tabulate the revenue that’s at stake if you got rid of that control … if you didn’t have the budget to renew that control, to renew licensing … to support it,” Pollard explained during his presentation.
For example, assume 330 customers require enterprise-grade PIM to protect their identities, at an annual cost of $250,000. The cost per customer is $757.58. The analysis then takes the total annual revenue of the customers needing PIM and divides it by the cost of implementing the PIM system, which expresses how much revenue each dollar of security coverage protects for that customer base. Thus Forrester’s analysis also delivers value to CISOs by helping them quantify the risk to revenue of not protecting customers adequately.
CISOs can use this analysis to protect their budgets by asking if it’s worth putting millions of dollars in revenue at risk by not spending the $250,000 to protect it. Expanding this across all line items in a budget gives a CISO significant bargaining power in negotiations with a CFO and board. It also provides a consolidated financial view of the cost of risks if budgets are cut. Also, for CISOs interested in advancing their careers, risk quantification is what boards of directors focus on today.
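The four-step approach and the PIM worked example above, carried through for several budget line items. This is an added illustration, not Forrester's or the article's own model; the control names, customer book and revenue figures are constructed, with the PIM item using the article's 330 customers and $250,000 annual cost.

```python
"""Revenue-at-stake model for the four-step security budgeting approach.
Constructed example; the customer book and per-customer revenue are assumptions."""
from dataclasses import dataclass, field


@dataclass
class Control:
    """One security-control line item in the budget."""
    name: str                      # e.g. "PIM"
    annual_cost: float             # annual spend on the control
    # Step 1: only customers whose contract requires this control are listed.
    # Constructed map of customer id -> annual revenue from that customer.
    customers: dict[str, float] = field(default_factory=dict)

    def customer_count(self) -> int:
        return len(self.customers)

    def cost_per_customer(self) -> float:
        # Step 3: link the control's spend to the customers that require it.
        return self.annual_cost / self.customer_count()

    def revenue_at_stake(self) -> float:
        # Step 2: contract value the control supports (lost if the control is dropped).
        return sum(self.customers.values())

    def revenue_per_security_dollar(self) -> float:
        # Revenue protected per dollar spent on this control.
        return self.revenue_at_stake() / self.annual_cost


def budget_summary(controls: list[Control]) -> list[dict]:
    """Step 4: total each control separately, ranked by revenue at stake."""
    rows = []
    for c in controls:
        rows.append({
            "control": c.name,
            "customers": c.customer_count(),
            "annual_cost": c.annual_cost,
            "cost_per_customer": round(c.cost_per_customer(), 2),
            "revenue_at_stake": c.revenue_at_stake(),
            "revenue_per_dollar": round(c.revenue_per_security_dollar(), 2),
        })
    return sorted(rows, key=lambda r: r["revenue_at_stake"], reverse=True)


# Constructed sample book: PIM uses the article's figures (330 customers, $250,000/yr);
# the $10,000 and $5,000 per-customer revenues and the MFA line item are assumptions.
PIM = Control("PIM", 250_000.0, {f"cust-{i}": 10_000.0 for i in range(330)})
MFA = Control("MFA", 80_000.0, {f"cust-{i}": 5_000.0 for i in range(120)})

if __name__ == "__main__":
    for row in budget_summary([PIM, MFA]):
        print(row)
```

The ranked rows give the consolidated view the article describes: for each line item, what it costs per customer and how much revenue is exposed if that control's budget is cut.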
CISOs need to be bold about delivering value
CISOs face a number of challenges, including consolidating their tech stacks, getting more done with fewer people because of a chronic security labor shortage, and continuing pressure to cut budgets. Therefore they need a methodology to defend their budgets. As security budgets go, so go the careers of entire departments.
Showing how security drives revenue and knowing how to quantify risk is a valuable skill for CISOs and their teams to develop. Boards of directors think and talk in these terms. So CISOs who develop them as a skill set early on will boost their careers and may eventually earn a promotion and a role on the board of directors.