How Do Modern CISOs Prove Their Value? Focus on ROI

To be effective, modern chief information security officers need to demonstrate their contribution to the bottom line.

Andrew Smeaton , Chief Information Security Officer, Afiniti

May 9, 2023

4 Min Read
Wooden cubes with ROI Return on Investment symbol on background
Panther Media GmbH via Alamy Stock

In the past, a CISO’s role was primarily about ensuring IT security. For today’s CISO, effective security means helping the business achieve its goals, as well as protecting it from risk. Here are four ways you can demonstrate the value you bring to your organization.

1. Communicate the value of data security

The American bank robber Willie Sutton once said: “I rob banks because that's where the money is.” Today, the money is in data and attackers know this. In fact, the World Economic Forum recently found the cost of cybercrime will amount to $10 trillion by 2025.

As a CISO, it is your role to inform senior leaders of the value of the data your organization holds. That means communicating the cost of any reputational damage arising from a security breach, not to mention the risk of fines or lawsuits from having holes in your data security.

In a mature organization, the Board will balance a business’s potential security threats and risks with the likely rewards. CISOs should be at the heart of this process, advising the business so the Board can make informed decisions on how to navigate the risk. While risk mitigation is critical, CISOs will also benefit from positioning security as a business enabler, whereby empowering sales, customer success and product teams with knowledge around the business’s robust security practices can build trust with customers.

Amid the growing number of cyber threats, it is vital your leaders understand the role a strong data privacy program plays in retaining and even driving revenue.

2. Frame your budget needs effectively

Every CISO knows that strong security tools and programs are worth investing in; the risks of not doing so are too big to consider. But presenting a shopping list won’t get you anywhere. The most effective way of building a healthy security budget is to help people understand how it will be allocated -- and how proper resourcing benefits the bottom line.

One way is to present the budget through three lenses. What parts of the budget will be dedicated to simply running the business? What will go toward plugging significant gaps in the security infrastructure? Finally, how much will address higher costs stemming from increased usage of a particular technology?

By framing the budget conversation in this way, you will enable leaders to make decisions on budget that align with the overall business strategy.

3. Build trust with customers through proactive conversations

As we are seeing in recent cyber attacks, hackers are increasingly using third parties as a way to bypass an organization’s security systems.

The success of these attacks highlights the need to identify and eliminate any vulnerabilities in your own supply chain. You should be continually monitoring the security of all your third-party vendors, including any software libraries you use.

But from a vendor’s point of view, the increased threat of a major attack presents an opportunity. If you have a strong security program in place, that is something you should be proud of, and should actively advertise to your customers.

A proactive CISO will meet with their organization’s clients at least once or twice a year. During these meetings, you should be able to show them what a robust security infrastructure looks like. These conversations are also an opportunity to go beyond demonstrating you have your own house in order. You can also use them to add value to a client’s business by advising them on what you have picked up as possible security improvements from partnering closely with them.

Allocating time and budget to build customer trust in this way and your data security program can become a revenue driver for your organization. It will create a path for success for sales teams and ultimately drive revenue, which is especially important in today’s uncertain economy.

4. Create a culture of security throughout the organization

A robust security program requires a culture where everyone, from the top down, is empowered to actively secure the organization -- particularly as more companies move to remote-first working, and to multiple cloud environments.

What does a culture of security look like? It means that, in a few critical moments throughout the day, every employee thinks about their role in protecting security. For example, an employee working at a café should take the few seconds required to connect via a virtual private network. Ensuring such behavior requires the ongoing education of employees.

You should also be continually assessing your security by regularly simulating attacks. This work can expose weak points in your security and ensure everyone is aware of the processes and protocols to follow should the worst happen.

Building a culture of security will take your organization’s defenses to the next level. It will help people view security not as a costly, reactive expense, but as a proactive investment in building your organization’s competitive advantage.

About the Author(s)

Andrew Smeaton

Chief Information Security Officer, Afiniti

Andrew Smeaton is Chief Information Security Officer at Afiniti. In this role, he is responsible for maintaining and maturing Afiniti's information security program. Prior to joining Afiniti in 2022, he served as Chief Information Security Officer of DataRobot, where he built and led the global security team. He received the 2022 (ISC)² Global Achievement CEO Award for his contributions to the cybersecurity community.

Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.

You May Also Like

More Insights