One of the fastest ways for a CISO to get promoted is to prove that their security team can drive revenue gains by protecting customers and building trust. The security posture of any organization is at the heart of the customer experiences it provides. Protecting customer identities and data can be the difference between being in business next year and being gone.
Forrester Research’s 2022 Security and Risk Forum sessions offered practical, pragmatic advice and information for security and risk professionals, challenging them to take control of cybersecurity initiatives and to treat cybersecurity as a core competency of their businesses.
Two presentations provided insight into how CISOs can deliver more value and advance their careers. One was “Cybersecurity Drives Revenue: How to Win Every Fiscal Battle” by Jeff Pollard, vice president and principal analyst at Forrester. The other was “Communicating Value: A CISO’s Business Acumen Primer” by Chris Gilchrist, also a principal analyst at Forrester.
CISOs must use their growing influence
The degree of confidence in, and effectiveness of, a company’s security posture affects its revenue and deal pipeline. How close an organization is to achieving its zero-trust initiatives, including multi-factor authentication (MFA), identity and access management (IAM) and privileged access management (PAM), determines whether it will qualify for cyber insurance and what the premiums will be.
A business must also show buyers that cyber insurance is in place before it can compete for larger sales opportunities and transactions, before buyers sign a purchase agreement and before they issue their first purchase orders. “When something hits as much revenue as cybersecurity, it’s a critical skill. And you can’t pretend it’s not,” Pollard said during his presentation on how cybersecurity drives revenue.
CISOs need to demonstrate their growing influence and prove that they and their teams can be counted on to drive revenue. One of the best ways to do this is to focus their teams on how cybersecurity investments protect and build customer trust. “This means that security is now a driver of business strategy rather than buried as an operational line item only to be managed and measured as a cost. In other words, security now has the latitude to champion and drive growth,” said Gilchrist.
“I see more and more CISOs joining boards of directors. I think this is a great opportunity for everyone here [at Fal.Con] to understand what impact they can have on a business. From a career perspective, it’s great to be a part of this boardroom and help them on their journey – to ensure business resilience and security,” said George Kurtz, co-founder and CEO of CrowdStrike, during his speech at his company’s annual event. He continued, “Adding security should be a business enabler. It should be something that adds to the resilience of your business, and it should be something that helps protect the productivity gains of digital transformation.”
Because cybersecurity is now a cost of doing business, the CISO role has become strategic and can grow into a board-level position. CISOs who excel at leading their teams to drive revenue gains are key to helping boards understand how technology reduces enterprise-wide risk. “While CISOs need to continue to work on translating technology and technical risk into business risk, and be able to better convey that risk story to their board, across the aisle we need the board to be able to understand the true implication of cyber risk on ultimate shareholder value and business objectives,” said Lucia Milica, global resident CISO at Proofpoint.
Proofpoint’s recent report, Cybersecurity: The 2022 Board Perspective, found that 73% of boards have at least one member with cybersecurity experience. Additionally, most board members (77%) think cybersecurity is a top priority for their board itself. So, “the CISO’s role is evolving from a technical specialist to a business executive who can understand where business value comes from and explain to the board how to protect it,” said Betsy Wille, director of The Cybersecurity Studio and former CISO at Abbott.
How CISOs can drive revenue gains
CISOs and their teams need to focus on several critical areas to drive revenue: identifying how cybersecurity practices affect deal flow; reducing barriers to entering new markets by meeting regulatory requirements; and reducing breach costs. Jeff Pollard’s presentation offered a four-step approach to identifying the impact of security spending on revenue.
- Identify the security controls that customers and contracts require.
- Quantify the aggregate value of the current contracts and the lifetime value of the customers that require them.
- Link the expense allocations for every control that meets those requirements.
- Total each of these items separately, so that every line of security spending is tied to the revenue it protects.
One of the main benefits of following this framework is that it quantifies the value of reducing customer risk. CISOs who walk into board meetings with quantified risk assessments also speak the language of board members, which is an excellent career strategy for gaining visibility and promotion.
The objective of the Forrester methodology is to determine the cost of a specific security investment per customer and the revenue generated by that specific customer segment. Essentially, the methodology examines the return on security investment while quantifying what is at stake if the customer base is not protected.
Knowing how many customers rely on an organization to protect their identities with privileged identity management (PIM), and how much revenue those customers generate, helps determine what share of the security budget should go to PIM. “We spend Z; they’re responsible for Y revenue. You can also recognize in-game revenue if you got rid of that control… if you didn’t have the budget to renew that control, renew the licenses… to support it,” Pollard explained during his presentation.
For example, suppose 330 customers need an enterprise-grade PIM system to protect their identities, at an annual cost of $250,000. The cost per covered customer is $757.58. The analysis then sets the total annual revenue of the customers requiring PIM against the cost of running it, which shows how much customer revenue each security dollar protects. In this way Forrester’s analysis also helps CISOs quantify the revenue they put at risk by not adequately protecting customers.
CISOs can use this analysis to defend their budgets by asking whether it is worth putting millions of dollars of revenue at risk to avoid spending the $250,000 that protects it. Extending the same calculation to every line item in the budget gives a CISO significant bargaining power with the CFO and the board, and it provides a consolidated financial view of what is at stake if the budget is cut.
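To make the four steps concrete, here is an added Python model of the control-to-revenue calculation. It is illustrative code written for this article, not Forrester’s or Pollard’s own tooling, and the customer portfolio it builds is constructed: 330 enterprise customers whose contracts require PIM and MFA, plus 20 smaller customers that require only MFA, with assumed contract values and control costs. It reproduces the $757.58 per-customer figure above and adds one thing the prose only hints at: when several controls are cut at once, the revenue at risk is the revenue of the customers who depend on any of them, not the sum of the per-control figures, because a customer that requires two controls must not be counted twice.

```python
"""Control-to-revenue model in the spirit of the Forrester four-step approach.
Added example with constructed data; not code from Forrester or the article."""
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float  # licences, staff and support for this control (assumed)


@dataclass(frozen=True)
class Customer:
    name: str
    annual_revenue: float            # step 2: current contract value (assumed)
    required_controls: frozenset     # step 1: controls the contract or questionnaire requires


def control_report(customers: Iterable[Customer], controls: Iterable[Control]) -> Dict[str, dict]:
    """Steps 3 and 4: for each control, tally the customers that require it, their
    aggregate revenue, the control's cost, the cost per covered customer and the
    revenue protected per security dollar."""
    customers = list(customers)
    report = {}
    for ctrl in controls:
        dependent = [c for c in customers if ctrl.name in c.required_controls]
        revenue = sum(c.annual_revenue for c in dependent)
        n = len(dependent)
        report[ctrl.name] = {
            "customers": n,
            "annual_cost": ctrl.annual_cost,
            "cost_per_customer": round(ctrl.annual_cost / n, 2) if n else None,
            "revenue_protected": revenue,
            "revenue_per_security_dollar": (
                round(revenue / ctrl.annual_cost, 2) if ctrl.annual_cost else None
            ),
        }
    return report


def revenue_at_risk(customers: Iterable[Customer], dropped_controls: Iterable[str]) -> float:
    """Revenue exposed if the named controls are cut from the budget.
    A customer that requires several of the dropped controls is counted once,
    so this is the union of dependent customers, not the sum of per-control rows."""
    dropped = frozenset(dropped_controls)
    return sum(c.annual_revenue for c in customers if c.required_controls & dropped)


def build_sample_customers() -> List[Customer]:
    """Constructed portfolio: 330 enterprise customers (the article's PIM figure)
    requiring PIM and MFA, and 20 smaller customers requiring only MFA."""
    customers = [
        Customer(f"ent-{i}", 30_000.0, frozenset({"PIM", "MFA"})) for i in range(330)
    ]
    customers += [
        Customer(f"smb-{i}", 5_000.0, frozenset({"MFA"})) for i in range(20)
    ]
    return customers


# Assumed annual costs for the two controls in the sample portfolio.
SAMPLE_CONTROLS = [Control("PIM", 250_000.0), Control("MFA", 60_000.0)]


if __name__ == "__main__":
    portfolio = build_sample_customers()
    for name, row in control_report(portfolio, SAMPLE_CONTROLS).items():
        print(name, row)
    # Dropping both controls exposes the union of their customers' revenue,
    # which is less than adding the two per-control figures together.
    print("cut PIM:", revenue_at_risk(portfolio, ["PIM"]))
    print("cut PIM and MFA:", revenue_at_risk(portfolio, ["PIM", "MFA"]))
```

Running it prints a row per control (330 customers, $757.58 per customer and $9.9M protected for PIM) and then shows that cutting both controls puts $10M at risk rather than the $19.9M a naive sum of the two rows would suggest. In practice the contract values come from the CRM and the control requirements from customer security questionnaires and contract clauses; the model only does the tallying.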
For CISOs interested in advancing their careers, risk quantification is also what boards are focusing on today.
CISOs need to be bold to deliver value
CISOs face a number of challenges, including consolidating their technology stacks, doing more with fewer staff because of a chronic shortage of security talent, and continued pressure to cut budgets. They therefore need a methodology to defend their budgets. As security budgets go, so go the careers of entire departments.
Showing how security generates revenue and knowing how to quantify risk are valuable skills that CISOs and their teams must develop. Boards of directors think and speak in these terms, so CISOs who build this skill set early will boost their careers and may eventually earn a promotion and a seat on the board.
VentureBeat’s mission is to be a digital public square for technical decision makers to learn about transformative enterprise technology and conduct transactions.