In a conversation with CyberCrime Magazine’s Hillarie McClure, Ken Deitz, Secureworks® CSO and CISO, explains how to translate cybersecurity risk into dollars to ensure you're maximizing your investments. He answers questions about how to quantify risk, develop an appropriate security budget, and gain buy-in from C-suite executives and board members—without taking a fear-based approach.
Hillarie McClure
I’m Hillarie McClure, Multimedia Director at Cyber Crime Magazine. Welcome to “Let’s Talk SOC,” a cybercrime magazine podcast series brought to you by Secureworks, a leader in cybersecurity, empowering security and IT teams worldwide to accelerate effective security operations.
Joining me today is Ken Deitz, Chief Security Officer and Chief Information Security Officer at Secureworks. To start off, Ken, want to tell us a bit about your background and role at Secureworks?
Ken Deitz
Like you mentioned, I'm the Chief Security Officer and also the Chief Information Security Officer. The second part, the information security officer, takes up most of my job. So, we're a tech company that provides security services and products, and my job is to make sure our products and our employees are as safe as possible, all while delivering those services to our customers.
Hillarie McClure
Ken, I think a great topic for us to discuss today is “investing in cybersecurity.” And I think a great place to start is with the question of “How can businesses quantify cybersecurity risk in a way that guides investment decisions?” We hear this a lot from folks.
Ken Deitz
That's a tough question for businesses to answer, and there are several different schools of thought out there. But the main thing that businesses need to focus on is actually quantifying the risk. Once you have a good formula for how you're going to quantify the risk to the business and how much potential loss is on the table, then that can guide investments in those areas. So, as an example of that, there's a methodology called the FAIR methodology. And there's a FAIR Institute that has a method to get the amount of loss down to a dollar amount and measure the likelihood and the impact of a cyber event. That's a great place to start to quantify what your investment should look like.
Hillarie McClure
OK, that makes sense. When you put things into dollars – that speaks to everyone, because some boards and executives can have a hard time quantifying risk.
Ken Deitz
Yeah, it’s very hard. I'd say normally, right now, in most of the industry, we do a very qualitative risk assessment. So, a lot of folks in my position will talk to their boards or their leadership and try to tell them this is a high risk, but sometimes it's not clear what that means. To clear it up, we’ll try to put that in terms of dollars and say, “Well, this is a high risk, which means we could potentially be impacted somewhere in the range of $10 million, and it's more likely than not going to happen over the next two years.” And that really brings it home and lets them know, OK, then how much do we want to invest to avoid $10 million of potential impact over the next two years? That makes it easy to start having those conversations.
Hillarie McClure
Yeah, absolutely. And then I guess from there everyone wants to get a return on their investment, of course. How can organizations measure the ROI of their security investments? I know that's another potentially challenging thing for folks to overcome with teams.
Ken Deitz
Yeah, it is challenging, but there are very discrete things you can do. When you are looking to implement something new in your security program, be sure to set out very clear goals for that program. That way you can measure and answer the questions, “Did we meet those goals? Did we not?” But again, if you do a good risk assessment and you know where you want to be at on the likelihood and the loss curve, you can measure that over time and say, “Here's where our overall risk is, and here's where our investments are keeping this risk despite the changing landscape, the growth of the business, or the change in our technologies.
That's one way to measure it. The most popular way would be the goal-based way to measure. Here are the ten goals we set forth in this program, over ”x amount” of time, this is what we want to achieve. “Did we achieve them? Did we hit our budget? Did we not?” Those sorts of things. The main difficulty with showing ROI is you can't really prove a negative, so it's hard to prove how much impact you avoided by having a good program. You can always point to other places in the industry that had big impacts and say, “Well, we didn't look like them.” Even if you're investing a lot, the likelihood is never zero. And the impact is never going to be zero. So, you could always have a big, impacting event, but the question remains, “Is the program performing where we think it should be?
Hillarie McClure
When teams are pulling together budgets for the year, they are going to be thinking about these things. Sometimes I know the budget for security can land within the greater IT budget because of how things are broken out and what have you. So how about how much of the “IT budget” should go toward security, in your opinion, Ken?
Ken Deitz
This is a tough one, but, there are some benchmarks out there. I think Gartner has some great ones. They may be a little aged now, but they have some benchmarks on how much total technology spend goes towards security, and it varies widely by industry. But if you look at the top of the market, the most secure institutions, financial institutions and security organizations like ours, you're looking at close to 10% of their total IT budget on security. And that's a sizable chunk, whereas you'll see less mature organizations or industries will be spending, sometimes south of 5% or 4% of their IT budget. And not surprisingly, some of those would be industries where we saw large impacts, like the recent pipeline ransomware attack. Those are industries where they're really spending single-digit percentages of their tech budget on security.
Hillarie McClure
Ken, my final question for you, which is always another burning question that everyone has is, “How can security leaders get buy-in from C-suite execs and boards to invest in SoC?
Ken Deitz
That's a great question. I would say the first step is you don't want to just go in there and scare them. That seems to be a tactic that a lot of CISOs have taken over the years, and it's an old standby, but it has very limited effectiveness, and it'll wear off quickly. For instance, what if you do your job well and bad things don't happen? You can't keep the fear level extremely high in those cases, so I'd say make sure that your pitch is not fear-based but rather fact-based and focused on the amount of risk reduction you think is appropriate for the business. And that'll of course be a negotiation with the leadership of the company. Some companies want to take more risks. Some companies want to take less risk. Some businesses require more risk. But as long as you are having a risk-based discussion and you're talking about the amount of risk the organization should carry and the amount of investment the organization should make to control that risk, you're going to be much more successful than just trying to scare them and say, “Everything's bad. Give me as much money as possible.
Hillarie McClure
Yeah, that makes a lot of sense, but I can see why that's probably an old “go-to” for folks, especially with everything that's happening now, but scaring people and asking for money is probably, in general, not the greatest approach.
Ken Deitz
Well, it usually works the first time you do it. To me, it doesn't really have legs. It's just not sustainable. And eventually the business is going to come back and say, “Are we really making the right investments here? You've been scaring us for three years. We've been pouring money into this program. Is it worth it? We have other things we want to invest in and do as a business."