Saved by Chad Hudson
Communicating Cybersecurity ROI to Your CFO
As an example, imagine a company expanding into Europe. That expansion is subject to General Data Protection Regulation (GDPR), and this will influence priorities and investments in areas that may not be as critical to a purely security-focused program. A valuable CISO recognizes the business need and context for the controls they recommend. In thi
Dark Reading • Rethinking Cybersecurity's Structure & the Role of the Modern CISO
The language of business, according to Curry, can be summarized in six concepts:
Revenue
Employee efficiency
Strategic value
Cost
Risk
Customer satisfaction
Fred O'Connor • Now That Security Leaders Have Been Invited Into the Boardroom, What Do They Say?
Companies have used the risk-based approach to effectively reduce risk and reach their target risk appetite at significantly less cost. For example, by simply reordering the security initiatives in its backlog according to the risk-based approach, one company increased its projected risk reduction 7.5 times above the original program at no added co
Jim Boehm • The Risk-Based Approach to Cybersecurity
Both Easterly and Zhora stress the importance of communicating cyber risks in a language that resonates with business decision-makers. This enables informed decision-making when allocating resources to cybersecurity initiatives. By aligning cybersecurity efforts with business goals, organizations can view cybersecurity not merely as a constraint, b
ctsmithiii • Building Cyber Resilience in an Age of Growing Threats
Executives are often forced to make sense of a long list of sometimes conflicting metrics. By linking KRIs and KPIs, the cybersecurity team gives executives the ability to engage in meaningful problem-solving discussions on which risks are within tolerances, which are not, and why (see the sidebar, “Linking a KRI to a KPI”).