Proving the ROI of Cybersecurity

The role of the CISO isn't simply an IT function anymore; today's CISOs have an increased focus on business enablement, as well as risk management.

Today, the role of CISOs and their teams extends beyond mitigating threats: it now involves working in concert with other teams to use security tools to accelerate time to market, improve innovation and enhance collaboration, delivering consistently better business outcomes and user experiences. Security is no longer something considered only once an application goes into production. From the DevOps process through lifecycle management to the customer journey it enables, security is an integral part of the digital enterprise. For CISOs, this requires a balance of business leadership, communication skills and security expertise to address everything from Advanced Persistent Threats to securing the company’s omnichannel engagement strategy.

Author: Jonathan Nguyen-Duy, VP of field CISO, Fortinet

Although almost everyone would agree that cybersecurity is everyone's responsibility, the reality is that at most organizations, ultimate accountability falls on the CISO and the board – not shared responsibility spread across multiple vendors and service providers.

Many operational metrics have traditionally been used to measure the effectiveness of cybersecurity initiatives: the number of events, the number of escalated incidents, the number of false positives, Mean Time to Detection (MTTD), Mean Time to Respond (MTTR), Mean Time to Remediation, the number of systems with known vulnerabilities, and a slew of other key performance indicators. While these metrics remain important, CISOs are now being asked to show cybersecurity ROI and demonstrate how their initiatives support better business outcomes and user experiences. Business outcomes and user experience are the emerging KPIs as digital transformation takes hold and the marketplace shifts to contactless commerce and public services, manifested in work from anywhere, telemedicine, remote learning and cloud computing. Cybersecurity today is as much about ensuring the success of the enterprise and its stakeholders as it is about risk management. Thus, it makes sense for CISOs to look at security through the lens of key performance indicators that demonstrate tangible business results.
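As an added example (not code from the original article or from Fortinet), the following Python computes MTTD, MTTR and mean time to remediation from a constructed set of incident records. It reports the median alongside the mean because a single long-dwell incident can dominate the mean, which is a caveat worth carrying into any board-level dashboard. The record fields and the convention that response and remediation are measured from the moment of detection are assumptions, not the article's own definitions.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, median
from typing import Optional


@dataclass
class Incident:
    """One incident record (assumed schema, constructed for this example).

    occurred   - first evidence of attacker activity, from forensics
    detected   - time the alert was raised
    responded  - time an analyst began containment (None if not yet triaged)
    remediated - time the root cause was fixed (None if still open)
    """
    ident: str
    occurred: datetime
    detected: datetime
    responded: Optional[datetime]
    remediated: Optional[datetime]


def _t(iso: str) -> datetime:
    return datetime.fromisoformat(iso)


# Constructed sample incidents (UTC timestamps). INC-3 is a long-dwell case,
# INC-4 has been detected but not yet triaged.
INCIDENTS = [
    Incident("INC-1", _t("2024-03-01T02:00:00"), _t("2024-03-01T03:30:00"),
             _t("2024-03-01T04:00:00"), _t("2024-03-02T04:00:00")),
    Incident("INC-2", _t("2024-03-03T10:00:00"), _t("2024-03-03T10:10:00"),
             _t("2024-03-03T10:40:00"), _t("2024-03-03T16:40:00")),
    Incident("INC-3", _t("2024-02-20T00:00:00"), _t("2024-03-05T00:00:00"),
             _t("2024-03-05T06:00:00"), None),
    Incident("INC-4", _t("2024-03-06T08:00:00"), _t("2024-03-06T08:20:00"),
             None, None),
]


def _hours(start: datetime, end: datetime) -> float:
    return (end - start).total_seconds() / 3600


def _summarise(samples: list) -> dict:
    # Report both mean and median; with skewed data the median is the
    # more honest "typical" figure, the mean is the headline KPI.
    if not samples:
        return {"mean_h": None, "median_h": None, "n": 0}
    return {"mean_h": round(mean(samples), 2),
            "median_h": round(median(samples), 2),
            "n": len(samples)}


def metrics(incidents: list) -> dict:
    """Compute MTTD, MTTR and mean time to remediation in hours.

    Assumed conventions: MTTD = occurred -> detected, MTTR = detected -> responded,
    MTTRem = detected -> remediated. Incidents missing a timestamp are excluded
    from that metric rather than silently counted as zero.
    """
    ttd = [_hours(i.occurred, i.detected) for i in incidents]
    ttr = [_hours(i.detected, i.responded) for i in incidents if i.responded]
    ttrem = [_hours(i.detected, i.remediated) for i in incidents if i.remediated]
    return {
        "MTTD": _summarise(ttd),
        "MTTR": _summarise(ttr),
        "MTTRem": _summarise(ttrem),
        "open": sum(1 for i in incidents if i.remediated is None),
    }


if __name__ == "__main__":
    for name, value in metrics(INCIDENTS).items():
        print(f"{name}: {value}")
```

On the constructed data the MTTD mean is 84.5 hours while the median is under an hour: the single two-week-dwell incident drives the mean, which is exactly the kind of distinction a CISO should be ready to explain when a board asks why "average detection time" looks bad.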

The classic quote from Peter Drucker, “If you can’t measure it, you can’t improve it,” is relevant for CISOs in this situation. The question is what operational data do you have that indicates how cybersecurity affects the business?

Customer Experiences Matter

Although you could make the argument that too many companies ignore it, the Return on Investment (ROI) from improving the customer experience is well documented. Quite simply, customer-centric companies are more profitable and generate more revenue. The trick to improving the customer experience is to understand exactly what matters to your customers. Unfortunately, what an organization thinks their customers want may not be what is actually important to them.

For example, most people assume that faster is always better, but depending on your industry, the speed of service may matter less than price or transparency. Without complete data, it's difficult to know what customers find most important. You can look at the American Customer Satisfaction Index or perform online surveys, but these options are often either too general or provide only a small glimpse into the way a customer feels during a small window in time.

Customer Preferences and Experience Drivers

In looking for ways to measure customer experience, the move to enable work from anywhere may offer CISOs an opportunity to quantify the value of security to the business, because it produces data on what happens when customers engage with the organization.

Security needs to deliver the same, consistent experience everywhere, so more organizations are looking at Zero Trust Network Access (ZTNA), which applies the same access policy no matter where the user is located. ZTNA enforces security policies on the corporate network, in the cloud, and off-network.

A side effect of implementing ZTNA is that the inventory of data, applications, users and their criticality that you assemble for Zero Trust planning can also be used to map the customer journey and to better understand your customers' application and data usage. You can gain key insights about touch points and operational metrics that show exactly what moves the needle, and you can also see specific customer preferences and experience drivers about how they like to be served. The data can answer questions such as:

  • Is your service reliable?
  • Is it transparent?
  • Is it easy to access?
  • Is the service quality high?
  • Is it worth the person's time and money?

Operational data about the number of failed logins, trouble tickets, help desk tasks, ecommerce transactions, views, conversions, customer hand-offs, wait times, application performance, revenue and other KPIs can all be tracked to better understand how investments in security yield tangible, real-world business outcomes.

Authentication, access control and user identity are all elements of ZTNA that produce data you can analyze. Of course, implementing Zero Trust may not happen overnight, but improving what you already have can move you along your Zero Trust journey sooner rather than later. A few key questions to ask:

  • Where do my apps reside today?
  • What projects are ongoing? Can I add ZTNA at the same time?
  • Where do my users connect from? Where are they located?
  • What timeline do I have to bring my apps to ZTNA?

Once you have the data, you can use a digital experience monitoring solution to garner more insights. By gaining visibility into network and application performance, you can more easily identify service bottlenecks or network performance issues that affect the customer experience.

Data Is a Business Opportunity

Digging deeper into how security enables the business itself makes it possible to determine the ROI and use this information to justify expenditures in cybersecurity. By strategically implementing ZTNA and then monitoring performance, you can definitively show the impact that security has on the bottom line with detailed customer experience data that every CMO can understand. This is how implementing great security principles can be truly transformative.


Author Jonathan Nguyen-Duy is VP of field CISO at Fortinet. Regularly contributed guest blogs are part of MSSP Alert’s sponsorship program.