
A Nontraditional Approach to Prioritizing and Justifying Cybersecurity Investments



Investments in cybersecurity tend to be fairly significant, so organizations continually seek ways to determine whether the investments are appropriate based on return. However, companies are challenged to apply and fit the traditional discounted cash flow methods to calculate a return on investment (ROI) and justify cybersecurity initiatives. Return on (cyber)security investment (ROSI), which requires a method to quantify the intangible returns of cybersecurity initiatives, is even harder to calculate with traditional accounting methods than the return on traditional IT initiatives.

The perceptions and views of non-IT management toward cybersecurity are among the contributing factors posing the challenge to justify the expense of such initiatives. A communication gap has resulted and is apparent in some of the following views and questions:

  • Security is not an investment.
  • Is cybersecurity an IT discipline?

The investment justification methodology proposed in my recent Journal article applies to situations in which company competitiveness is examined, critical success factors are defined, and risk and challenges are identified. The objective of the company’s cybersecurity decision model (CSDM) is to frame cybersecurity initiatives with justifications in alignment with company business objectives and governance.

One critical component of my proposed cybersecurity investment decision model formation is based on the company’s collective efforts managed in a workshop environment. The tool used in the workshop is based on the analytic hierarchy process (AHP), the technique used to facilitate the workshop and to determine the degree of impact and the priority of each proposed initiative.
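The following is an added worked example, not the article's own workshop tool: it shows how an AHP pass turns pairwise judgements from a workshop into priority weights for company objectives, checks that those judgements are consistent enough to trust, and then scores initiatives against the weighted objectives. The objectives, initiatives and all comparison values are constructed for illustration; the random-index table and the 0.10 consistency threshold are Saaty's standard values.

```python
"""AHP-style prioritization of cybersecurity initiatives (added example).

Assumed workflow (an illustration, not the article's own tool): a management
workshop produces reciprocal pairwise comparison matrices on Saaty's 1-9 scale,
once for the company objectives and once per objective for the initiatives.
"""
import math

# Saaty's random consistency index by matrix size (standard published values).
RANDOM_INDEX = {1: 0.0, 2: 0.0, 3: 0.58, 4: 0.90, 5: 1.12,
                6: 1.24, 7: 1.32, 8: 1.41, 9: 1.45, 10: 1.49}

# --- Constructed sample data (hypothetical objectives and initiatives) ---
OBJECTIVES = ["Protect customer data", "Maintain compliance", "Minimize downtime"]
# Objective i vs objective j: 2 means "i is weakly more important than j".
OBJECTIVE_MATRIX = [[1, 2, 2],
                    [1 / 2, 1, 1],
                    [1 / 2, 1, 1]]

INITIATIVES = ["MFA rollout", "EDR deployment", "Backup hardening"]
# For each objective, how strongly each initiative contributes to it.
IMPACT_MATRICES = {
    "Protect customer data": [[1, 2, 6], [1 / 2, 1, 3], [1 / 6, 1 / 3, 1]],
    "Maintain compliance":   [[1, 2, 2], [1 / 2, 1, 1], [1 / 2, 1, 1]],
    "Minimize downtime":     [[1, 1 / 3, 1 / 6], [3, 1, 1 / 2], [6, 2, 1]],
}


def check_reciprocal(matrix, tol=1e-9):
    """A valid AHP matrix has 1s on the diagonal and a[j][i] == 1 / a[i][j]."""
    n = len(matrix)
    for i in range(n):
        if abs(matrix[i][i] - 1.0) > tol:
            return False
        for j in range(n):
            if abs(matrix[j][i] - 1.0 / matrix[i][j]) > tol:
                return False
    return True


def priority_vector(matrix):
    """Approximate the principal eigenvector via normalized row geometric means."""
    n = len(matrix)
    geo_means = [math.prod(row) ** (1.0 / n) for row in matrix]
    total = sum(geo_means)
    return [g / total for g in geo_means]


def consistency_ratio(matrix):
    """CR = CI / RI with CI = (lambda_max - n) / (n - 1); CR > 0.10 means the
    judgements are too inconsistent and the workshop should revisit them."""
    n = len(matrix)
    if n <= 2:
        return 0.0
    w = priority_vector(matrix)
    aw = [sum(matrix[i][j] * w[j] for j in range(n)) for i in range(n)]
    lambda_max = sum(aw[i] / w[i] for i in range(n)) / n
    ci = (lambda_max - n) / (n - 1)
    return ci / RANDOM_INDEX[n]


def rank_initiatives(objective_matrix, objectives, impact_matrices, initiatives):
    """Global score of an initiative = sum over objectives of
    (objective weight) x (initiative's local priority under that objective)."""
    for name, m in [("objectives", objective_matrix)] + list(impact_matrices.items()):
        if not check_reciprocal(m):
            raise ValueError(f"matrix for {name!r} is not a valid reciprocal matrix")
        if consistency_ratio(m) > 0.10:
            raise ValueError(f"judgements for {name!r} are inconsistent (CR > 0.10)")
    weights = priority_vector(objective_matrix)
    scores = {name: 0.0 for name in initiatives}
    for objective, weight in zip(objectives, weights):
        local = priority_vector(impact_matrices[objective])
        for name, p in zip(initiatives, local):
            scores[name] += weight * p
    return scores


def prioritize():
    """Run the sample workshop data through the model; returns {initiative: score}."""
    return rank_initiatives(OBJECTIVE_MATRIX, OBJECTIVES, IMPACT_MATRICES, INITIATIVES)


if __name__ == "__main__":
    for name, score in sorted(prioritize().items(), key=lambda kv: -kv[1]):
        print(f"{name:18s} {score:.3f}")
```

Because every sample matrix is perfectly consistent, the weights come out exactly as the ratios encode them (objectives 0.50 / 0.25 / 0.25) and the consistency ratio is zero; real workshop judgements rarely are, which is why the CR gate is there before any ranking is presented to management.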

Figure 1—Example of Cybersecurity Decision Model 


Source:  Robert Putrus. Reprinted with permission.

In my recent Journal article, I stated several benefits and byproducts to expect from using the nontraditional ROSI justification methodology, including:

  1. Establishing a clear and dynamic link among company goals, objectives, risk and cybersecurity initiatives
  2. Elevating cybersecurity planning and implementation to the corporate governance level with easier interpretation for nontechnical and technical personnel
  3. Providing a communication platform for management team alignment and support
  4. Developing a company business model that is well understood by the management team and other company entities
  5. Identifying and prioritizing the interrelated elements where management is able to establish better planning, rationalization and deployment of initiatives
  6. Quantifying the impact the proposed initiative might have on each of the company objectives and on the bottom line
  7. Seeking the support of the management team for future departmental initiatives and operational decisions

Read Robert Putrus’s recent Journal article:
“A Nontraditional Approach to Prioritizing and Justifying Cybersecurity Investments,” ISACA Journal, vol. 2, 2016.

Robert Putrus, CISM, CFE, CMC, PE, PMP

[ISACA Journal Author Blog]

About @PhilipHungCao

@PhilipHungCao, CISM, CCSP, CCSK, CASP, CIW-WSP, GICSP, PCNSE, ACSP, CCDA, DCSE, JNCIA, MCTS, MCSA, VCP5-DCV, VCP6-NV, ZCNT is a #TekF@rmer. He has 16 years' experience in ICT/Cybersecurity industry in various sectors & positions.
