Investments in cybersecurity tend to be fairly significant, so organizations continually seek ways to determine whether those investments are appropriate based on their return. However, companies struggle to fit the traditional discounted cash flow methods to the calculation of a return on investment (ROI) that would justify cybersecurity initiatives. Return on (cyber)security investment (ROSI), which requires a method to quantify the intangible returns on cybersecurity initiatives, is even harder to calculate with traditional accounting methods than the return on conventional IT initiatives.

The perceptions and views of non-IT management toward cybersecurity are among the factors that make it hard to justify the expense of such initiatives. The resulting communication gap is apparent in views and questions such as the following:

  • Security is not an investment.
  • Is cybersecurity an IT discipline?

The investment justification methodology proposed in my recent Journal article applies to situations in which company competitiveness is examined, critical success factors are defined, and risk and challenges are identified. The objective of the company’s cybersecurity decision model (CSDM) is to frame cybersecurity initiatives with justifications in alignment with company business objectives and governance.

One critical component of my proposed cybersecurity investment decision model is that it is formed from the company's collective effort, managed in a workshop environment. The workshop tool, based on the analytic hierarchy process (AHP), is the technique used to facilitate the discussion and to determine the degree of impact and the priority of each proposed initiative.
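As an added illustration (not the author's workshop tool or the CSDM itself), the following Python sketch shows how AHP turns pairwise judgements into priority weights: the company objectives are weighted, each initiative is scored under each objective, the scores are aggregated, and a consistency ratio flags judgement sets the workshop should revisit. The objectives, initiatives and judgement values are constructed for the example.

```python
# Added example of two-level AHP prioritisation; the sample data below is constructed.
RANDOM_INDEX = [0.0, 0.0, 0.58, 0.90, 1.12, 1.24, 1.32, 1.41, 1.45, 1.49]  # Saaty's RI

def reciprocal_matrix(n, upper):
    """Full pairwise matrix from {(i, j): a_ij} = 'i is a_ij times as important
    as j' (Saaty 1-9 scale); the lower triangle is filled with 1/a_ij."""
    m = [[1.0] * n for _ in range(n)]
    for (i, j), v in upper.items():
        m[i][j], m[j][i] = float(v), 1.0 / v
    return m

def priority_vector(m):
    """Column-normalise and average rows: the usual approximation of the
    principal eigenvector, i.e. the priority weights (they sum to 1)."""
    n = len(m)
    col = [sum(m[i][j] for i in range(n)) for j in range(n)]
    return [sum(m[i][j] / col[j] for j in range(n)) / n for i in range(n)]

def consistency_ratio(m, w):
    """CR = CI / RI with CI = (lambda_max - n) / (n - 1); judgements with
    CR above about 0.10 are normally sent back to the workshop for revision."""
    n = len(m)
    lam = sum(sum(m[i][j] * w[j] for j in range(n)) / w[i] for i in range(n)) / n
    ci = (lam - n) / (n - 1) if n > 1 else 0.0
    return ci / RANDOM_INDEX[n - 1] if RANDOM_INDEX[n - 1] else 0.0

def rank_initiatives(objectives, initiatives, obj_judgements, init_judgements):
    """Weight the objectives, score each initiative under each objective,
    aggregate, and report the worst consistency ratio seen at either level."""
    om = reciprocal_matrix(len(objectives), obj_judgements)
    ow = priority_vector(om)
    worst_cr = consistency_ratio(om, ow)
    total = [0.0] * len(initiatives)
    for k, obj in enumerate(objectives):
        m = reciprocal_matrix(len(initiatives), init_judgements[obj])
        w = priority_vector(m)
        worst_cr = max(worst_cr, consistency_ratio(m, w))
        for i, wi in enumerate(w):
            total[i] += ow[k] * wi
    return sorted(zip(initiatives, total), key=lambda p: -p[1]), worst_cr

# Constructed sample input: two company objectives, three candidate initiatives.
OBJECTIVES = ["Protect revenue", "Regulatory compliance"]
INITIATIVES = ["MFA rollout", "SIEM upgrade", "Awareness training"]
OBJ_JUDGEMENTS = {(0, 1): 3}  # revenue protection judged 3x as important
INIT_JUDGEMENTS = {
    "Protect revenue": {(0, 1): 3, (0, 2): 5, (1, 2): 2},
    "Regulatory compliance": {(0, 1): 1, (0, 2): 2, (1, 2): 3},
}
```

Calling `rank_initiatives(OBJECTIVES, INITIATIVES, OBJ_JUDGEMENTS, INIT_JUDGEMENTS)` returns the initiatives ordered by aggregate weight together with the worst consistency ratio, which is the figure a facilitator checks before accepting the workshop's judgements.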

Figure 1—Example of Cybersecurity Decision Model 


Source: Robert Putrus. Reprinted with permission.

In my recent Journal article, I described several benefits and byproducts to expect from applying the nontraditional ROSI justification methodology, including:

  1. Establishing a clear and dynamic link among company goals, objectives, risk and cybersecurity initiatives
  2. Elevating cybersecurity planning and implementation to the corporate governance level with easier interpretation for nontechnical and technical personnel
  3. Providing a communication platform for management team alignment and support
  4. Developing a company business model that is well understood by the management team and other company entities
  5. Identifying and prioritizing the interrelated elements where management is able to establish better planning, rationalization and deployment of initiatives
  6. Quantifying the impact the proposed initiative might have on each of the company objectives and on the bottom line
  7. Seeking the support of the management team for future departmental initiatives and operational decisions

Read Robert Putrus’s recent Journal article:
“A Nontraditional Approach to Prioritizing and Justifying Cybersecurity Investments,” ISACA Journal, vol. 2, 2016.

Robert Putrus, CISM, CFE, CMC, PE, PMP

[ISACA Journal Author Blog]

By Philip Hung Cao

Philip Hung Cao (aka #tekfarmer), MSCS, ZTX-I, CCISO, CISM, CCSP, CCSK, CASP, GICSP, PCNSE is a Strategist, Advisor, Contributor, Educator and Motivator. He has 20 years' experience in the IT/cybersecurity industry across various sectors and positions.
