The Problem with Cyber Security ROI
CISOs being asked those questions should look beyond the topic itself and face the underlying issues it might be hiding.
If the reporting line of the CISO is the oldest ongoing topic of discussion amongst cyber security communities, security ROI is probably the second oldest…
In reality, it hides several endemic problems which have been plaguing the security industry for the last two decades.
First of all, it downgrades cyber security to a mere matter of investment that has to be justified, implying that a lack of funding and resources lies at the heart of the low security maturity levels and the epidemic of cyber-attacks we have been seeing for the last 10 years.
In fact, the problems have largely been elsewhere: large organisations have collectively committed billions to cyber security over that period; it is governance and cultural issues that have led to adverse prioritisation and execution failures.
While it might be the case that some organisations have not invested enough in relation to the threats they face, the security ROI discussions are often the sign of arbitrary programmes of work driven bottom-up by a CISO, either replicating recipes applied elsewhere or listening to the sirens of some…