Jeff Williams, CTO at Contrast Security, believes that security leaders may be making a mistake in pitching the ROI from cyber resilience investments in terms of financial impact alone. Often, security leaders try to estimate the costs of avoided breaches to demonstrate the value of security investments. But the numbers they estimate can be so astronomical that they make eyes glaze over. Business leaders and boards simply tend to tune out those numbers, Williams says. “Business leaders are much more responsive to legal requirements such as the new EU Product Liability Directive that creates no-fault liability for software defects, including security vulnerabilities, and cost-savings,” he says. “So, I recommend focusing on metrics like accelerating software development and improved innovation.”
Use both data and stories where possible. “Too many leaders rely on dry and abstract charts about policy, vulnerability rates, mean time to recover, downtime, etc.,” Williams says. “The data is important, but don’t forget the stories that make the data real and compelling. Use those stories to build support for the initiatives you are pursuing.”
Stress the importance of maintaining customer trust, Lenguito from BforeAI says. Point out the need for compliance with legal and regulatory requirements. And do not forget to highlight the potential brand impact and reputation cost of downtime related to a cyberattack. “No cyber insurance will help recover the lost value from your brand,” he says.