In my 30 years of IT career, I’ve met only one C-level executive with a global understanding of the necessity of investments in information technology, particularly cybersecurity improvements. And I’ve seen a lot of business owners and talented entrepreneurs that build in a short time multimillion dollars companies that need more comprehension of how and why their assets need to be protected. Without digging deep into my memory, I can bring up one episode when the owner of a fast-growing company walked into one of the offices and saw my employee installing a firewall between a provider modem and a local domain with about 30 desktops, a backup server, and a domain controller.
Of course, he asked questions about what was changing and why. After he received the answer that this new device was a firewall meant to protect the corporate network from unwanted traffic and possible hostile intrusions, he raised his eyebrows and replied, “Why do we need it? We can only get hacked if somebody breaks our doorlock and reaches for the server!”. Another episode from not that far ago happened when executives decided to hire the least expensive and the least skilled web development company to save big on external website development. The result of this decision was that the corporate website was defaced by hacktivists twice. And finally, the most painful episode in my memory happens when the combination of multiple factors, such as the lack of employee training, outdated antivirus software with missing updates, improper segmentation, and overuse of privileged accounts in the domain, lead to a massive ransomware attack that almost brought business on the verge of existence.
With all that said, how can technical leaders engage C-level executives to invest in Information Technology, specifically cybersecurity improvements? Sure, the first that comes to mind is explaining cyber attacks’ potential risks and consequences using concrete examples from cybersecurity breaches. Still, most of the time, these conversations are hitting a solid language barrier. As a result, you will hear replays of something like my example at the beginning of the article about “somebody breaks our doorlock.” Good luck to those who will try to explain the advantages of antivirus A versus antivirus B, why this business should prefer one VOIP company over another, or why a working but outdated firewall urgently needs to be replaced or upgraded.
So, where is the solution? The solution is simple – we need to start talking in the same language, and the name of this language is ROI!
Yes, return on investment (ROI) tells you how much money a business will make after investing in a cybersecurity tool. Let’s look into the details of this language. I will use as an example a typical healthcare organization situation.
The organization purchased a computer for a claim coordinator, which contains protected health information for 50 patients. According to HIPAA Reasonable Cause Penalty range is $1,000 – $50,000 per violation, with an annual maximum of $100,000 for repeat violations. We will assume that this is the first violation. However, we managed to soften the heart of the HIPAA investigator, and our penalty will be minimal. So far, the value of our asset is 50x $1,000 = $50,000. For the purpose of this publication, I will omit the cost of the computer, but keep in mind that if an organization suffered from ransomware, IT staff would need to reimage the computer or, in case of the covert channel, baselined.
In case of a severe ransomware attack, covert channel, or misconfigured Data Loss Prevention organization will face a minimum of $50,000 in penalties.
Now, you are doing your homework and weighing all the Pros and Cons of selecting top-notch endpoint detection and response (EDR) that costs around $40 per month or $480 per year.
Assuming the asset value is $50,000, and the annual occurrence rate of a cyber attack is once in five years, the cost of a single attack would be:
$50,000 / 5 = $10,000 per year
Over five years, the cost of a single attack would be:
$10,000 x 5 = $50,000
If the endpoint security solution costs $40 per month or $480 per year, the total cost over five years would be:
$480 x 5 = $2,400 (Remember that I gave a five-year period between the potential incidents, but in reality, it can happen much more often. Unfortunately, even though well-protected by local government, cities like Oakland or even public high schools are being victimized by hacker groups with significant data losses, not to mention small and mid-size healthcare organizations are always a good target for criminals due to the value of patient data they possess)
Therefore, the potential cost savings from using the endpoint security solution over five years would be:
$50,000 – $2,400 = $47,600
To calculate the ROI, we can use the following formula:
ROI = (Gain from Investment – Cost of Investment) / Cost of Investment x 100%
Using the numbers from our example:
ROI = ($47,600 – $2,400) / $2,400 x 100% = 1875%
This means that for every dollar spent on the endpoint security solution, the potential return is $18.75 over the course of five years.
Entrepreneur, business owner, or C-level executive who can say NO to this kind of saving does not exist.
Overall, engaging C-level executives in cybersecurity improvements requires a combination of effective communication, strategic thinking, and relationship-building skills. In addition, taking a proactive and collaborative approach can help build a cybersecurity awareness culture and protect your organization from cyber threats.
You can see comments and reactions to this article on LinkedIn.