Communicating Cyber ROI as a CISO to the Board
When you need to communicate the value of your cybersecurity solutions to the board, you should focus on showing solution effectiveness against threats.
The board is dealing with many cost pressures on a daily basis, and they need to know just how effective your proposed solution is: they want to see the ROI. While traditional ROI is a direct return on investment, cyber ROI is more about the costs and risk you avoid.
Showing cost mitigation to the board
Without quantifying risk to your organisation, there is no way to communicate cyber ROI effectively to the board. Board members want tangible numbers to evaluate whether your proposal is worth it or not.
By quantifying the full cost of the solution and comparing two scenarios, one where the solution is implemented (with the mitigation it gives you) and one where it is not yet implemented, you can clearly show what the solution costs as a percentage of turnover and how much loss it avoids.
Why show cyber ROI?
When you can show some tangible numbers, you can speed the budget approval to get your solutions implemented quicker.
ROI lets the board understand cybersecurity the way they need to: the financial impact of threats and solutions, without the technical detail.
By showing ROI, you also demonstrate and prove your worth as an important job function. Just as marketing ROI means more customers and leads, cyber ROI means the IT department is mitigating risk.
5 tips for communicating cyber ROI as a CISO to the board:
1. Have your numbers straight
Just as marketing departments use storytelling, so will you: run multiple scenarios with different cyber risks so you can show the board the outcome of each scenario and how you arrived at it.
Here you must be crystal clear about how you arrived at the figures for each scenario, e.g. what was included in the cost (days offline, turnover, fines, and similar).
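As an added example (not from the article and not Boardish's own code), here is one way to put the with-and-without-solution comparison into numbers: each scenario is costed from days offline, lost turnover and fines, and the solution's annual cost is set against the loss it avoids, giving the ROI and the cost as a percentage of turnover. The annual likelihoods, mitigation fractions and all money values are constructed assumptions, not figures from the page.

```python
from dataclasses import dataclass


@dataclass
class Scenario:
    """One cyber-risk scenario, costed from days offline, lost turnover and fines."""
    name: str
    annual_likelihood: float  # assumed probability the scenario occurs in a given year
    days_offline: float       # days of lost trading if it happens
    fines: float              # regulatory fines and similar one-off costs


@dataclass
class Solution:
    name: str
    annual_cost: float
    mitigation: dict          # scenario name -> fraction of that scenario's loss it prevents (0..1)


def scenario_loss(s: Scenario, daily_turnover: float) -> float:
    """Loss if the scenario happens once: turnover lost while offline plus fines."""
    return s.days_offline * daily_turnover + s.fines


def compare(scenarios, solution, annual_turnover):
    """Expected annual loss without and with the solution, and the resulting ROI figures."""
    daily = annual_turnover / 365
    without = sum(s.annual_likelihood * scenario_loss(s, daily) for s in scenarios)
    with_sol = sum(s.annual_likelihood * scenario_loss(s, daily)
                   * (1 - solution.mitigation.get(s.name, 0.0)) for s in scenarios)
    avoided = without - with_sol
    return {
        "exposure_without": round(without),
        "exposure_with": round(with_sol),
        "avoided_loss": round(avoided),
        # ROI: loss avoided net of what the solution costs, relative to its cost
        "roi_pct": round((avoided - solution.annual_cost) / solution.annual_cost * 100, 1),
        "cost_pct_of_turnover": round(solution.annual_cost / annual_turnover * 100, 2),
    }


# Constructed sample figures (100,000 per day of turnover; not data from the article)
ANNUAL_TURNOVER = 36_500_000
SCENARIOS = [
    Scenario("ransomware", annual_likelihood=0.2, days_offline=5, fines=50_000),
    Scenario("data_breach", annual_likelihood=0.1, days_offline=1, fines=400_000),
]
SOLUTION = Solution("endpoint_protection", annual_cost=60_000,
                    mitigation={"ransomware": 0.7, "data_breach": 0.3})

if __name__ == "__main__":
    for key, value in compare(SCENARIOS, SOLUTION, ANNUAL_TURNOVER).items():
        print(f"{key}: {value}")
```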
2. Visuals make more of an impact
Numbers, while important, are a bit bland, so use visuals to your advantage when presenting your scenarios and findings. A few well-placed graphs, especially if interactive where you can add different solutions and see their impact in real-time, will drive your point across much better.
3. Talk in finances (money) and figures
Things like high risk and high priority don’t mean much to the board because they can’t be sure what they mean. While you know the impact of the term “high risk,” the board doesn’t, so stick to financial figures and the tangible impact on the bottom line instead of levels of risk.
4. Work with other departments
Other departments are dealing with cyber risks too, so make sure to collaborate with them and include their “risks” into your figures as well. When they know you are watching their back, they will be more likely to support you and be on your side during the meeting.
5. Use tools to your advantage
With tools like Boardish, you can enter real figures that apply to your exact organisation for each type of risk, and show the board exactly what they could have to deal with in case of a cyber threat. You can also include various solutions and show how much risk they mitigate and how effective they are.
Remember, the board will be more inclined to approve your budget when they know exactly how your solutions will affect the organisation, so always communicate cyber ROI in tangible figures. The right tools, like Boardish, can help you do this.