international regulatory compliance requirements, such as GDPR (General Data Protection Regulation). This means that organisations are obliged to buy security products and services, even if they have a high ‘risk appetite’. Generally, risk appetite is the level of risk that an organisation is prepared to accept in pursuit of its objectives, and before action is deemed necessary to reduce the risk. It represents a balance between the potential benefits of innovation and the threats that change can be expected to bring. In this regard ROI is helped by the fact that failure to comply can result in penalties: so a €50,000 expenditure in secure IT is obviously preferable to a €60,000 fine when enterprise security is found wanting. Executive personnel can add something to the cyber ROI debate by keeping their organisations’ risk appetite defined and up-to-date. “Top management and the board should have serious conversations that focus not only on acceptable losses, but also on what investors and regulators might consider a reasonable level of cyber defence, detection and response,” according to Norman Marks, author of Risk Management in Plain English: A Guide for Executives. “Any definition of ‘risk appetite’ should probably be based on the likelihood of a serious [cyber] breach, rather than on the amount of loss.”

Toward new models of return measurement

From the technologists’ perspective, organisational risk appetites have tended to be suppressed. The IT function wants to demonstrate that it can select, install and manage security infrastructure that detects and stops threats. It also implements security policies that ensure your workforce abides by acceptable usage rules. An executive perspective on deciding security exposure may, moreover, take into account priorities that differ from those of the IT function. For instance, it may decide that it’s not absolutely necessary to maintain 100% protection of all data assets. This means security resources can be concentrated on safeguarding the most valuable data assets that hackers try to get at.

Emergent models for cyber security ROI also need to broaden to take into account the indirect cost savings that tech advances can introduce; but these will likely only serve as secondary considerations, says Barracuda Networks’ Klaus Gheri. “There can be direct cost savings through investing into a new security tool which, for instance, requires less human attention to operate. That’s the easy part,” Gheri explains. “More frequently, however, that’s not the case, and ROI is calculated by assuming average incident cost of a certain type – which the security investment now prevents from happening – times the probability of being hit by such an incident within a period of time – a calendar year, say. The resulting cost savings can then be compared with the associated total cost of the security investment.” If Gheri is correct, probability-based estimations of cyber attack risk will inform the greater part of collective thinking around this key issue in many organisations.

ACCREDITATION Words | James Hayes Photography | Shutterstock
