Quantifying CISO Value
The average cost of a data breach for US companies in 2019 is over $8M, compared to about $4M globally, according to IBM's Cost of a Data Breach report. More disturbingly, as noted on page 30 of the report, human error accounts for nearly a quarter of all data breaches. Considering that 69% of cyber professionals say that their teams are understaffed, this is not surprising. Lack of skills, lack of bandwidth, and increasingly aggressive cyber actors continue to drive up the value of competent security teams. In this article, I'll try to put an actual number, in US dollars, on the value of the right cybersecurity leadership in an organization.
We can approximate the dollar value of a CISO by determining the factors relevant to data breaches under their control, along with the average cost associated with each factor. IBM's Cost of a Data Breach report identified 26 quantifiable factors that can mitigate or increase the cost of a breach, which are highlighted in the graphic below.
While a typical CISO will have responsibility over a majority of these factors, some are inherently outside of their direct decision-making purview, given their scope.
Some factors, like "CPO Appointed" and "Consultants engaged", typically require navigating budgetary and headcount restrictions that may not be 100% under a CISO's control, but deciding how to prioritize these factors, and effectively communicating those priorities up and down the chain of command, is the CISO's responsibility. Factors such as "DevSecOps approach" and "Extensive cloud migration" are too broad to fall solely under a CISO, and are often factors related to decisions made by the CIO/CTO. Similarly, factors such as "Extensive use of mobile platforms" and "System complexity", are often the result of the decisions made prior to hiring a CISO, or inherent to the nature of a business (i.e. if a company is in mobile gaming, there is no escaping the fact that extensive mobile platforms will be in use).
Cost mitigators outside of a CISO's purview can include: DevSecOps approach (-$280,000), Board Level Involvement (-$180,000), and CISO Appointed (-$180,000). This means that a CISO can mitigate $2,790,000 of the $3,430,000 in costs associated with a data breach (about 81%).
Cost amplifiers outside of a CISO's purview can include: Extensive Use of IoT Devices (+$160,000), Extensive use of mobile platforms (+$240,000), OT Infrastructure (+$260,000), System Complexity (+$290,000), and Extensive Cloud Migration (+$300,000). This means that a CISO has control over only $1,160,000 in potential amplifications to cost, out of a potential $2,410,000 (about 48%).
The right CISO is much more valuable to an organization before a data breach, as they lay the groundwork for preventing and dealing with breaches in the most cost effective manner possible. Organizations and companies should invest in their security leadership sooner rather than later, as the right CISO will have a multi-million dollar impact on their company's bottom line.
How do you quantify the value of a CISO? Are the cost mitigators and amplifiers I've identified as the CISO's responsibility consistent with your organization? Let me know what you think!
Digital Marketing Director at the American Physical Therapy Association (5 years ago): Great stuff!