One of the fastest ways a CISO can earn a promotion is by proving their Security team can generate Revenue by protecting customers and strengthening their trust. Every organization’s security posture is at the heart of the customer experiences it delivers. Protecting customer identities and data can mean the difference between doing business next year and no more.

Forrester Research’s Security and Risk Forum 2022 session provided practical, pragmatic advice and insight to security and risk professionals. It challenged them to take control of cybersecurity initiatives, which is a core competency of their company.

Two presentations provided insight into how Cisos can deliver more value and advance their careers. One was “Cybersecurity Boosts Revenue: How to Win Every Budget Battle” by Jeff Pollard, VP and Principal Analyst at Forrester. The other was “Communicating Value: A CISO’s Business Acumen Primer” by Chris Gilchrist, also a principal analyst at Forrester.

CISOs must increase their growing influence

How reliable and proven a company’s security posture is impacts its revenue and deal pipeline. How close is an enterprise to achieving its zero-trust initiatives, including Multi-Factor Authentication (MFA), Identity Access Management (IAM), and Privileged Access Management (PAM)? The answer will determine whether it qualifies for cyber insurance and what the premiums will be.

And a company must show business buyers that it has cyber insurance before it qualifies for larger sales opportunities and deals, and before buyers sign a purchase contract and issue their first purchase orders. “If something generates as much revenue as cybersecurity, that is a core competency. And you can’t argue that it isn’t,” Pollard said during his presentation on how cybersecurity generates revenue.

>>Don’t miss our new special issue: Zero trust: the new security paradigm.

CISOs must increase their growing influence and prove that they and their teams can be counted on to drive revenue. A great way to do that is to focus their teams on how cybersecurity investments protect and build customer confidence. “This means that security is now a driver of business strategy rather than buried as an operational line item that only needs to be managed and measured as a cost. In other words, security now has the leeway to defend and drive growth,” said Gilchrist.

“I see more and more CISOs joining boards. I think this is a great opportunity for everyone here [at Fal.Con] to understand the impact they can have on a business. From a career perspective, it’s great to be a part of that boardroom and help them on the journey — to keep the company resilient and secure,” George Kurtz, co-founder and CEO of CrowdStrike, said during his keynote at his company’s annual event. He continued: “Adding security should be a business driver. It has to be something that contributes to the resilience of your business, and it has to be something that helps protect the productivity gains of digital transformation.”

Since cybersecurity is a cost of doing business, CISOs’ roles are now strategic and may evolve into board-level functions. CISOs who excel at leading their teams to realize revenue gains are key to helping boards understand how technology mitigates enterprise-wide risk. “While CISOs must continue to work on translating technology and technical risk into business risk, and be better able to tell that risk story to their board, we need the board across the aisle to understand the real implications. of cyber risk to ultimate shareholder value and business goals Lucia Milica, Global Resident CISO at Evidence.

Proofpoint’s recent report, Cybersecurity: the 2022 Plate Perspective, found that 73% of boards have at least one member with cybersecurity experience. In addition, most board members (77%) believe cybersecurity is a top priority for their board itself. So, “the role of the CISO is evolving from a technical specialist to the business leader who can understand where business value comes from and communicate to the board how to protect it,” said Betsy Wille, director of The Cybersecurity Studio and former CISO at Abbott. .

How CISOs can generate revenue

A few critical areas that CISOs and their teams should focus on to generate revenue include: identifying how cybersecurity practices affect deal flows; reducing barriers to entry into new markets by complying with regulatory requirements; and reducing infringement costs. Jeff Pollard’s presentation suggested a four-step approach to identifying the revenue impact of security spending.

1. Identify security audit requirements.
2. Quantify overall current contract value and lifetime customer value.
3. Link expense allocations for all controls that meet those requirements.
4. Then add up each of these items individually as reasons for the security spend allocation.

A major benefit of following this framework is that it quantifies the value of reducing customer risk. In addition, CISOs attending board meetings with quantified risk assessments speak the language of the board members. That is a great career strategy to earn visibility and promotion.

The goal of the Forrester methodology is to determine how much a specific security investment costs per customer and how much revenue that specific customer segment generates. Essentially, the methodology looks at return on security investment and also quantifies what is at stake if the customer base is unprotected.

Knowing how much customers rely on an organization to protect their identity through privileged identity management (PIM), and how much revenue customers contribute, helps determine what percentage of the security budget should be spent on PIM. “We issue Z; they are responsible for Y income. You can also table the revenue at stake if you lose that control…if you don’t have the budget to renew that control, to renew licenses…to support it,” Pollard explained during his presentation.

For example, suppose 330 customers require enterprise-grade PIM to protect their identities, at an annual cost of $250,000. The cost per customer is $757.58. The analysis then takes the total annual revenue of the customers requiring PIM and divides it by the cost of implementing a PIM system, resulting in the cost per revenue of security coverage for the customer base. Thus, Forrester’s analysis also delivers value to CISOs by helping them quantify the risk to revenue if customers are not adequately protected.

CISOs can use this analysis to protect their budgets by questioning whether it’s worth putting millions of dollars of revenue at risk by not spending the $250,000 to protect it. Extending this across all line items in a budget gives a CISO significant bargaining power in negotiations with a CFO and board. It also provides a consolidated financial view of the cost of risk as budgets are reduced.

Also for CISOs interested in advancing their careers, risk quantification is what boards are focusing on today.

CISOs must be bold about delivering value

CISOs face a number of challenges, including consolidating their tech stacks, getting more done with fewer people thanks to a chronic shortage of security staff, and continued pressure to cut spending. Therefore, they need a methodology to defend their budgets. As security budgets go, so do the careers of entire departments.

Showing how security generates revenue and knowing how to quantify risk is a valuable skill for CISOs and their teams to develop. Boards of directors think and talk in these terms. So CISOs who develop them as skills early on will boost their careers and may eventually earn a promotion and a role on the board of directors.