CISO Makes a Quick Pitch to Restore Security Project Budget Based on Cost Benefit Analysis

February 2, 2023  Zach Kramer

Budget Discussion - CISOWe recently helped a CISO quickly turn around a cost benefit analysis using cyber risk quantification to make the case to save an important security project from death by budget cut.  Here’s the story: 

The CISO knew he had a serious problem with unstructured data on a critical network share – his team didn’t know exactly what data was there or how to protect it. 

Zach-Kramer-Risk-Consultant-RiskLensZach Kramer is a Professional Services Manager for RiskLens, the leader in quantitative analysis for cyber and operational risk. 

He had secured budget for a data retention project (including improved monitoring and logging to identify anomalous user activity) and a data protection project (for DLP and other controls). 

Then, just as the CISO was heading out the door for end-of-year holidays, word came down: the data protection project had fallen out of budget. 

Together our RiskLens team and the CISO were able to make a compelling case to save the project, with only on a few phone calls and emails going back and forth – but grounded in RiskLens data science and the capabilities of our quantitative risk analytics platform. 

Applying FAIR Quantitative Cyber Risk (CRQ) Analysis

In consultation with the CISO, we scoped out two simple risk scenarios for FAIR quantitative analysis, a breach of critical PII by 1) insider misuse and 2) by external actor via ransomware. 

To fill out our analysis, we used these tools in the RiskLens platform

  • Content packs: Risk scenarios ready made for plug and play
  • Loss tables: cost of cyber loss events specific to the CISO’s organization (for instance, labor costs for incident response), previously recorded by structured data gathering enabled by the platform.
  • RiskLens Catalog: the data catalog delivers ready-to-use data and content that  significantly reduces the time and resource investments spent quantifying the risks most common to your organization.

We only needed a few more data points from the CISO to complete the analysis: an estimate on probable record count loss for each scenario and some initial cost details for the proposed risk treatments.

CRQ Analysis with the RiskLens Platform 

We were then able to run a risk treatment analysis through the RiskLens platform with the  results below, comparing the current state of risk to the probable reductions in risk. Under analysis, the data protection project on the chopping block promised to deliver the most risk reduction. Bottom line: the CISO was ready to present to his security committee a strong, defensible case to preserve budget based on return on investment.

click for larger image

RiskLens Platform - Cost Benefit Analysis-1

Explore our solutions: Depending on your needs, RiskLens offers an enterprise-level risk quantification SaaS platform or risk quantification as a managed service, as well as the My Cyber Risk Benchmark tool to compare your cyber risk levels against industry peers.