As the markets bleed red and you're eyeing your bottom line, how much security spend is right for your enterprise?
Security is a function of finance. If that seems strange to you, consider: If you want to secure a $10 million diamond, would you spend $10 million to do so?
Of course not. That doesn't make any sense. The right security spend is a function of the value of what you're protecting. There should always be an asymmetry between your security spend and what you're securing: the spend should be a fraction of the value at risk, and a fraction of the expected loss it prevents.
That leads us to Security ROI.
A CISO's job is strategic risk management. That means targeting limited resources (time, money) to reduce as much risk as possible. So the question then becomes: How much risk am I taking off the table per spend?
What's my Security ROI?
This question sometimes surprises people. Security is not a Platonic ideal, it is not a quest for perfection, it is not a moral crusade. When you are running a business, carrying risk is a part of doing business--economic risk, regulatory risk, legal risk, financial risk, cyber risk. Trying to eliminate risk is foolish, because then you lose sight of your business objectives.
The security function--the executive security function, embodied in the CISO--is about advising the CEO and board about the cyber risks they carry, and about managing that risk to a level acceptable to the CEO and the board. It's really as simple as that.
However, for this to work it's critical that the CEO and board understand that risk means just that--risk. A CEO who demands that I "build a wall to keep the hackers out" or "make sure nothing bad ever happens" is not a CEO I'd want to work for, because those are unrealistic demands no ethical or competent security professional would ever promise.
So educating executives about the nature of cyber risk becomes a critical skill for a CISO to master. Let's be honest, cybersecurity is an abstract and counterintuitive field, and a CEO can hardly be master of every domain. After all, it's not their job to be. That's why they hire executive specialists like a General Counsel, a CFO, and a CISO to manage legal, financial, and cyber risk respectively.
So how much security spend is the right amount of security spend for your business--especially in a bear market where every budget line item matters?
Well, what are you securing? How much is it worth? How likely is a loss, and how much would it cost you when it happens? What asymmetric spend options are there (options that cost a fraction of the loss they prevent), and how much of that risk does each one take off the table per dollar spent?
What's your Security ROI?
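The questions above, worked through as an added example that is not part of the original post: a small Python model that puts money figures on "how much risk am I taking off the table per spend". It assumes the common annualized-loss framing (expected annual loss = asset value x fraction lost in an event x probability of an event per year) and defines Security ROI as (expected loss removed - cost) / cost, so a positive number means the control removes more expected loss than it costs. The diamond, the spend options and every number in it are constructed for illustration, not figures from the post.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Asset:
    """What you are securing, with a constructed estimate of how it gets lost."""
    name: str
    value: float             # replacement value of the asset, in dollars
    loss_probability: float  # estimated probability of a loss event per year, 0..1
    loss_fraction: float     # fraction of the value lost when the event happens, 0..1

    def expected_annual_loss(self) -> float:
        # The risk currently on the table, expressed in dollars per year.
        return self.value * self.loss_fraction * self.loss_probability


@dataclass(frozen=True)
class Control:
    """A spend option: what it costs per year and what it does to the risk."""
    name: str
    annual_cost: float
    probability_reduction: float = 0.0  # fraction of loss_probability it removes
    impact_reduction: float = 0.0       # fraction of loss_fraction it removes

    def apply(self, asset: Asset) -> Asset:
        # Return the asset's risk profile with this control in place.
        return replace(
            asset,
            loss_probability=asset.loss_probability * (1 - self.probability_reduction),
            loss_fraction=asset.loss_fraction * (1 - self.impact_reduction),
        )


def risk_removed(asset: Asset, control: Control) -> float:
    """Expected annual loss the control takes off the table, in dollars."""
    return asset.expected_annual_loss() - control.apply(asset).expected_annual_loss()


def security_roi(asset: Asset, control: Control) -> float:
    """Risk removed per dollar of spend, net of the spend itself.

    Positive: the control removes more expected loss than it costs.
    Negative: you are paying more than the risk you are buying down
    (spending $10M to guard a $10M diamond always lands here).
    """
    return (risk_removed(asset, control) - control.annual_cost) / control.annual_cost


def rank_by_roi(asset: Asset, controls: list) -> list:
    """Controls ordered from best to worst standalone Security ROI."""
    return sorted(controls, key=lambda c: security_roi(asset, c), reverse=True)


def plan_within_budget(asset: Asset, controls: list, budget: float):
    """Greedy plan: repeatedly buy the affordable control with the best marginal
    ROI against the risk that is still left, and stop when nothing affordable
    pays for itself. Returns (chosen names, dollars spent, residual expected loss)."""
    remaining = list(controls)
    chosen, spent, current = [], 0.0, asset
    while True:
        affordable = [c for c in remaining if spent + c.annual_cost <= budget]
        if not affordable:
            break
        best = max(affordable, key=lambda c: security_roi(current, c))
        if security_roi(current, best) <= 0:  # nothing left that beats doing nothing
            break
        chosen.append(best.name)
        spent += best.annual_cost
        current = best.apply(current)  # later controls act on the reduced risk
        remaining.remove(best)
    return chosen, spent, current.expected_annual_loss()


# Constructed figures: a $10M diamond with an estimated 5% chance per year of
# being stolen outright (total loss), and five hypothetical spend options.
DIAMOND = Asset("$10M diamond", value=10_000_000, loss_probability=0.05, loss_fraction=1.0)

OPTIONS = [
    Control("Armed guards 24x7", annual_cost=600_000, probability_reduction=0.95),
    Control("Vault and alarm", annual_cost=40_000, probability_reduction=0.80),
    Control("Insurance (90% cover)", annual_cost=75_000, impact_reduction=0.90),
    Control("Tracking tag", annual_cost=5_000, probability_reduction=0.20),
    Control("Spend the diamond's value", annual_cost=10_000_000, probability_reduction=1.0),
]

if __name__ == "__main__":
    print(f"Risk on the table: ${DIAMOND.expected_annual_loss():,.0f}/yr")
    for c in rank_by_roi(DIAMOND, OPTIONS):
        print(f"{c.name:26s} cost ${c.annual_cost:>10,.0f}"
              f"  removes ${risk_removed(DIAMOND, c):>9,.0f}/yr"
              f"  ROI {security_roi(DIAMOND, c):+.2f}")
    chosen, spent, residual = plan_within_budget(DIAMOND, OPTIONS, budget=100_000)
    print(f"With $100,000: buy {chosen}, spend ${spent:,.0f}, residual risk ${residual:,.0f}/yr")
```

Two things the numbers make visible that the prose only asserts: the option that removes the most risk (guards) has a negative ROI because it costs more than the loss it prevents, and "spend the value of the asset" removes every dollar of expected loss yet is the worst option on the list. The budget planner also shows why controls must be evaluated against the risk that remains after earlier purchases rather than on their standalone figures.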