This slide is what I do all day long.
How can I mitigate the most security risk for the least resource spend?
Now there is a major obvious problem with this equation. Cybersecurity readers are already giving me side eye.
How do we measure risk?
We can put a concrete number on the denominator here: we know (or can know) how much money we are spending on security. But how do we know whether that spend is doing any good?
Maximizing Security ROI is a CISO's strategic goal. But how can my employer measure success when measuring cybersecurity risk remains an unsolved problem in computer and actuarial science?
Also, how can a CEO and Board of Directors set a risk threshold for a CISO? How can the Board say "we want to reduce risk to this watermark but we do not authorize spend below that, we accept any further risk"--a reasonable thing for the Board to want to do--when again, the measurement problem continues to get in the way?
These are the central unsolved problems for the CISO, but since we still have to act in the real world and spend money in the most efficient and sensible way we can find, we find other ways to make concrete decisions, and then validate those decisions.
The most practical proxy for defensive security risk and ROI is the attacker's own criminal ROI. Attackers use the cheapest attack tools that get the job done, so money a defender spends to make their lives more expensive is money well spent.
Where can I find asymmetric spend, a modest defensive cost that forces an attacker to spend a lot more money to attack my employer? By doing so I either 1) push opportunistic attackers to go attack someone else or 2) buy myself time to detect and respond.
An example of such an asymmetric spend is YubiKey FIDO 2FA. Phishing is the cheapest and easiest weapon most attackers reach for first. A FIDO credential is bound to the origin the browser is actually on, so a login phished on a look-alike domain produces nothing the real site will accept; that stops nearly all credential phishing, including adversary-in-the-middle proxy kits, and forces attackers toward costlier paths such as stealing session tokens or planting malware on the endpoint. The caveat is that the protection only holds if weaker fallback factors such as SMS or TOTP are disabled for the same accounts.
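To make the origin-binding argument concrete, here is an added example (it is not part of the original talk or any vendor's code) that models the relying-party checks a site performs on a WebAuthn assertion and runs three constructed scenarios: a genuine login, a login relayed through a phishing proxy on a look-alike domain, and the same assertion with its origin and rpIdHash rewritten by the proxy. The domains are hypothetical, and HMAC-SHA256 over a per-credential secret stands in for the authenticator's real private-key signature so the code runs on the Python standard library alone; the verification logic is what the example demonstrates.

```python
import hashlib
import hmac
import json
import os

# Constructed relying-party identity (hypothetical domain).
RP_ID = "login.example.com"
RP_ORIGIN = "https://login.example.com"


def rp_id_hash(rp_id):
    """rpIdHash: the first 32 bytes of authenticatorData."""
    return hashlib.sha256(rp_id.encode()).digest()


def browser_get_assertion(cred_key, page_origin, challenge):
    """Model of browser + authenticator. The browser writes the page's own
    origin into clientDataJSON and derives rpId from it; script on the
    page cannot claim a different origin."""
    rp_id = page_origin.split("://", 1)[1]
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge.hex(), "origin": page_origin},
        sort_keys=True,
    ).encode()
    # authenticatorData = rpIdHash (32) || flags (1) || signCount (4)
    auth_data = rp_id_hash(rp_id) + b"\x01" + (1).to_bytes(4, "big")
    to_sign = auth_data + hashlib.sha256(client_data).digest()
    # Assumption: HMAC stands in for the authenticator's private-key signature.
    sig = hmac.new(cred_key, to_sign, hashlib.sha256).digest()
    return {"client_data": client_data, "auth_data": auth_data, "sig": sig}


def rp_verify(cred_key, assertion, expected_challenge):
    """Relying-party checks on an assertion; returns (accepted, reason)."""
    client = json.loads(assertion["client_data"])
    if client.get("type") != "webauthn.get":
        return False, "wrong type"
    if client.get("challenge") != expected_challenge.hex():
        return False, "challenge mismatch"
    if client.get("origin") != RP_ORIGIN:
        return False, "origin mismatch: " + str(client.get("origin"))
    if assertion["auth_data"][:32] != rp_id_hash(RP_ID):
        return False, "rpIdHash mismatch"
    to_sign = assertion["auth_data"] + hashlib.sha256(assertion["client_data"]).digest()
    expected = hmac.new(cred_key, to_sign, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, assertion["sig"]):
        return False, "bad signature"
    return True, "ok"


def run_scenarios():
    cred_key = os.urandom(32)   # per-credential key registered with the RP
    challenge = os.urandom(32)  # fresh challenge the RP issued for this login
    results = {}

    # 1. Genuine login on the real origin.
    legit = browser_get_assertion(cred_key, RP_ORIGIN, challenge)
    results["legit"] = rp_verify(cred_key, legit, challenge)

    # 2. Adversary-in-the-middle phishing: the proxy at a look-alike domain
    #    relays the RP's real challenge, so the challenge matches, but the
    #    victim's browser stamps the phishing origin into the assertion.
    phished = browser_get_assertion(cred_key, "https://login.example-support.com", challenge)
    results["phished"] = rp_verify(cred_key, phished, challenge)

    # 3. The proxy rewrites origin and rpIdHash to look genuine; the
    #    signature covers both, so the forgery is detected.
    forged_client = json.loads(phished["client_data"])
    forged_client["origin"] = RP_ORIGIN
    forged = {
        "client_data": json.dumps(forged_client, sort_keys=True).encode(),
        "auth_data": rp_id_hash(RP_ID) + phished["auth_data"][32:],
        "sig": phished["sig"],
    }
    results["forged"] = rp_verify(cred_key, forged, challenge)
    return results


if __name__ == "__main__":
    for name, (ok, why) in run_scenarios().items():
        print(f"{name:8s} accepted={ok} ({why})")
```

The phishing proxy never gets a usable assertion: the browser, not the page, fills in the origin, and the signature covers both the origin (via the clientDataJSON hash) and the rpIdHash, so rewriting either breaks it. Contrast this with a password plus TOTP, where the same proxy simply relays whatever the victim types.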
There are other ways to measure security risk and security spend--like benchmarking against industry norms or standards such as ISO 27001 or the NIST Cybersecurity Framework--but the hard work of a CISO is not slavishly following a standard that may or may not be relevant to your organization. It is thinking critically about the real risks your employer faces and crafting a strategy specifically to manage those risks as inexpensively as possible.
Security ROI remains unmeasurable for the same reason that we cannot measure security risk. But that does not change the nature of the job, or the strategic need for a CISO to focus always on Security ROI. Finding creative ways to solve this problem is the true test of a CISO’s performance.