BLACK HAT ASIA 2022 – When it comes to demonstrating the value of cybersecurity to a business, one of the biggest challenges is communicating ROI to the C-suite. The entrenched perception of security as an obstacle to productivity and other business priorities makes it very difficult for security engineers and nontechnical management to be on the same page.
During a keynote at Black Hat Asia this week, George Do, CISO at Gojek and GoTo Financial and former cyber-pro at NASA, tackled the problem of how to get security viewed as a valued part of the business by every department, not just the CISO's office. It starts, he said, with quantifying security's contribution effectively.
“All your investments into security, all of your hiring, all your projects, all of the blood, sweat, and tears that security staff puts into the trenches – does any of it matter? Is it meaningful?” he asked during the presentation, entitled, “Moving the Security Needle From the Security Trenches to the Boardroom.” “You have to be able to answer that” and show why.
Security teams often have an uphill battle internally because of a lack of communication between departments. Take, for instance, the common misconception among average workers that security is there to make everyone’s lives harder. Do referred to it as “ivory tower security,” where the security apparatus appears to everyone else to be removed and prone to delivering a litany of “no’s.”
“Many of our organizations view the security