This article was originally published in Hackernoon on 12.13.23 by Charlie Sander, CEO at ManagedMethods.
Additionally, education has undergone a historic digital transformation, which, unfortunately, comes with an increased vulnerability to cyber incidents. Together, these two factors are making cybersecurity a huge concern for schools.
With the influx of funding grants, as well as scrutiny of cybersecurity investments, the traditional approach of evaluating cybersecurity success through technical controls or risk management is no longer sufficient. The return on investment (ROI) in school cybersecurity should also be gauged by its effectiveness in enabling the institution’s future continuity of service and protection of data.
To achieve this, the technology leader and their team must collaborate with other educational executives, including the Chief Financial Officer (CFO), to establish and agree upon cybersecurity ROI metrics. The focus should transition from isolated technical checklists to a comprehensive understanding of the financial and educational impact that the current cybersecurity posture creates and mitigates.
Let’s dive into the comprehensive strategy that schools need to adopt to measure cybersecurity ROI.
Schools must identify and quantify their risk appetite by defining acceptable thresholds at both the overall and departmental levels. Technology leadership, be it a CISO, CIO, or Technology Director, plays a crucial role here in aligning cybersecurity risks with the school’s educational strategy and enabling teams to weigh the benefits of certain strategies against cyber risks. As Deloitte highlights in their report on assessing cyber risks, articulating a clear risk appetite allows for informed decision-making regarding new educational initiatives, technology adoption, or changes in policies.
For instance, the sudden shift to remote learning during the COVID-19 pandemic underscores the importance of evaluating cyber risks associated with strategic decisions. Questions about acceptable losses in the face of cybersecurity incidents become central to decision-making.