Measuring ROI of Cyber Security Investments
Tue 5 Jan 2021 | Shomiron DasGupta

Calculating cyber security ROI helps CISOs determine the value of an offering for their unique security environment. Here are four ways security leaders can evaluate which solution is the right fit for their company.
Investing in cyber security has become, without doubt, one of the most crucial decisions for a business, however small or big. The damaging effects of a data breach can be extremely alarming: according to estimates by Cybersecurity Ventures, the cost of cyber crime damages is expected to reach $6 trillion annually by 2021. Devising an effective cyber security strategy is a critical way for CISOs to address business risk and promote the health and longevity of the business.
Yet it is hard to quantify the returns of cyber security, because it is a preventive measure: it neither affects revenue directly nor provides an immediate payback. So how does one calculate the ROI of cyber security investments?
Traditionally, ROI is calculated based on returns on cost:
This equation, however, only works for investments that yield a positive result such as cost savings or additional revenue. Cyber security being a pre-emptive investment, its ROI should instead be based on how much loss the organisation avoids because of the investment.
There are both quantitative and qualitative ways to arrive at that figure; a balanced mix of both is recommended. Let's look at them in four steps.
Step 1: Calculating the Return on Security Investments (ROSI)
In the model presented by the SANS Institute, calculating ROSI entails estimating the expected losses prevented and the rate of risk mitigation, and setting them against what the control costs. Here's the equation:
The calculation involves the following components:
- Annualised Loss Expectancy (ALE): The estimated amount of money lost in a single security incident (the single loss expectancy, SLE) multiplied by the estimated number of times that threat will strike within a year (the annualised rate of occurrence, ARO).
- Mitigation Ratio: This is an even rougher estimate than ALE. It is the share of the current risk the solution is predicted to remove, derived from a scoring method established within the organisation. For example, if your company is considering a solution that is expected to reduce the current data security risk by 85%, then the mitigation ratio is 0.85.
- Cost of Solution: This is largely self-explanatory, and it is the only input to the equation that is a known figure rather than an estimate. It must include all costs associated with the solution: purchase, implementation, and ongoing maintenance and operation, not the licence price alone.
High overall cost can easily negate the value of security investments, making it important to evaluate ROSI before making a purchase.
Although the inputs to a ROSI calculation are usually approximate, applying the model consistently and repeatably lets an organisation compare the relative value of different security investments over time. The ratios matter more than the absolute numbers: the same estimating method, applied to every candidate, makes the comparison fair even when each individual estimate is uncertain.
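A worked calculation of the model above, added here as an illustration; it is not code from the article or from SANS. It implements the standard SANS formulation, ALE = SLE × ARO and ROSI = (ALE × mitigation ratio − cost) / cost. The threat figures and the three candidate solutions are constructed for the example, and the range function is an assumption of this illustration: it simply re-runs the formula at the low and high ends of a chosen uncertainty in the mitigation ratio, to show how sensitive the ranking is to that rough estimate.

```python
"""Return on Security Investment (ROSI), worked through for three candidate
controls against one threat scenario. Added illustration; all figures are
constructed, not taken from any real organisation."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """One threat scenario as estimated by the organisation."""
    name: str
    sle: float  # single loss expectancy: cost of one incident, in currency units
    aro: float  # annualised rate of occurrence: expected incidents per year

    @property
    def ale(self) -> float:
        """Annualised loss expectancy = SLE x ARO."""
        return self.sle * self.aro


@dataclass(frozen=True)
class Solution:
    """A candidate control and the organisation's estimate of its effect."""
    name: str
    annual_cost: float        # purchase + implementation + maintenance, per year
    mitigation_ratio: float   # share of the risk's ALE it is expected to remove, 0..1


def rosi(risk: Risk, sol: Solution) -> float:
    """SANS ROSI: (loss avoided - cost) / cost. Negative means the control costs
    more per year than the loss it is expected to prevent."""
    if not 0.0 <= sol.mitigation_ratio <= 1.0:
        raise ValueError("mitigation ratio must be between 0 and 1")
    if sol.annual_cost <= 0:
        raise ValueError("solution cost must be positive")
    loss_avoided = risk.ale * sol.mitigation_ratio
    return (loss_avoided - sol.annual_cost) / sol.annual_cost


def break_even_cost(risk: Risk, mitigation_ratio: float) -> float:
    """Highest annual cost at which ROSI is still >= 0, i.e. the loss avoided itself.
    Useful as a ceiling when negotiating the price of a control."""
    return risk.ale * mitigation_ratio


def rosi_range(risk: Risk, sol: Solution, ratio_uncertainty: float) -> tuple:
    """(Assumed helper.) Re-run ROSI with the mitigation ratio moved down and up by
    `ratio_uncertainty`, clamped to [0, 1], to expose how fragile the estimate is."""
    low = max(0.0, sol.mitigation_ratio - ratio_uncertainty)
    high = min(1.0, sol.mitigation_ratio + ratio_uncertainty)
    pessimistic = Solution(sol.name, sol.annual_cost, low)
    optimistic = Solution(sol.name, sol.annual_cost, high)
    return rosi(risk, pessimistic), rosi(risk, optimistic)


def rank_by_rosi(risk: Risk, candidates: list) -> list:
    """Candidates ordered from best to worst ROSI against the given risk."""
    return sorted(candidates, key=lambda s: rosi(risk, s), reverse=True)


# Constructed scenario: one ransomware incident every two years costing 400k.
RANSOMWARE = Risk(name="ransomware outbreak", sle=400_000.0, aro=0.5)  # ALE = 200k

# Constructed candidates; the mitigation ratios are the vendor claims as scored internally.
CHEAP_EDR = Solution("EDR, basic tier", annual_cost=40_000.0, mitigation_ratio=0.85)
PREMIUM_EDR = Solution("EDR + managed response", annual_cost=150_000.0, mitigation_ratio=0.95)
FULL_SUITE = Solution("full platform suite", annual_cost=250_000.0, mitigation_ratio=0.99)
CANDIDATES = [CHEAP_EDR, PREMIUM_EDR, FULL_SUITE]


if __name__ == "__main__":
    print(f"{RANSOMWARE.name}: ALE = {RANSOMWARE.ale:,.0f}")
    for sol in rank_by_rosi(RANSOMWARE, CANDIDATES):
        lo, hi = rosi_range(RANSOMWARE, sol, ratio_uncertainty=0.15)
        print(f"  {sol.name:<26} ROSI = {rosi(RANSOMWARE, sol):6.2f}  "
              f"(range {lo:5.2f} .. {hi:5.2f})  "
              f"break-even cost = {break_even_cost(RANSOMWARE, sol.mitigation_ratio):,.0f}")
```

Run as a script it prints the three candidates in ROSI order. The point it makes is the one in the paragraph above: the most capable control has the highest mitigation ratio and yet a negative ROSI, because its cost exceeds the loss it prevents, and the pessimistic end of the range shows whether a ranking survives a modest error in the mitigation estimate.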
Step 2: Comparison with Industry Peers
Comparing security budgets with other organisations in the industry is a useful sanity check on the level of investment, with one caveat: matching peers' spend shows you are in line with the industry, not that the money is well spent. Industry-specific research also helps with identifying the kind of security risks each vertical is facing, discovering best practices for dealing with specific issues, and setting baselines. The best way to get an unbiased analysis is to reach out to an analyst firm for a detailed overview of your vertical.
Step 3: Assessing the Compliance Status
Compliance status is a useful metric for evaluating security investments in terms of how far they move the organisation towards the standards it has to meet. It can include the findings of regular internal audits that check the alignment of processes with the security frameworks the standard mandates, analysis of the grades received in recent regulatory audits, and identification of the areas that still need improvement. If cyber security investments are not improving compliance status, companies should investigate why. The reverse caution also applies: a control that closes an audit finding without reducing the underlying risk improves the metric, not the security.
Step 4: Evaluating Readiness to Address Incidents
Conducting security simulations in which separate teams are assigned to attack (red team) and defend (blue team) a specific infrastructure is a good way of staying current with real attack techniques and of identifying weak links in the security pipeline.
It also tests the effectiveness of the security program, checks the level of security awareness in the organisation, and measures the performance of each member of the IT team. Through regular simulations, organisations can track performance metrics such as the time taken to detect an attack and the time taken to respond to it, and identify individuals who performed well and those who need additional training.
Tracked across repeated exercises, those detection and response times are a practical measure of how cyber security investments are actually affecting the organisation.
Embracing Security Tools with Proven ROI
It is unrealistic to expect a single cyber security solution to solve all of an organisation's security challenges. Hence it is advisable to adopt a layered approach that defends the entire attack surface.
Recent advances in artificial intelligence (AI) offer powerful cyber security solutions and are addressing some of security professionals' biggest challenges: the sheer volume and sophistication of attacks, the long dwell time of many breaches, high false-positive rates, the resources required for incident response, and the skills gap.
Moreover, with AI and automation, today's cyber security solutions offer some of the largest cost-saving opportunities, chiefly by reducing the number of incidents that reach an analyst. The rise of deep learning has already started to move the needle towards pre-emption and the reduction of false positives, allowing security teams to focus on responding to only the most dangerous threats.
Automation streamlines incident management: when an attack is detected, the response workflows are already documented and automated, allowing IT teams to be more productive and efficient.
The Effectiveness of Calculating Cyber security ROI
Organisations feel a growing responsibility for cyber security decisions, with regulatory, reputational and business risk weighing heavily on management's mind. Add to that the constantly changing cyber crime landscape, where new threats appear daily. The CISO's voice is therefore the critical channel for conveying the reality of cyber risk so that management can make informed cyber security decisions.
Calculating cyber security ROI helps CISOs determine the value of an offering for their unique security environment. While many organisations already have quite a few security tools in place, it never hurts to evaluate how effective they actually are, while also assessing whether another solution is needed. Once the technical due diligence is done, determining ROI gives CISOs a method for evaluating a product, prioritising among the available options, and articulating which problems it will solve.