3 ways to gauge enterprise security success

Return on investment: It's the only number many executives care about when weighing the impact of their business decisions. While this may work for many decisions, when it comes to cybersecurity investments, emphasizing ROI is a surefire way to get enterprise-grade security wrong.

It's easy to be tricked into thinking otherwise. Many security vendors offer ROI estimates on their products. They seek to assuage budget-conscious businesses that must somehow find a way to thrive despite unprecedented threats, including sophisticated malware bots that exploit zero-day vulnerabilities. One look at the staggering Equifax breach—145.5 million accounts compromised by way of 30 backdoor exploits in a customer service portal of the credit scorer's website—should be enough to give any data security professional chills.

But these incidents highlight exactly why ROI on security products is not the end goal. When security protocols are breached, the results could cost a lot of money or even destroy the company altogether. Enterprise security investments are all about preventing loss, not money-making, and there are many factors that should go into maintaining a strong security posture as an organization. These range from business operations to customer interaction.

With an understanding of the importance of these factors comes a realization that measuring the ROI on any security product is nearly impossible. Here are three ways to ensure that your company's security investments are maximized.

1. It's not about safeguards—it's about the culture

Most enterprise-grade security products on the market can handle threats. But even the most powerful tools available don't mean much if the company that buys them doesn't maintain a robust culture of security.

It's easy to identify an email from a "Nigerian prince" as a scam. But social engineering has grown by leaps and bounds since the early days of the Internet. Now it's much more likely that the email address of your co-worker down the hall is being spoofed to get employees to click on links that look completely legitimate.

Having a culture that understands how threats are manifesting can prevent breaches from occurring in the first place.

2. Educate your business on cyber-risk fallout

Effective training needs to go well beyond a few sessions with the IT department or an outside vendor in which the latest trends in security and how to mitigate risk are discussed. One of the most powerful ways to instill a strong security culture is through war-gaming—playing out the threats that could likely occur and determining the roles of all employees in detecting, communicating, mitigating, and cleaning up after an incident.

A new business is getting hacked every day, and yet only 3% of companies with digital business practices have conducted a war game. By building out these scenarios, businesses not only gain insight into a breach's impact and losses, but become better prepared for a real incident. This effectively increases the ROI without changing any parameter of the purchase.

3. Look at annual loss expectancy

But what about the executive who simply must have facts and figures? Unfortunately, there isn't good data on what attacks cost to contain and recover from, so businesses have little to measure against. Such reporting is not systematic; it is ad hoc and handled differently by different industries.

But there is one place to turn: annual loss expectancy. This figure results from multiplying the annual rate of occurrence of an incident by the loss expected from a single occurrence. Most businesses can gain an understanding of what a one-time loss would cost them—whether it's from a downed server or a period of no revenue. Then, somewhat harder, they must gauge the likelihood that an event will occur in the next year.

Businesses can get a baseline measurement to quantify their cyber losses, but they must remember that hacks can have widespread effects beyond the initial breach. Customers could lose confidence in the brand and never return. The media could latch onto the story and cast the company's response in a negative light, driving the stock price down.

Annual loss expectancy cannot overcome all of these factors, especially in the world of cybersecurity, where there is hardly enough public data to help a business gauge its potential for loss, but it's a good starting place for estimating risk.
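The calculation described above, worked through as an added example (not part of the original article): each scenario's ALE is its annual rate of occurrence (ARO) times the cost of a single occurrence (SLE), and a safeguard is judged by how much ALE it removes against what it costs per year. All figures are constructed for illustration.

```python
"""Annual loss expectancy (ALE) for a few constructed incident scenarios."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    single_loss_expectancy: float    # SLE: cost of one occurrence, in currency units
    annual_rate_of_occurrence: float  # ARO: expected occurrences per year

    @property
    def ale(self) -> float:
        # ALE = ARO x SLE, the figure the article recommends over vendor ROI claims
        return self.annual_rate_of_occurrence * self.single_loss_expectancy


# Constructed sample figures; they do not describe any real organization.
SCENARIOS = [
    Scenario("phishing leads to credential compromise", 50_000, 2.0),
    Scenario("production server outage (one business day)", 120_000, 0.5),
    Scenario("customer-data breach with notification costs", 2_000_000, 0.1),
]


def total_ale(scenarios):
    """Sum of ALE across scenarios: the expected yearly loss before any new control."""
    return sum(s.ale for s in scenarios)


def rank_by_ale(scenarios):
    """Scenarios ordered by expected annual loss, highest first, to prioritize spending."""
    return sorted(scenarios, key=lambda s: s.ale, reverse=True)


def control_net_benefit(scenario, aro_after, annual_control_cost):
    """Annual value of a safeguard: ALE reduction minus the safeguard's yearly cost.

    aro_after is the assumed rate of occurrence once the control is in place.
    A positive result means the control removes more expected loss than it costs.
    """
    after = Scenario(scenario.name, scenario.single_loss_expectancy, aro_after)
    return scenario.ale - after.ale - annual_control_cost


if __name__ == "__main__":
    for s in rank_by_ale(SCENARIOS):
        print(f"{s.name}: ALE {s.ale:,.0f}")
    print(f"total ALE: {total_ale(SCENARIOS):,.0f}")
    # Constructed control: awareness training halves phishing ARO at 30,000/year
    print(f"training net benefit: {control_net_benefit(SCENARIOS[0], 1.0, 30_000):,.0f}")
```

The secondary effects the article warns about (lost customers, reputational damage) are not in these figures, which is why the result is a baseline rather than a full loss estimate.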

An educated guessing game

Trying to tie security purchases to ROI is a red herring. Even more important than the security investments a business makes is the culture of risk mitigation it creates—which comes at little cost. But for those still adamant on finding a way to quantify risk, understanding the cost and likelihood of a breach will prove more powerful than pinning a security budget to ROI.

