Return on investment: It's the only number many executives care about when weighing the impact of their business decisions. While this may work for many decisions, when it comes to cybersecurity investments emphasizing ROI is a surefire way to get enterprise-grade security wrong.
It's easy to be tricked into thinking otherwise. Many security vendors offer ROI estimates on their products. They seek to assuage budget-conscious businesses that must somehow find a way to thrive despite unprecedented threats, including sophisticated malware bots that exploit zero-day vulnerabilities. One look at the staggering Equifax breach—145.5 million accounts compromised by way of 30 backdoor exploits in a customer service portal of the credit scorer's website—should be enough to give any data security professional chills.
But these incidents highlight exactly why ROI on security products is not the end goal. When security protocols are breached, the results could cost a lot of money or even destroy the company altogether. Enterprise security investments are all about preventing loss, not money-making, and there are many factors that should go into maintaining a strong security posture as an organization. These range from business operations to customer interaction.
With an understanding of the importance of these factors comes a realization that measuring the ROI on any security product is nearly impossible. Here are three ways to ensure that your company's security investments are maximized.
1. It's not about safeguards—it's about the culture
Most enterprise-grade security products on the market can handle threats. But even the most powerful tools available don't mean much if the company that buys them doesn't maintain a robust culture of security.
It's easy to identify an email from a "Nigerian prince" as a scam. But social engineering has grown by leaps and bounds since the early days of the Internet. Now it's much more likely that the email address of your co-worker down the hall is being spoofed to get employees to click on links that look completely legitimate.
Having a culture that understands how threats are manifesting can prevent breaches from occurring in the first place.
2. Educate your business on cyber-risk fallout
Effective training needs to go well beyond a few sessions with the IT department or an outside vendor in which the latest trends in security and how to mitigate risk are discussed. One of the most powerful ways to instill a strong security culture is through war-gaming—playing out the threats that could likely occur and determining the roles of all employees in detecting, communicating, mitigating, and cleaning up after an incident.
A new business is getting hacked every day, and yet only 3% of companies with digital business practices have conducted a war game. By building out these scenarios, businesses not only gain insight into a breach's impact and losses, but become better prepared for a real incident. This effectively increases the ROI without changing any parameter of the purchase.
3. Look at annual loss expectancy
But what about the executive who simply must have facts and figures? Unfortunately, there isn't great data on mitigating the security of an attack so businesses can measure against it. This reporting is not systematic and instead is rather ad-hoc, treated differently by different industries.
But there is one place to turn: annual loss expectancy. This figure results from multiplying the annual rate of incident occurrence with the annual loss expected. Most businesses can gain an understanding of what a one-time loss would cost them—whether it's from a downed server or a period of no revenue. Then, somewhat harder, they must gauge the likelihood that an event will occur in the next year.
Businesses can get a baseline measurement to quantify their cyber losses, but they must remember that hacks can have widespread effects beyond the initial breach. Customers could lose confidence in the brand and never return. The media could latch onto the story and cast the company's response in a negative light, leading to downward stock prices.
Annual loss expectancy cannot overcome all of these factors, especially in the world of cybersecurity, where there is hardly enough public data to help a business gauge its potential for loss, but it's a good starting place for estimating risk.
An educated guessing game
Trying to tie security purchases to ROI is a red herring. Even more important than the security investments they make is the culture of risk mitigation they create—which comes at little cost. But for those still adamant on finding a way to quantify risk, understanding the cost and likelihood of a breach will prove more powerful than pinning a security budget to ROI.
Keep learning
Learn from your SecOps peers with TechBeacon's State of SecOps 2021 Guide. Plus: Download the CyberRes 2021 State of Security Operations.
Get a handle on SecOps tooling with TechBeacon's Guide, which includes the GigaOm Radar for SIEM.
The future is security as code. Find out how DevSecOps gets you there with TechBeacon's Guide. Plus: See the SANS DevSecOps survey report for key insights for practitioners.
Get up to speed on cyber resilience with TechBeacon's Guide. Plus: Take the Cyber Resilience Assessment.
Put it all into action with TechBeacon's Guide to a Modern Security Operations Center.
