Measuring Cybersecurity ROI Part 1: The Value of Mitigating Risk

Measuring Cybersecurity ROI Part 1: The Value of Mitigating Risk

CISOs and their teams face a daunting task fending off cybersecurity threats, which at present number in the hundreds of millions. But security leads also have to deal with a challenge that can be equally frustrating – articulating the value of their operations to leadership.

 

The root of the issue is the difficulty in making the case for security as a competitive strategic advantage. Leadership often sees cybersecurity in negative terms – as a “necessary evil” or sunk cost. In this view, it adds nothing to the bottom line, and a lack of senior-level buy-in can marginalize the security operation. (Computer Weekly)

 

Many CISOs don’t have a “seat at the table” and often report difficulty securing the necessary budget to safeguard the company. As one CISO puts it, “traditionally, boards have prioritised sales, HR and customer services above IT security because they do not consider security as having any strategic value or they do not see cyber risk on the same level as other forms of business risk.”

 

In this environment, it becomes especially difficult to cultivate a security culture, which is essential to mitigating the human element in the risk equation. Twenty-seven percent of respondents in a recent study said “a lack of senior executive buy-in or understanding” is one of the primary factors inhibiting a strong culture of cybersecurity. (Security Magazine)

 

That culture may sound like it’s hard to quantify – after all, you can’t really count culture – but culture drives patterns of behavior which can be shown, via red team exercises, to substantially drive up the cost of penetration, making the organization a far less attractive target for cybercriminals. (Security Magazine)

 

Another major problem with the general undervaluation of cybersecurity is it impedes development of a productive, proactive security strategy. Nearly two-thirds of UK IT decision makers say their security program is “continuously reactive due to constantly changing legislation, threats, and other external factors.” (HelpNet Security) This means the cybersecurity program is dictated, post facto, by the landscape instead of the organization’s business objectives.

 

Thinking about ROI

 

Admittedly, it’s easier to talk about ROI for “positive” initiatives – ones that drive clear, identifiable revenue – than “negative” ones, where only the expenditures are obvious and quantification appears to hinge on understanding things that didn’t happen.

 

Still, it’s critical that CISOs and their C-Suite colleagues be able to discuss security initiatives in a shared language. This means the security team needs to find ways of expressing their value in business terms.

 

As it turns out, fully articulating cybersecurity ROI involves a comprehensive look at both the positive and negative.

 

First, the obvious: cybersecurity absolutely is a cost of doing business. (CS Hub) A huge piece of cybersecurity’s value rests with its ability to prevent breaches, and that risk can’t be overstated. A recent Cisco study predicted cybersecurity will drive and safeguard “an estimated $5.3 trillion in private sector digital Value at Stake in the next 10 years,” and the average cost of a data breach is roughly $4 million. It’s not hyperbole to say many businesses are a hack away from existential catastrophe. (Business2Community, CS Hub)

 

So, how to state the ROI for prevented breaches?

 

As RTSP Magazine explains, “ROI should be based on how much loss the organization could avoid due to the investment.” Their analysis relies on the SANS Institute’s Return on Security Investment (ROSI) framework. (ITSP Magazine)

 

Quantitative Risk Assessment Formula Image

 

Where:

 

  • Annualized Loss Expectancy (ALE) = estimated loss from a single security incident x annualized rate of occurrence
  • Mitigation Ratio (approximate) = predicted number of mitigated risks (determined by organization)
  • Cost of Solution = all costs associated with solution purchase, implementation and maintenance

 

The first two-thirds of that equation can be fuzzy, but tools – such as the FAIR framework – exist to inform the quantification of risk. (WeForum)

 

In part 2 we address cost savings and the value of cybersecurity in the M&A process.

 

Sources

 

Doug Drew
Doug Drew represents more than 20 years of cybersecurity business, technical and leadership experience in roles ranging from incident response, PCI practice lead, security program consulting and staff augmentation CISO.