What is the return on investment (ROI) for an enterprise IT security budget? This is a question that CISOs, CIOs, CTOs, and other persons tasked with cybersecurity budgetary responsibility worry about when they present their procurement proposal to their CFOs and CEOs.
Businesses make spending decisions based on expected ROI. If the company spends $1 million on developing a new product, management expects to earn millions of dollars in profit. If the business acquires a new IT system for $10 million, there’s an expectation of at least tens of millions of dollars in efficiency improvements.
But if you are going to spend $5 million on IT security, how do you determine the ROI? How do you calculate which solution is going to give you the highest return for each dollar spent? ROI is in itself a fairly straightforward concept. The key challenge is that IT security investments don’t directly lead to an increase in revenues or offer an obvious financial return. Therefore, a different type of calculation is necessary.
There are quantitative and qualitative techniques for computing IT security budget ROI. Here’s a look at five of these.
1. SANS Institute’s return on security investment (ROSI)
This technique is represented by the formula:
ROSI = ((Annualized Loss Expectancy) multiplied by (Mitigation Ratio) less (Cost of Security Solution)) all divided by Cost of Security Solution
Here’s a look at its constituent parts.
Annualized loss expectancy (ALE)
This refers to the financial losses an organization is likely to experience from one security incident multiplied by the estimated number of times that threat may strike during the said year. You could obtain the average cost of a security incident in a given industry by looking at cybersecurity reports from reputable organizations. A study by Kaspersky Lab, for instance, found that the financial loss for SMBs from one incident averaged $38,000.
The ALE is, to a great extent, an exact figure, whereas the mitigation ratio is more of an estimate. The best way to approach the mitigation ratio is by assessing mitigated risks as per the internal general risk scoring mechanism defined by the organization itself and then determining how much that risk will be reduced by the IT security solution. For example, if the enterprise is buying a solution that’s meant to lower ransomware risk by 80 percent, then the mitigation ratio for this risk is 80 percent.
Cost of IT security solution
The cost of an IT security solution refers to all the expenses that come with its purchase, implementation, and maintenance. It matters because irrespective of how good a solution is, an exorbitantly high cost could negate the value of the investment if it isn’t commensurate with the mitigated risk.
2. BCG Platinion’s change in expected loss
Another approach to calculating IT security ROI is a methodology developed by BCG Platinion, a subsidiary of Boston Consulting Group. It uses the change in expected loss to calculate investment return. The expected loss is calculated by multiplying the probability of compromise by the impact of compromise. The ROI of an IT security solution would be the expected loss before the solution less expected loss after the solution, all divided by the cost of the solution.
Probability of compromise
The probability of compromise is a factor of threats versus vulnerabilities. Calculating it begins with defining the steps of a cyberattack. They are: reconnaissance, initial compromise, establishing foothold/escalating privileges, moving laterally/maintaining presence, gathering data, and completing the mission. Assign a probability to the likelihood of each of these steps being completed successfully during an attack while bearing in mind the controls and systems put in place to mitigate the risk. The probability of compromise is the individual probabilities of each of the six steps occurring.
Impact of compromise
There are five types of impact that could affect virtual and physical assets after a cyberattack. These are disclosure, direct theft, modification, disruption, and destruction. You can assign a value to these different impacts on each asset and determine what impact occurs when one form of attack degrades a given asset in any of these ways. The impact of a compromise is, therefore, the losses in an asset following a compromise.
3. Comparison against industry peers
An organization doesn’t exist in a vacuum. And while the combination of specific threats targeting it may be unique, the individual threats are unlikely to be different from those attacking its peers. So, comparison of security strategy and security budget to industry peers can be a valuable technique of gauging IT security budget ROI.
Industry peers may not necessarily divulge this information to a rival organization. Fortunately, you can find useful industry-specific research and market analysis. Such research and analysis could also highlight the specific threats for your vertical, determine baselines, and detail best practices.
4. Compliance status
If an organization is subject to a new IT security regulation or standard, or if it wants to better its compliance with existing laws, compliance status is a powerful metric for gauging security investment ROI. Compliance status can be evaluated based on routine internal audits, third-party audits, and regulatory audits.
If an investment isn’t bettering the compliance status as documented in audits, then it’s likely not delivering the IT security budget ROI it should.
5. Improvement in incident response readiness
Organizations can check the quality or improvement of their incident response by running a security simulation after deploying the IT security solution. They can keep tabs on metrics such as the amount of time required to detect and respond to an incident. By comparing the results of the current simulation with the ones done before the procurement of the solution, enterprises can quantify ROI.
IT security budget ROI is CFO/CEO language
Organizations, irrespective of how large, have limited financial resources. ROI is a rational means for determining where these limited resources should be allocated for optimal return. Done properly, computing or estimating ROI will provide practical, actionable data on how well an IT security investment is working. It allows the organization to objectively identify new security investments and areas that need larger budgetary allocation.
If you are going to speak to the CFO and CEO about money, speak in a language that they understand and relate to if you want to get what you need. A presentation on the dangers of keyloggers won’t do much if you cannot correlate it to the business’ bottom line. Demonstrating your IT security budget ROI will help you do just that.
Featured image: Pixabay