Cybersecurity teams struggle to justify their “Return on Investment”, because the only visible evidence of their work appears during or after a malware attack or significant data breach that has been thwarted.
Estimating cybersecurity ROI is like testing parachutes or new safety harnesses: it cannot be justified unless the damage has actually been done.
Until recently, justifying the ROI of security investment was never such a significant issue. News headlines pretty much did the job by regularly reporting all the latest breaches, ransomware attacks, or software vulnerabilities.
This helped to justify the add-on security layers to reduce the risk of their business becoming a future headline. But, now, as the world enters the new era of remote working, things have changed.
The security-first mindset is still necessary and well-perceived by board members, but budgets are constantly being scrutinized and continuously tightened. This had always been an issue even before the lockdown, but now with the need to upgrade workplaces with enhanced physical protection, things are getting even more challenging for CISOs.
The CTO and CISO make security project decisions collaboratively, meeting regularly to discuss how to balance risk and assign a justifiable budget. This is changing; security still remains essential, but the business now wants to assess and apply risk across different organizational levels.
The partnership between the CIO and CISO is also critical to ensure the right level of cybersecurity is applied to the business. Still, for the CISO, this means considering things differently. Business leaders want to understand not only how security can keep them safe, but also how it makes their enterprise more productive.
Security needs to become an outcome-driven, measurable, SLA-based consideration, and not just something that is proven to prevent breaches. To achieve this, more than basic security information needs to undergo a detailed assessment.
Data from devices, the network, and all external sources is required to regularly refine the security deliverables into something that demonstrates business value and, therefore, justifies the ROI.
Fortunately, there are areas where one can focus on achieving a clearer view of security ROI. Although there is never a perfect solution to this challenge, it is simpler to create a business conversation to support future investments when they are considered as a combination of risk plus consequence.
But developing an ROI model is not easy, as it takes a lot of time. It is crucial to focus on a simple security project that will assure a high ROI to the business when proven successful.
Awareness is vital in any organization, as this is where data theft, ransomware, and other attacks start. Business Email Compromise (BEC) is on a constant rise and, according to some reports, may have accounted for almost 50% of 2019 cybercrime losses in the US alone.
Presenting only deliverables or technical metrics can make it hard for the security team to communicate their business value precisely, resulting in stalled projects or even project cancellation altogether.
But, ultimately, it all boils down to the business risk appetite and establishing a meaningful figure that demonstrates maturity and supports future investments.
ROI of cybersecurity investments can be defined by:
- Agreeing on clearly pre-defined, risk-based KPIs for security.
- Understanding how the business wishes to address risk at all organizational levels – delivering a clear message is crucial to balance risk against the speed of innovation versus the customer experience.
- Risk is ultimately the responsibility of the business, not just the security team. Ensure that there are security KPIs for all business leaders, not just the CISO or CIO.
These pointers are in no way exhaustive but can prove to be a strong starting point.
While establishing and comprehending ROI for security may seem challenging at first, the route to success starts with small and clearly stated project goals. Expecting 100% accuracy could prove unrealistic, but it can be approached over time as more data improves the model, which in turn provides the ability to strongly demonstrate security ROI to the business.