A One-Two Punch for Security ROI – Source: www.securityweek.com

Traditionally, as an industry, we rely heavily on metrics like the cost of a data breach as a tool to discuss return on investment (ROI). Third-party data provides a level of credibility when engaging in discussions about the need for specific capabilities to prevent specific types of attacks and avoid losses. But when decision makers start to dig a little deeper invariably questions arise, and pushback happens, like “what are the odds of that happening to us?” or “we aren’t that big”. It can be a stretch for decision makers to internalize the data and believe that it is relevant to them and their organization. Cost avoidance is not tangible for several reasons.

Challenges with cost avoidance

An in-depth study by CISA on the “Cost of a Cyber Incident: Systematic Review and Cross-Validation” discussed some of the challenges with gathering credible data on the cost of an incident. These include:

• Relying on historical data. Only a fraction of successful attacks is publicly disclosed. Convenience sampling is not statistically representative. There is no way to know how many incidents went unreported and how they varied in type, size, scope, and impact from the sample used.
• Extrapolating future potential losses. Adversaries adapt to changes in the cybersecurity environment and also shift their focus from one industry to another, which makes it extremely difficult to use historical data for future insights.
• Variations in methodology. Estimates vary widely from one cost analysis to another based on the size of the target organization, their industry and region, as well as the regulatory environment and penalties. Additionally, “softer” factors such as reputational damage may be included in total costs, but how those factors are measured often isn’t clear.
• Likelihood of the incident. Making the case for investment based solely on cost avoidance is amorphous because that data breach or specific type of incident may not happen to that organization, much less in a way that directly maps to how the cost was calculated.

Despite these challenges, cost avoidance is a powerful way to kick-off the ROI discussion. However, to quickly move beyond objections, shifting to a more tangible approach to calculate ROI can help.

Getting to tangibility

As security automation has gained traction and the cybersecurity skills shortage persists, now’s the time to lean into an ROI discussion based on how to do more with less. Use cases provide a tangible way to quantify what an organization can achieve with a specific solution because they can be:

• Aligned with the organization’s priorities. There are several common use cases, including spear phishing, threat hunting, incident response, and vulnerability management. Starting with one or two use cases that are important to the organization helps focus the discussion on the high priority areas decision makers see value in addressing quickly.
• Customizable to the organization. Each use case can be broken down into the activities required to address that use case and the cost of the resources involved. For example, the number of full-time equivalent personnel, the fully loaded hourly rate and the hours involved in completing the required activities prior to investing in a new solution provides the baseline. Then, calculating the resources needed with the addition of the new solution provides the financial return on that investment – including both efficiency and effectiveness gains. Transparency into that calculation and flexibility to adapt it to a specific organization and environment provides meaningful, highly relevant data.  
• Measurable. ROI can be difficult to track on an ongoing basis. The transparency of a use case-based approach helps facilitate this. Consistent metrics might include the time to detect and respond, time to resolution, or percentage of high-priority vulnerabilities patched or mitigated. Additionally, tracking and reporting on the impact on security teams is also important. Valuable metrics to consider include a reduction in the need to staff up, or time saved that has allowed analysts to pivot to more strategic initiatives or be more proactive in other areas.

It’s easy to talk about ROI in terms of avoiding the cost of a data breach. Regardless of methodology, the numbers are staggering. But cost avoidance cannot stand alone. When used in combination with tangibility the two approaches can serve as a one-two punch to deliver a more compelling case for additional cybersecurity investments. It’s good for the industry, good for organizations, and good for security teams.