Measuring Cybersecurity ROI Part 1: The Value of Mitigating Risk

December 04, 2019

CISOs and their teams face a daunting task fending off cybersecurity threats, which at present number in the hundreds of millions. But security leads also have to deal with a challenge that can be equally frustrating – articulating the value of their operations to leadership.

The root of the issue is the difficulty in making the case for security as a competitive strategic advantage. Leadership often sees cybersecurity in negative terms – as a “necessary evil” or sunk cost. In this view, it adds nothing to the bottom line, and a lack of senior-level buy-in can marginalize the security operation. (Computer Weekly)

Many CISOs don’t have a “seat at the table” and often report difficulty securing the necessary budget to safeguard the company. As one CISO puts it, “traditionally, boards have prioritised sales, HR and customer services above IT security because they do not consider security as having any strategic value or they do not see cyber risk on the same level as other forms of business risk.”

In this environment, it becomes especially difficult to cultivate a security culture, which is essential to mitigating the human element in the risk equation. Twenty-seven percent of respondents in a recent study said “a lack of senior executive buy-in or understanding” is one of the primary factors inhibiting a strong culture of cybersecurity. (Security Magazine)

That culture may sound like it’s hard to quantify – after all, you can’t really count culture – but culture drives patterns of behavior which can be shown, via red team exercises, to substantially drive up the cost of penetration, making the organization a far less attractive target for cybercriminals. (Security Magazine)

Another major problem with the general undervaluation of cybersecurity is it impedes development of a productive, proactive security strategy. Nearly two-thirds of UK IT decision makers say their security program is “continuously reactive due to constantly changing legislation, threats, and other external factors.” (HelpNet Security) This means the cybersecurity program is dictated, post facto, by the landscape instead of the organization’s business objectives.

Thinking about ROI

Admittedly, it’s easier to talk about ROI for “positive” initiatives – ones that drive clear, identifiable revenue – than “negative” ones, where only the expenditures are obvious and quantification appears to hinge on understanding things that didn’t happen.

Still, it’s critical that CISOs and their C-Suite colleagues be able to discuss security initiatives in a shared language. This means the security team needs to find ways of expressing their value in business terms.

As it turns out, fully articulating cybersecurity ROI involves a comprehensive look at both the positive and negative.

First, the obvious: cybersecurity absolutely is a cost of doing business. (CS Hub) A huge piece of cybersecurity’s value rests with its ability to prevent breaches, and that risk can’t be overstated. A recent Cisco study predicted cybersecurity will drive and safeguard “an estimated $5.3 trillion in private sector digital Value at Stake in the next 10 years,” and the average cost of a data breach is roughly $4 million. It’s not hyperbole to say many businesses are a hack away from existential catastrophe. (Business2Community, CS Hub)

So, how to state the ROI for prevented breaches?

As ITSP Magazine explains, “ROI should be based on how much loss the organization could avoid due to the investment.” Their analysis relies on the SANS Institute’s Return on Security Investment (ROSI) framework. (ITSP Magazine)

[Figure: Quantitative Risk Assessment (ROSI) formula – image not reproduced]

Where:

  • Annualized Loss Expectancy (ALE) = estimated loss from a single security incident x annualized rate of occurrence
  • Mitigation Ratio (approximate) = predicted number of mitigated risks (determined by organization)
  • Cost of Solution = all costs associated with solution purchase, implementation and maintenance

The first two-thirds of that equation can be fuzzy, but tools – such as the FAIR framework – exist to inform the quantification of risk. (WeForum)
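To make the three terms concrete, here is an added worked example (not part of the original post) that computes ROSI the way the SANS framework defines it: ROSI = (ALE × mitigation ratio − cost of solution) / cost of solution. The dollar figures are constructed for illustration; only the $4 million per-breach figure comes from the post. The code treats the mitigation ratio as the fraction of ALE a control is expected to remove, which is the SANS convention, and it also derives the break-even ratio (cost ÷ ALE), which shows why the "fuzzy" estimate of mitigation matters so much to the result.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class RiskScenario:
    """One threat scenario expressed in the terms the post lists."""
    name: str
    single_loss_expectancy: float    # estimated loss from one incident, in dollars
    annual_rate_of_occurrence: float  # expected incidents per year (ARO)

    def ale(self) -> float:
        """Annualized Loss Expectancy = single loss x annualized rate of occurrence."""
        return self.single_loss_expectancy * self.annual_rate_of_occurrence


@dataclass(frozen=True)
class Control:
    """A candidate security investment."""
    name: str
    mitigation_ratio: float  # fraction of ALE the control removes, 0.0 .. 1.0 (estimate)
    annual_cost: float       # purchase + implementation + maintenance, annualized


def rosi(ale: float, mitigation_ratio: float, cost_of_solution: float) -> float:
    """SANS Return on Security Investment.

    ROSI = (ALE * mitigation ratio - cost of solution) / cost of solution
    A result of 1.0 means the control avoids twice its own cost in expected loss;
    a negative result means it costs more than the loss it is expected to avoid.
    """
    if cost_of_solution <= 0:
        raise ValueError("cost of solution must be positive")
    if not 0.0 <= mitigation_ratio <= 1.0:
        raise ValueError("mitigation ratio must be between 0 and 1")
    return (ale * mitigation_ratio - cost_of_solution) / cost_of_solution


def break_even_ratio(ale: float, cost_of_solution: float) -> float:
    """Smallest mitigation ratio at which the control pays for itself (ROSI == 0).

    A value above 1.0 means no achievable mitigation can justify the spend
    against this scenario alone.
    """
    if ale <= 0:
        raise ValueError("ALE must be positive")
    return cost_of_solution / ale


def sensitivity(ale: float, cost_of_solution: float,
                ratios: Iterable[float]) -> Dict[float, float]:
    """ROSI across a range of mitigation-ratio estimates, to show how much the
    answer moves when that estimate is uncertain."""
    return {r: rosi(ale, r, cost_of_solution) for r in ratios}


def rank_controls(scenario: RiskScenario,
                  controls: Iterable[Control]) -> List[Tuple[str, float]]:
    """Controls ordered by ROSI, best first."""
    ale = scenario.ale()
    ranked = [(c.name, rosi(ale, c.mitigation_ratio, c.annual_cost)) for c in controls]
    return sorted(ranked, key=lambda pair: pair[1], reverse=True)


if __name__ == "__main__":
    # Constructed scenario: a $4M breach (figure from the post) expected once in
    # 20 years gives an ALE of $200,000. The ARO is an assumption, not from the post.
    breach = RiskScenario("data breach", 4_000_000, 0.05)
    candidates = [
        Control("awareness program", mitigation_ratio=0.5, annual_cost=50_000),
        Control("managed detection", mitigation_ratio=0.6, annual_cost=150_000),
    ]
    print(f"ALE: ${breach.ale():,.0f}")
    for name, value in rank_controls(breach, candidates):
        print(f"{name:20s} ROSI = {value:+.2f}")
    print("break-even ratio for awareness program:",
          break_even_ratio(breach.ale(), 50_000))
    for r, v in sensitivity(breach.ale(), 50_000, (0.2, 0.3, 0.5, 0.8)).items():
        print(f"  mitigation {r:.0%} -> ROSI {v:+.2f}")
```

With these constructed inputs the awareness program returns a ROSI of 1.0 (it avoids $100,000 of expected loss for $50,000) while the more expensive control comes out negative, and the sensitivity sweep shows the awareness program only breaks even once the estimated mitigation reaches 25 percent, which is exactly the kind of assumption a CISO should expose when presenting the figure to leadership.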

In part 2 we address cost savings and the value of cybersecurity in the M&A process.


By: Doug Drew
