Four Steps to Defining Cybersecurity ROI
Ever faced these chilling words from your boss or the board when proposing a cybersecurity investment: “What’s the ROI?”
When trying to justify a new security tool or service, additional headcount, process change, or bigger budget, the topic of Return On Investment (ROI) will come up. It always does.
The problem is that most cybersecurity investments do none of the things the finance team is looking for. Does it make you money? Probably not. Does it cost you money? Well, yeah. Does it save you money? Now this is where you can really shine with your proposal.
In cybersecurity, we are typically thinking about lowering risk to the organization. We want to reduce the chances of something bad happening, or at least limit the impact if something bad does happen. This is why we have things like anti-malware software, IDS/IPS, and firewalls, and why we pay people to deploy and manage them. Implementing the appropriate cybersecurity requirements reduces risk, and it can also be a differentiator when you are able to demonstrate to customers how securely you do business with them.
To justify this cybersecurity investment, we need to be able to quantify that risk mitigation and value add to the business. Here’s how:
Step 1: What are you trying to protect?
It’s critical to understand and communicate what you are trying to protect. Classify your information assets according to the Confidentiality, Integrity, and Availability (CIA) model. Are you attempting to protect Personally Identifiable Information (PII)? Safeguarding intellectual property or research data? Financial records? All of the above?
One of the best ways to start is to create an asset repository. Classify your data, equipment, and other digital assets based on financial, operational, cybersecurity, regulatory, and legal impact – and get executive-level agreement on your work. Once you understand what you are trying to protect, you can attach a value to it – and a cost exposure for each way it can fail: the asset is no longer confidential, its integrity can no longer be trusted, or it is no longer available. This is your Business Impact Analysis (BIA), an exercise that clearly quantifies the potential impact of disruptive events, and it supplies the loss figures that the rest of the ROI case is built on.
Step 2: What will it cost to protect it?
The next step is to estimate the costs and benefits of your program. Costs will include the direct and indirect expenses of your solutions: things like hardware and software expenditure, licensing, managed service arrangements, implementation costs, staffing, training, operational costs and so on. Be sure to clearly articulate the one-time and recurring costs to get an accurate short- and long-term view and the total value of the investment required.
Step 3: Gather your metrics.
Metrics will assist in measuring key risk, compliance, and performance indicators and the overall posture of your cyber program. Develop metrics that can help to quantify the impact of cybersecurity investments, such as the number of security incidents, the mean time to detect and respond (MTTD and MTTR respectively), system response time, or the number of phishing emails clicked. Some industries have benchmarks to follow; measure these metrics in your environment, and use the benchmarks as targets. You can even use metrics like level of compliance and audit readiness, depending on the maturity of your cyber program. Above all, make sure the metrics are understandable. For example, instead of simply saying that you are 98% patched, explain that you are 98% patched on 3,000 devices. This provides clarity, context, and scope for your audience, and makes it easier to measure performance and overall ROI.
Step 4: Shake Well and Serve
Once you have these elements in place, you can start to build out ROI based on the metrics, risks mitigated, and potential competitive advantage identified. How will your program reduce the number of security incidents, or the number of phishing emails clicked? Set realistic targets over time. With your BIA and your cost breakdowns documented, you can develop ratios of impacts, benefits, and costs that illustrate your case, give you a roadmap for continuous improvement in a quantifiable way, and (ideally!) provide proof down the road that your projects were successful. You can also use these measurements to gain an advantage over the competition, drawing on them to differentiate the security of your organization, your products, and your services.
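As an added worked example (not from the original article), the Python below ties the four steps together using the standard annualised-loss arithmetic that the article leaves implicit: annual loss expectancy = single loss expectancy × expected incidents per year, and return on security investment (ROSI) = (risk reduction − cost) / cost. The BIA rows, the incident-rate targets, and the investment figures are constructed for illustration, and the asset and product names are placeholders, not real data.

```python
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Exposure:
    """One row of the Business Impact Analysis (Step 1).

    The incident rates come from the Step 3 metrics: the current rate is
    observed from incident history, the target rate is the realistic goal
    the proposed control is expected to reach (Step 4).
    """
    asset: str
    single_loss_expectancy: float     # cost of one incident against this asset
    incidents_per_year_now: float     # observed annual rate of occurrence
    incidents_per_year_target: float  # expected annual rate with the control

    def annual_loss_now(self) -> float:
        # Annual loss expectancy today: single loss x expected incidents/year
        return self.single_loss_expectancy * self.incidents_per_year_now

    def annual_loss_target(self) -> float:
        return self.single_loss_expectancy * self.incidents_per_year_target

    def annual_risk_reduction(self) -> float:
        return self.annual_loss_now() - self.annual_loss_target()


@dataclass(frozen=True)
class Investment:
    """The Step 2 cost breakdown: one-time versus recurring costs over the
    horizon the business case is evaluated on."""
    name: str
    one_time_cost: float
    recurring_cost_per_year: float
    horizon_years: int

    def total_cost(self) -> float:
        return self.one_time_cost + self.recurring_cost_per_year * self.horizon_years


def annual_benefit(exposures: Iterable[Exposure]) -> float:
    """Risk reduction per year, summed across every asset the control protects."""
    return sum(e.annual_risk_reduction() for e in exposures)


def total_benefit(exposures: Iterable[Exposure], investment: Investment) -> float:
    return annual_benefit(exposures) * investment.horizon_years


def rosi(exposures: Iterable[Exposure], investment: Investment) -> float:
    """Return on security investment: (risk reduction - cost) / cost."""
    exposures = list(exposures)
    cost = investment.total_cost()
    return (total_benefit(exposures, investment) - cost) / cost


def payback_years(exposures: Iterable[Exposure], investment: Investment) -> Optional[float]:
    """Years until cumulative risk reduction covers cumulative cost.

    Returns None when the recurring cost alone eats the whole annual benefit,
    i.e. the investment never pays back regardless of horizon.
    """
    net_per_year = annual_benefit(exposures) - investment.recurring_cost_per_year
    if net_per_year <= 0:
        return None
    return investment.one_time_cost / net_per_year


def break_even_fraction(exposures: Iterable[Exposure], investment: Investment) -> float:
    """Share of the planned risk reduction that must actually materialise for
    the investment to break even. A value above 1.0 means the case fails even
    if every target is met; use it to show how much slack the targets have."""
    exposures = list(exposures)
    return investment.total_cost() / total_benefit(exposures, investment)


# Constructed sample data (hypothetical assets, rates and costs).
EXPOSURES = [
    Exposure("customer PII database", 250_000.0, 0.4, 0.1),
    Exposure("finance workstations (phishing-led fraud)", 60_000.0, 1.5, 0.5),
]
INVESTMENT = Investment("endpoint detection + managed response", 80_000.0, 90_000.0, 3)


def main() -> None:
    print(f"Total cost over {INVESTMENT.horizon_years} years: {INVESTMENT.total_cost():,.0f}")
    print(f"Risk reduction over horizon:  {total_benefit(EXPOSURES, INVESTMENT):,.0f}")
    print(f"ROSI: {rosi(EXPOSURES, INVESTMENT):.1%}")
    print(f"Payback: {payback_years(EXPOSURES, INVESTMENT):.1f} years")
    print(f"Must achieve {break_even_fraction(EXPOSURES, INVESTMENT):.0%} of planned reduction to break even")


if __name__ == "__main__":
    main()
```

The break-even fraction is the number to have ready for the board: it turns "we expect incidents to fall from 0.4 to 0.1 per year" into "the case still holds if we only get 86% of the way there", which is the kind of sensitivity question that follows the ROI question.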
Where to get help?
- Depending on the size of your organization, you may be able to leverage your in-house audit or compliance teams. These groups are aligned with your broader goal of managing or mitigating risk; they may be able to support and assist your development of a compelling business case.
- Are there user groups, customer advisory boards, or even industry associations dealing with the same challenges you are facing? Speak to them to see how they have secured funding for their cybersecurity projects. This approach offers dual benefits: first, you may gain knowledge on how others were able to justify the investment and construct an ROI case; secondly, you may be able to build your network to share information on other initiatives.
- Leverage your networks. This can be your internal network of colleagues, or external contacts with whom you have a strong relationship. Seek out a mentor in senior management or on the leadership team: learn their language, ask them to review your business case and provide feedback to you.
- Talk to the vendors of the tools, services and processes that you are looking to purchase and implement. Ask them if they have resources or ROI calculators that you could use. These resources should consider people, process and technology as applicable. Most will have customer success stories that you can map to your own use cases and organizational requirements. Treat vendor figures as a starting point only: substitute your own BIA values and cost breakdown before presenting the case, since the vendor's numbers were not built for your environment.
Moving forward
Cybersecurity should be seen as a business enabler, and can introduce efficiencies when implemented and supported appropriately. Using this approach and these resources should increase your chances of success in demonstrating ROI and building a compelling business case for your cybersecurity projects. It is only natural for business leadership to prefer investments with clearly articulated ROI over expenses, so they will more easily embrace a new cybersecurity expenditure when it is positioned as an investment that can result in a competitive advantage.
If you have questions or your own examples of ROI metrics, please share them!