For those of us who work in cybersecurity, the term “Return on Investment” (ROI) has no doubt made for awkward conversations. The solutions we work with have a return, but one that is commonly only evident during a malware attack or after a data breach has been thwarted. (Defending)
Like testing parachutes or evaluating new safety harnesses, performing a live demonstration to show the power of a solution is not comfortable for any security professional.
Until recently, proving the ROI of security investment has not been a significant issue. Headlines pretty much did the job for us. Newspaper articles and online reports of the latest breach, ransomware or software vulnerability made it easier to justify the need for additional layers of security to reduce the risk of our own business becoming a future headline. But this was before we entered the new era of remote work we are in today.
The security-first mindset is still necessary and well-understood by board members, but budgets are constantly being scrutinized and tightened. This was true before the workplace became largely remote, but even more so now that we will soon need to upgrade workplaces with enhanced physical protection for those people who do need to get back into an office.
The CISO and CTO make security project decisions, meet regularly and discuss how to balance risk and assign a budget, with risk usually carrying enough additional weight to gain approval. This is changing; security is still essential, but the business now wants to assess and apply risk at different levels across the company. For example, a public-facing web server holding product datasheets would need less security than a server hosting developer code for upcoming product releases.
The partnership between the CISO and the CIO is critical for ensuring the right level of cybersecurity is applied to the business. Still, for the CISO, this means thinking differently. It is not enough to demonstrate protection statistics or the number of phishing emails that can be blocked. Business leaders want to know not only how security keeps them safe, but also how it makes their business more productive.
The Proof is in the Pudding
Security needs to become a measurable, outcome-driven deliverable and not just something proven following the prevention of a breach. To achieve this, more than just security information needs to be assessed. Data from devices, the network and external sources all are required to refine the security deliverables into something which demonstrates business value and, therefore, prove ROI.
Fortunately, there are areas where we can focus on achieving a more unobstructed view of security ROI. Although there is no one perfect solution to this challenge, it is easier to create a business conversation to support future investments, if considered as a combination of risk plus consequence.
Developing an ROI model takes time – my recommendation would be to focus on a simple security project that will return high value to the business when proven successful. Demonstrating that it is possible to show a return will help the team in developing a model for more complex solutions.
Demonstrating ROI Through Security Awareness
Awareness is vital in any organization, as this is where ransomware, data theft and other attacks start. Business Email Compromise (BEC) is on the rise and, according to some reports, could have been accountable for up to 50% of 2019 cybercrime losses just in the United States.
It is important to note that security software cannot always prevent a BEC; this form of attack is becoming smarter and better targeted, meaning that more will successfully find a way to the user’s inbox. On average, 35% of users will still click on a phishing link, accoding to a 2019 report from the JAMA Network Open.
These statistics speak for themselves – security awareness training should be a component in any security program and could reduce future BEC risk. But how can we make the case for the spend?
• Run a penetration test that uses a business email compromise to target internal users, getting them to click on a link potentially containing malware.
• For every 1,000 users, around 35% will click on the link. That may seem high, but corporate users often feel protected at work and this can make them more susceptible to attack.
Using this data, we see the test successfully phished 350 users. Had this been a real-world campaign, these users could have cost the business up to $75,000 in damages per click. For just a few dollars per user, regular online security awareness training seems well worth the cost.
Training is a straightforward example. Other IT projects where a simple ROI can be developed include adding features to endpoint security, introducing encryption technologies or better securing Wi-Fi authentication.
My advice would be to avoid more complex projects, such as firewall upgrades, until the security ROI process is better understood by everyone. Only presenting technical metrics or deliverables can make it hard for the security team to communicate the business value clearly, resulting in held up projects or even cancellation altogether.
Recipe for ROI
In short, yes, it can be achieved. But it all comes down to business risk appetite and establishing a significant number that demonstrates maturity to help with future investments. Here is my recipe for security ROI:
• Agree on clearly defined, risk-based KPIs for security. These provide the data to leverage in the development of ROI for projects.
• Understand how the business wants to address risk. Every new change carries the potential for new threats and a clear message is needed to balance risk against the speed of innovation and customer experience.
• Risk is a responsibility for the business, not just the security team. Ensure that there are security KPIs against different business leaders and not just the CISO or CIO.
The above list is not exhaustive, but a strong starting point. Another critical piece is that the establishment of security KPIs across the business means that business leaders are all invested in making the best decision on any project.
While establishing and understanding ROI for security may seem challenging, the route to success starts with small and clearly defined projects. Do not immediately expect 100% accuracy – this will come over time as more data improves the model, which in turn provides the ability to demonstrate security ROI to the business.