CISOs and Board members face a balancing act as they look to build out strong security programs. What tools are truly worth the investment versus the costs of a damaging cyber attack? Though well-known, the potential repercussions of a data breach are still alarming. By some estimates, cybercrime damages are set to reach $6 trillion by 2021.
For both CISOs and Board members a thorough cybersecurity strategy is a critical way to address risk and promote business health and longevity. The risks at stake, in addition to regulatory scrutiny as well as compliance concerns - think GDPR - are motivating Boards to take a closer look, and they’re turning to CISOs for insight. The challenge for CISOs is selecting the best tools from a sea of offerings, and then working with the Board and senior execs to deploy them within the organization.
By calculating cybersecurity ROI, CISOs can quantify the value of a new security project to Board members, demonstrate how it aligns with the business’ overall strategic goals, and foster faster decision-making.
Calculating ROI for Cybersecurity
At a basic level, one way of calculating cybersecurity ROI involves taking the average cost of an incident and multiplying that number by how many incidents a business might experience in a given time frame. With an approximation of potential costs, companies can then assess whether the price of the solution and the reduction in incidents it will bring is worth the investment.
Of course, there are many more factors that come into play, which is why calculating cybersecurity ROI is notoriously challenging. The equation also has to represent issues at stake beyond dollars and cents, including potential loss of intellectual property, loss of reputation, and business disruption. There are numerous formulas for calculating cybersecurity ROI, and much research has been done on the subject. How to Measure Anything in Cybersecurity Risk by Douglas W. Hubbard and Richard Seiersen is a highly-recommended resource for an in-depth exploration.
The bottom line is that breaches are expensive. Calculating cybersecurity ROI starts a conversation about whether the upfront cost of preventing a major disruption is justified when weighed against the small probability of a significant breach and its ensuing costs.
Benefits of Calculating Cybersecurity ROI
CISOs and boards benefit from calculating cybersecurity ROI as it helps them determine the value of an offering for their unique security environment. Many organizations already have upwards of twenty cyber tools in place. Why invest in another? Vendors regularly contact CISOs with solutions claiming to be the answer for new and emerging attack methods. Once the technical due diligence is done, determining ROI gives CISOs a method for evaluating a product, prioritizing among different options, determining what level of peace of mind it will bring, and what problems it will solve.
The next step for CISOs is to communicate their rationale to the board. Executives feel a growing responsibility for cybersecurity decisions, with regulatory, reputational, and business risk weighing heavily on their minds. The CISO’s voice is critical for communicating the reality of cyber risk and providing the leadership team with the information they need to make informed cybersecurity decisions. CISOs who understand the board’s motivations and concerns can dedicate more time to crafting a message that clearly articulates how cybersecurity fits into overall business strategy.
Embracing Security Tools with Proven ROI
No single cybersecurity solution can solve all of an organization’s security challenges. A layered approach is the best way to defend the entire attack surface. Recent advances in cybersecurity technology do offer powerful ROI and are resolving some of security professionals’ biggest challenges: the sheer volume and sophistication of attacks, the dwell time of many breaches, the high rates of false positives, the resources required for incident response, and the cyber skills gap.
Artificial intelligence (AI) and automation provide some of the highest cost-savings opportunities in comparison to other technologies. Overall, AI is extremely adept at reducing the number of security incidents. As attackers begin to adopt AI, organizations that already have AI-based tools in place will be better able to stop them. In the immediate term, the rise of deep-learning AI has already started to significantly move the needle towards preemption and the reduction of false positives, allowing security teams to focus on responding to only the most dangerous threats.
Automation streamlines the management of incidents that do penetrate a company’s defenses. When an attack is detected, workflows are already documented and automated, allowing IT teams to be more productive and efficient.
The cybersecurity landscape is truly complex. At CyVent, our mission is to support CISOs as they select and sort through the different offerings on the market. Calculating cybersecurity ROI helps prepare for the coming environment where the fight will be AI vs AI and companies that do not have the appropriate AI talent and tools may be at a disadvantage.
If you have questions about the tools on the market, we’re here with guidance and advice. Get in touch with our team.