CISOs and Board members face a tough balancing act as they look to build out stronger security programs. What tools are truly worth the investment versus the costs of a damaging cyber attack? Though well-known, the potential repercussions of a data breach are still alarming. According to a recent IBM report, compiled with data from 500 organizations, data breaches cost $4.24 million per incident on average. It’s the highest cost in the 17-year history of the report.
For both CISOs and board members, a thorough cybersecurity strategy is a critical way of dealing with risk and promoting business health and longevity. This matters even more at a time when security incidents are steadily becoming more sophisticated, harder to fight and harder to contain, both because attacks are more complex and because of operational changes such as the growth of remote work.
The risks at stake, together with regulatory requirements and compliance concerns (think GDPR), are motivating boards to take a closer look, and they are turning to CISOs for insight. The challenge for CISOs is to choose the best combination of tools from a myriad of offerings, and then to work with the board and senior executives to deploy them within the organization.
By calculating cybersecurity ROI, CISOs can quantify the value of a new security project to board members, show how it is aligned with the business’ overall strategic goals, and promote faster decision-making.
Calculating ROI for Cybersecurity
At a basic level, one way of calculating cybersecurity ROI involves taking the average cost of an incident and multiplying that number by how many incidents a business might experience in a given time length. With an approximation of potential costs, companies can then assess whether the price of the solution and the reduction in incidents it will bring is worth the investment.
Of course, there are many more factors that come into play, which is why calculating cybersecurity ROI is notoriously challenging. The equation also has to represent what is at stake beyond dollars and cents, including potential loss of intellectual property and business disruption. In addition, companies need to take into account reputational damage, downtime and legal costs. Another factor is the growing number of ransomware cases, in which attackers demand a ransom payment on top of the other costs of the incident.
There are numerous formulas for calculating cybersecurity ROI, and much research has been done on the subject. How to Measure Anything in Cybersecurity Risk by Douglas W. Hubbard and Richard Seiersen is a highly-recommended resource for an in-depth exploration.
The bottom line is that breaches are expensive. Calculating cybersecurity ROI starts a conversation about whether investing upfront to prevent a major disruption outweighs the small probability of a significant breach and its ensuing costs.
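As an added illustration, not code from the article or from CyVent, the basic calculation described above written out as a small Python script: annualized loss is the average incident cost times expected incidents per year, and ROI compares the loss a tool avoids against its price. It also adds a Monte Carlo run over uncertain inputs in the spirit of the Hubbard and Seiersen book; the incident rate, prevention share and tool price are assumed values, while the $4.24M figure is the IBM average quoted above.

```python
import random
import statistics


def annualized_loss(avg_incident_cost, incidents_per_year):
    """Annualized loss expectancy: average cost of one incident times expected incidents per year."""
    return avg_incident_cost * incidents_per_year


def security_roi(avg_incident_cost, incidents_per_year, incident_reduction, annual_tool_cost):
    """Return on security investment as a fraction of the tool's annual cost.

    incident_reduction is the share of incidents the tool is expected to prevent (0..1).
    A result of 0.5 means the avoided loss exceeds the tool cost by 50%; a negative result
    means the tool costs more than the loss it avoids.
    """
    if annual_tool_cost <= 0:
        raise ValueError("annual_tool_cost must be positive")
    avoided_loss = annualized_loss(avg_incident_cost, incidents_per_year) * incident_reduction
    return (avoided_loss - annual_tool_cost) / annual_tool_cost


def simulate_roi(cost_range, incidents_range, reduction_range, annual_tool_cost, runs=10_000, seed=1):
    """Monte Carlo version for uncertain inputs (the Hubbard/Seiersen style of estimate).

    Each *_range is (low, high, mode) for random.triangular. Returns the median ROI and the
    probability that the investment at least breaks even across the simulated years.
    """
    rng = random.Random(seed)  # fixed seed so results are reproducible
    results = []
    for _ in range(runs):
        cost = rng.triangular(*cost_range)
        incidents = rng.triangular(*incidents_range)
        reduction = rng.triangular(*reduction_range)
        results.append(security_roi(cost, incidents, reduction, annual_tool_cost))
    break_even = sum(1 for r in results if r >= 0) / runs
    return statistics.median(results), break_even


# Constructed inputs: the $4.24M average breach cost is the IBM figure quoted in the article;
# the incident rate, prevention share and tool price are illustrative assumptions.
if __name__ == "__main__":
    print(f"point-estimate ROI: {security_roi(4_240_000, 0.5, 0.3, 300_000):.2f}")
    median, p_even = simulate_roi((1_000_000, 9_000_000, 4_240_000), (0.1, 1.0, 0.5),
                                  (0.1, 0.5, 0.3), 300_000)
    print(f"median simulated ROI: {median:.2f}, chance of breaking even: {p_even:.0%}")
```

The point estimate alone hides how sensitive the answer is to the incident rate; the simulated break-even probability is the number a board can actually weigh against the tool's price.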
Benefits of Calculating Cybersecurity ROI
CISOs and boards benefit from calculating cybersecurity ROI because it helps them determine the value of an offering for their unique security environment. Many organizations already have upwards of twenty cyber tools in place. Why invest in another? Vendors regularly contact CISOs with solutions claiming to be the answer to new and emerging attack methods. Once the technical due diligence is done, determining ROI gives CISOs a method for evaluating a product, prioritizing among different options, and determining what level of peace of mind it will bring and what problems it will solve. Data-driven decisions have never been as valuable as they are now.
The next step for CISOs is to communicate their justification to the board. Executives feel a growing responsibility for cybersecurity decisions, with regulatory, reputational, and business risk weighing heavily on their minds. The CISO’s voice is critical for communicating the reality of cyber risk and providing the leadership team with the information they need to make informed cybersecurity decisions. CISOs who understand the board’s motivations and concerns can dedicate more time to crafting a message that clearly articulates how cybersecurity fits into overall business strategy.
Embracing Security Tools with Proven ROI
No single cybersecurity solution can solve all of an organization’s security challenges. A layered approach is the best way to defend the entire attack surface. Recent advances in cybersecurity technology do offer powerful ROI and are resolving some of security professionals’ biggest challenges: the sheer volume and sophistication of attacks, the dwell time of many breaches, the high rates of false positives, the resources required for incident response, and the cyber skills gap.
Artificial intelligence (AI) and automation provide some of the highest cost savings opportunities in comparison to other technologies. According to Cost of a Data Breach Report 2021, “the adoption of AI, security analytics, and encryption were the top three mitigating factors shown to reduce the cost of a breach, saving companies between $1.25 million and $1.49 million compared to those who did not have significant usage of these tools”.
Overall, AI is extremely capable of reducing the number of security incidents. As attackers begin to adopt AI, organizations that already have AI-based tools in place will be better able to stop them. In the immediate term, the rise of deep learning AI has already started to significantly move the needle towards preemption and the reduction of false positives, allowing security teams to focus on responding to only the most dangerous threats.
Automation streamlines the management of incidents that do penetrate a company’s defenses. When an attack is detected, workflows are already documented and automated, allowing IT teams to be more productive and efficient.
The cybersecurity landscape is truly complex. At CyVent, our mission is to support CISOs as they sort through the different offerings on the market and choose among them. Calculating cybersecurity ROI helps organizations prepare for a future in which the fight will be AI vs AI, and companies that lack the appropriate AI talent and tools may be at a disadvantage.
If you have questions about the tools on the market, we’re here with guidance and advice. Get in touch with our team.