Cybersecurity investments: Why ROI calculations may not tell the whole story

Spending money on cybersecurity tends to be a point of angst for company decision makers. Besides being nebulous, most cybersecurity spends do poorly when subjected to Return On Investment (ROI) calculations.

To that point, security experts question whether ROI measurements correctly indicate the effectiveness of a cybersecurity program. “Security is not an investment that provides a return, like a new factory or a financial instrument,” writes Bruce Schneier in his 2008 CSO feature article (that is still relevant today) Security ROI: Fact or Fiction?. “It’s an expense that, hopefully, pays for itself in cost savings. Security is about loss prevention, not about earnings.”

When it comes to loss prevention, the following business objectives are typically included:

• Avoid fines for data breaches;
• Don’t cause an essential service outage to the surrounding region;
• Ensure life-support systems are always available;
• Protect product formulas or recipes; and
• Protect your organization’s brand.

“Company management shouldn’t spend more on a security problem than the problem is worth,” continues Schneier. “Conversely, management shouldn’t ignore problems that are costing the company money when there are cheaper mitigation alternatives. Smart managers need to approach security as it would any other business decision: costs versus benefits.”

SEE: Cybersecurity strategy research: Common tactics, issues with implementation, and effectiveness (Tech Pro Research)

A better way to measure cybersecurity investments

When it comes to cost vs. benefits, Katrina Avila, a senior consultant for IBM, agrees with Schneier. In her SecurityIntelligence.com article, How to Maximize Your Cybersecurity Investment, Avila offers practical ways to ensure the company’s investment in cybersecurity are maximized.

The first step, according to Avila, is to take a hard look at risk and capability by asking the following questions.

Risk: What’s your current risk? What residual risk is your organization prepared to accept? The difference between these two states will drive your cybersecurity road map.

Capability: How well-developed and consistent are your cybersecurity practices, and how well do they enable the security outcome your organization expects? Avila suggests looking at the intersection of business goals, technical constraints, and availability of resources.

“Assessments help you understand your company’s gaps in these areas (risk and capability),” explains Avila. “Sometimes, it can reveal cybersecurity investment in capacities that don’t support business goals, so it’s better to redirect these resources to initiatives that will have a more significant impact on risk mitigation.”

Developing a proactive cybersecurity road map is next on Avila’s to-do list. The goal is to reduce the need to react after-the-fact. Building the cybersecurity road map requires answering the following questions.

• How do you formulate a target cybersecurity state for your organization?
• How can the case for change be developed cost effectively?
• Which business benefits justify the cost?

SEE: A winning strategy for cybersecurity (ZDNet special feature) | Download the PDF version (TechRepublic)

Use benchmarks with caution

Industry benchmarks are helpful; however, Avila cautions, they are not the entire solution and must be viewed with skepticism to avoid the “because everyone else does it” mentality. “That said, benchmarks can help identify potential security gaps in your organization,” she adds. “Use them to initiate security conversations with management, and always consider your organization’s unique business needs and objectives.”

An example of the point Avila is trying to make is the differences between securing an e-commerce shop and a traditional brick-and-mortar shop. “The e-commerce retailer has to meet electronic payment compliance requirements and poses a much more attractive target to hackers, requiring a more substantial investment in network security,” explains Avila. “Meanwhile, the brick-and-mortar shop should consider heavier investments in physical security—such as loss prevention.”

There can be some overlap when it comes to cybersecurity, but it’s easy to see what Avila is getting at.

SEE: The role cybersecurity should play in 2019 IT budget planning (ZDNet)

Uncover cybersecurity risks using heat maps

Not relying on benchmarks might have security analysts scratching their heads. Avila is prepared for that response, saying risk heat maps, created from information derived from the risk analysis mentioned earlier, will produce a better security profile, adding, “By generating risk heat maps, you can model the amount and types of security controls to meet your level of acceptable risk.”

Risk heat maps provide the following tangible benefits:

• A picture of your cybersecurity risks and their locations;
• The ability to show management the impact of not addressing cybersecurity risks; and
• A visual justification for cybersecurity investment.

Final thoughts

Avila also offers sound advice that is specific to small businesses without a dedicated cybersecurity team. “Look at what you need to secure, and why,” writes Avila. “Also talk to business owners and technology leads about what you need to protect, and the result will be much more meaningful.”

In conclusion, Avila suggests, “You’ll get more out of your cybersecurity investment and more support for change by aligning your road map to your organization’s business needs—and that means protecting your critical assets, monitoring your threats, and keeping track of changes to the company’s risk profile.”

Avila’s advice seems obvious, but experience shows it is often overlooked.

Also see