Posted in:

Feature: Cyber Security return-on-investment

Models designed to evaluate if cyber security delivers measurable value for money must become more inclusive to be more revealing.

There are few instances of workplace jargon that crop-up in both the business leader’s and information technologist’s lexicons; ROI – return on investment – is one such. But the fact that it carries different shades of meaning for its respective usage often proves unhelpful when it comes to establishing common terms of reference inside a digitally-transformed organisation. Its definition shifts from one planning meeting to the next.

Nevertheless, it’s a term that continues to find its way into debates between the board/c-suite and the IT function, so chief officers should ensure that their understanding of ROI is properly up-to-date – especially as executives become more closely involved in the determination of enterprise digital strategy and may be exposed to vendor superlatives.

It’s also a term worth redefining at its simplest level. In IT terms, ROI denotes the ratio between the net cost and profit of an investment that results from an investment of resources of some kind. As a performance measure, ROI is used to evaluate the efficiency of an investment or to compare the efficiencies of several different investments. A high ROI means the investment’s gains compare favourably to its cost. Low ROIs suggest an investment’s propensity to deliver value was poorly judged.

Nevertheless, with the latter, it naturally depends on who judges. The definition of ROI is conditioned by the perception of performance effectiveness – just how well does a product or service do what it’s supposed to do. For many of those working on the practitioner side in the IT industry, ROI is an overused buzzword that’s beloved of solutions vendors and product consultants, but of limited value for those tasked with making comparative evaluations based on technical features.

“The term ROI is frequently misused to attach a meaning or connotation that it does not originally have,” says Ilia Kolochenko, CEO at High-Tech Bridge. “Cyber security is primarily designed to serve business by mitigating the risks to the acceptable level. Thus, I would not expect that money invested in cyber security per se will bring you dividends or a common notion of profit.”

Kolochenko adds: “I daresay that a cyber security solution also brings ROI if it prevents practical, reasonably certain and measurable losses. Obviously, its overall costs, including (but not limited to) costs of maintenance and personnel training, should be lower than potential losses.”

DEPENDS WHAT YOU MEAN BY ‘RETURN’

A potential pitfall for managers lies in the assumption that there are innate similarities between ROI as applied to standard IT that supports line-of-business applications, and ROI applied to cyber security products and services – a mistake that dates from the time when security was just another facet of mainstream IT operations across the enterprise. As cyber threat levels grew over time, and the requirement to ensure that organisations’ system security was equally strengthened to withstand increased attacks, the proportion of budget claimed by security products, services and specialists increased.

“The difference is that on the business side, ROI denotes a clearly measurable financial benefit.” says Dr Klaus Gheri, VP Network Security at Barracuda Networks. “Among the IT security community, very often ROI refers to avoided potential costs that would have resulted from a security breach. Essentially, this is about risk reduction, making it hard to prove, which in part explains why [as a conceptual model] it is harder to communicate than tangible money saved or earned.”

Another complexity is that, arguably, as operating systems and applications become more secure, cyber security becomes the prevalent IT force. This complicates the question of how well cyber security delivers adequate ROI, because it becomes embedded in the hardware and software designed to support line-of-business applications that drive your enterprise forward.

Executives can add something to the cyber security ROI debate by keeping their organisations’ risk appetites’ defined and up-to-date.

An important ROI distinction is that many aspects of enterprise cyber security are now subject to a range of national and international regulatory compliances, such as GDPR (General Data Protection Regulation). This means that organisations are obliged to buy security products and services, even if they have a high ‘risk appetite’.

Generally, risk appetite is the level of risk that an organisation is prepared to accept in pursuit of its objectives, and before action is deemed necessary to reduce the risk. It represents a balance between the potential benefits of innovation and the threats that change can be expected to bring. In this regard ROI is helped by the fact that failure to comply can result in penalties: so a €50,000 expenditure in secure IT is obviously preferable to a €60,000 fine when enterprise security is found wanting by a regulator.

Executives add something to the cyber ROI debate by keeping their organisations’ risk appetitive defined and up-to-date. “Top management and the board should have serious conversations that focus not only on acceptable losses, also on what investors and regulators might consider a reasonable level of cyber defence, detection and response,” according to Norman Marks, author of the book World Class Risk Management. “Any definition of ‘risk appetite’ should probably be based on the likelihood of a serious breach, rather than on the amount of loss.”

NEW MODELS OF RETURN MEASUREMENT

From the technologists’ perspective, organisational risk appetites have tended to be suppressed. The IT function wants to demonstrate that it can select, install and manage all security infrastructure that detects and stops threats. It also implements security policies that can ensure your workforce abides by all the acceptable usage rules.

An executive perspective on deciding security exposure may, moreover, take into account priorities that differ from those of the IT function. For instance, it may decide that it’s not absolutely necessary to maintain 100% protection of all data assets. This means security resources can be concentrated on safeguarding the most valuable data assets that hackers try to get at. Emergent models for cyber security ROI also need to broaden to take into account the indirect cost savings that tech advances can introduce; but these will likely only serve as secondary considerations, says Barracuda Networks’ Klaus Gheri.

“There can be direct cost savings through investing into a new security tool which – for instance – requires less human attention to operate. That is the easy part,” Gheri explains. “More frequently, however, that is not the case, and ROI is calculated by assuming average incident cost of a certain type – which the security investment now prevents from happening – times the probability of being hit by such an incident within a certain period of time – a calendar year, say. The resulting cost savings can then be compared with the associated total cost of the security investment.”

If Gheri is correct, probability-based estimations of cyber attack risk will inform the greater part of thinking around this key issue. Threat intelligence of some kind (there are various types) is one area that can helpfully inform cyber security ROI considerations. The more information you have about who is targeting your organisation, the better you can marshal your defences against them, because certain threats favour certain attack route (or ‘vectors’). Security solutions vendors have in recent years seen the value of refining their products and services for specific types of threat and specific targeted sectors, so a solutions provider who already has clients in your business area is worth knowing about.

In the final analysis, boards/c-suites have to retain realistic expectations, and understand that cyber security expenditure does not fit neatly into established models of ROI. “Measuring ROI in the cyber security arena is difficult because the main goal is to avoid a breach,” Paul Calatayud, CSO/Americas at Palo Alto Networks, stated at an industry round table earlier this year. “Beyond this metric, it’s extremely difficult to measure success.”
Words: James Hayes. Images: Shutterstock.