Magazine Button
Using ROSI to evaluate cybersecurity technologies

Using ROSI to evaluate cybersecurity technologies

Deep diveEnterprise SecurityInsightsTop Stories
Intelligent CISO spoke to a number of experts about how CISOs can best prove ROI on security investments

Being able to demonstrate ROI on security investments to the board is one of the tasks every CISO encounters. And it is not without its challenges. Intelligent CISO spoke to a number of industry experts who offer some best practice advice to CISOs about how to tackle this challenge.   

 Why is it important to be able to use ROSI to evaluate cybersecurity technologies?

Carolyn Crandall, Chief Deception Officer at Attivo Networks

CFOs and CEOs would be ecstatic to see detailed and specific ROSI, especially if it could be boiled down to a dollar figure. This would streamline budget assignment and approvals as you could easily calculate a quantifiable benefit. The challenge is that security is much like insurance, you hate to spend the money on it but are extremely grateful that you have it when needed.

Ultimately, security is more of a risk calculation. How much risk are you taking and what are the consequences if you don’t invest. Fines, insurance hikes, lost revenue, hit to brand reputation and incident response costs can be calculated, however assigning ROSI to one device can be hard as security is a system and only one chink in the armour can bring the whole system down.

To use an American football analogy, it is like playing the game without a kicker to kick in the field goal. Security can be compared to being in the final seconds of the game, but without the kicker, you need to run the play, which can be more complex and riskier. If you have the kicker, you win, without the kicker you may not.

Is it a guarantee? No, but the odds are less favourable when you don’t have the resources best suited for the need. The concept of a kicker and security are similar, there is no silver-bullet so you need all the positions covered.  If you try to shortcut it, it may be all the opponent needs to win. Game over.

Joseph Carson, Chief Security Scientist, Thycotic

For cybersecurity to be successful in any company it must contribute to the business success. In order to get support and commitment from the executive board, the CISO must show a return on security investment for it to be a strategic part of the overall company business. If the CISO is unable to communicate effectively to the executive board on how cybersecurity will contribute to the business, it is very likely that the board will not invest in cybersecurity leaving the company open to cyberattacks.

The future of cybersecurity needs to change in businesses. We need to stop talking about cybersecurity and talking only about business risks and how cybersecurity solutions can be used to reduce the business risk contributing to the business success.

Organisations continue with failing to measure cybersecurity successfully, focusing on only the threats and not the value of business risk reduced.

Sometimes cybersecurity is simply too complex. Many companies have invested in technologies that claim to solve all the problems. However, when it comes to getting them working they are so complex that proper installation takes years – and that’s even before they get integrated into existing cybersecurity investments.

When documentation is hundreds of pages long and takes highly skilled resources to ensure it’s working, it becomes clear why the industry is short of cybersecurity professionals.

Ruggero Contu, Research Director, Security Solutions Worldwide

Similar to other areas, demonstration of ROI is often key to obtain financing from IT budget allocation, however, as a recent Gartner survey has demonstrated, with security often it is difficult to provide a direct correlation between economic benefits and security investments.

This is because security aims to keep things running as normal and prevent/detect/remediate incidents, so demonstrating ‘normality’ is not necessarily seen by management as a compelling reason to spend on security versus other areas that can demonstrate direct economic gains.

Furthermore, security is often relying on metrics that are very technical, making it difficult for security professionals to communicating value to the business.

What best practice advice would you give to businesses and organisations on calculating their return on security investments?

Carolyn Crandall, Chief Deception Officer at Attivo Networks

I would suggest using various modelling frameworks to communicate the impact. The fundamental models could be based upon 1. brand impact and revenue loss; 2. penalties/fines/increased insurance premiums; 3. cost of incident response.

It is especially critical not to underestimate these costs, as they can drastically skew calculations. In addition to this, I would add: 4. impact to business services and whether this opens or closes opportunities to provide services that give a business advantage and 5. ongoing hygiene of security system – what investments need to be made to ensure that security is working reliably, is covering all attack surfaces and ever-evolving attack types.

This could be pen testing but ongoing tools to validate will mitigate the need for a ‘root canal’ that will occur if the attacker remains undetected for lengthy periods of time. This should factor in not only actual damages but also the time needed for cleaning up the network and erasing the attacker’s footprint.

Ultimately, don’t limit ROSI to simply IT asset management. It is also important to factor the costs into overall digital risk management and impact to the organisation’s business operations.

Joseph Carson, Chief Security Scientist, Thycotic

Businesses must stop focusing on cybersecurity and must focus on business risk as using cybersecurity solutions that reduce those business risks will only help justify the investments.

Given these constraints, cybersecurity solutions need to automate processes and simplify the management required to deploy and maintain. Complex, manual, labour-intensive solutions can not only impede productivity but can actually increase risks to the organisation if they are not embraced by the staff that must use them on a regular basis.

For cybersecurity solutions to be successful they need to be automated, they need to be simple – not complex, they must not require highly skilled professionals to implement them and they must be cost effective and add value to the company.

Ruggero Contu, Research Director, Security Solutions Worldwide

The best way to show ROI for security is to build a budget proposal using business language, therefore translating technical metrics into business-friendly values.

Security tends to be led by very technical oriented professionals that struggle to communicate in business-friendly terms and as a result there is the risk of having business not receptive of the value security can bring to the organisation.

Secondly there should be an alignment of security to business aims and, as a result, show how security supports business objectives, such as preventing business disruption from incurring in downtime of systems that can impact core business processes.

Thirdly, while difficult to quantify, there should be an attempt to estimate economic cost arising from a cyberattack, cost that can be attributed to damage to tangible assets such as hardware and software, intangible such as intellectual property theft, loss from disruption to goods or services production or exposure to fines from regulators due to inadequate security posture.

Therefore, investments in security can help mitigating those costs.

The battle for business buy-in: Three ways to justify your IT security spend

Maxim Frolov, Vice President of Global Sales at Kaspersky Lab

Proving ROI in IT security has traditionally been a struggle for IT professionals, who need to balance budget limitations while constantly fighting to stay ahead of the dynamic threat landscape. However, businesses are now starting to treat IT security as an investment, rather than simply a cost-centre – according to a recent Kaspersky Lab report.

Costly cybersecurity incidents are affecting current and future business operations

Businesses of all sizes and industries are realising that they have to prioritise cybersecurity spend. Enterprises are now spending almost a third of their IT budget (£6.9 million) on cybersecurity and budgets are expected to rise over the next two years across all segments. Both SMBs and enterprises predict they will spend up to 15% more on cybersecurity over this period.

Why? Because the consequences of a cybersecurity incident can spread far and wide. WannaCry stopped the production lines of five Renault factories, while exPetr disrupted business operations at Maersk, the world’s largest container ship and supply company, resulting in losses of between £155 million and £250 million pounds.

Along with undermining current business operations, cyberthreats are also impacting future-focused initiatives. Digital Transformation and business mobility require organisations to operate a growing IT infrastructure, meaning they often lack visibility into their hybrid clouds.

Consequently, data is being put at risk of compromise or even encryption. The Zepto ransomware, which was spread via cloud storage apps, provides a prime example of this threat in action.

Moreover, the costs of dealing with the consequences of a cybersecurity threat are on the rise – due to factors such as having to hire external consultants, acquiring new software, dealing with PR risks and litigations, etc.

With costs rising and crucial business operations being put at risk, it’s no surprise that top management is now getting involved in the cybersecurity provisioning debate. But it’s not just their own infrastructure that they have to be thinking about.

Even if your corporate perimeter is protected, you cannot be so sure about your suppliers

It’s important to understand that a breach can happen even if the business’ own corporate network has the necessary level of protection – through supply chain attacks or breaches as a result of vulnerabilities in third party legitimate software.

We saw the ground-breaking breach of American retailer Target, when criminals gained access to the company’s network credentials through its ventilation and air conditioning vendor.

This was followed by the Equifax breach which was hacked through a vulnerability in legitimate open source software. The hackers gained access to databases, stealing 145.5 million accounts with crucial client data such as names, social security numbers, dates of birth, addresses and even credit card numbers.

For enterprises, data protection remains a critical issue even if a threat is somewhere outside the corporate perimeter – data breaches resulting from incidents affecting suppliers which businesses share data with cost them up to £900,000 million on average.

And, with data being stored in multiple locations, cybersecurity becomes a significant challenge.

Business data must be protected, wherever it is

It’s no secret that cloud services offer many benefits to businesses, from taking advantage of a more efficient mobile workforce, to reducing infrastructure costs and optimising business operations. As such, 73% of SMBs use at least one SaaS hosted business application, while 45% of enterprises have either already raised or are planning to grow their use of hybrid cloud in the next six months.

However, as businesses move more and more data to the cloud, they often end up losing visibility of their data exposure.

Data ‘on the go’ that is actually stored outside of the corporate data centre – e.g. in third party IT infrastructure – is presenting businesses with new security issues and new costs.

The most expensive incidents over the past year were related to cloud environments and data protection issues.

For example, for SMBs, two-thirds of the most expensive cybersecurity incidents are related to the cloud and third party hosted IT infrastructure failures result in an average £140,000 loss. That’s why it is so important to consider a dedicated level of cybersecurity when moving workloads to cloud platforms.

To summarise, these three insights can help explain why cybersecurity should be prioritised across companies in any industry – it is a prevalent issue for companies of any size, because virtually every company today deals with third party contractors, cloud infrastructure and a growing amount of sensitive business data. Therefore, to achieve an advanced level of cybersecurity, businesses must implement cybersecurity as one of the core functions across their IT infrastructure.

A set of appropriate cybersecurity solutions can then be deployed, enabling the adaptive and manageable protection of workloads across physical and virtual machines, containers and public cloud. It’s critical to achieve seamless administration and visibility across a hybrid cloud infrastructure.

And last but not least, businesses have to realise their responsibility for data and workloads that are stored in cloud applications and platforms. A false sense of safety and relying on providers to ensure security can be extremely costly – your data is your responsibility.

Click below to share this article

Browse our latest issue

Intelligent CISO

View Magazine Archive