Security – Returning an Investment

Posted in:

Awareness for Cyber Security is now higher than ever. The public is constantly exposed to reports in the media flashing cyber-attacks and the damages they cause. Security is everywhere and it is taking more and more resources to defend, and a lot more of IT budget.

Reports indicate that security takes significantly larger portions of IT spends every year in the last 5 years, and expected to continue growth in the next few years to reach nearly half of IT budget. ZDNet ‘Corporate IT Budget Survey’ reveals that over 50% of organizations has improving security as their number one priority for 2018.

Corporations now invest more in multiple security layers – Prediction, Prevention, Detection and Response, along with Security personnel costs, expenses are sky high. There is now a growing need for ways to justify expenses to the board, or to CFOs.

CSOs struggle finding the right language to reflects security economics and to justify – “what are we getting for this money?”. This topic is a very common discussion among CSOs on forums and communities.

Returning the investment here is basically preventing unexpected expenses as a result of an attack. This could be due to Damage to data, Extra expenses, Loss of income, Lawsuits, Extortion, Reputation, etc. CSOs challenge is how to reflect this to the board and “materialize” these entries in the budget datasheet as ROI.

 

IT’S ALL ABOUT RISK MANAGEMENT AND LOSS PREVENTION

Let us base the ROI calculations on direct financial loss prevention: if by spending $10 an organization can prevent a highly probable annual loss of $1000, management will surely allocate the $1000 budget. The challenge here for CSO is to be able to prove the true need for that $10, not less, and that the risks mitigated with the $100 would really cause a highly probable $1000 direct loss to the organization.

The expected financial loss caused by the attack is the Annual Loss Expectancy, or ALE – the number of incidents X potential loss per incident. In this case, let us say – six incidents may be expected in a year, so we are looking at an ALE of $6000 (Number of Incidents per Year) x (Potential Loss per Incident).

Part of risk management and assessment frameworks, this process is not very common when it comes to SMB and SME. Those do not always comply with regulations and may not be structured in a way to properly plan and execute cyber security frameworks in a directive way, for example, by utilizing a Cyber Security Director.

In such cases, the CSO role must classify assets and identify ones which are most valuable to the organization, and which protecting those would potentially produce the higher ROI for their protection investment. This means that compromising those would cost the company a great amount of money. Such assets would be critical by means of privacy (ie. Customer Information), Financial value (ie. Confidential data), Critical Processes (ie. Finance Processing) etc.

 

THE WEAKEST LINK

Business assets are constantly accessed by… business users. Here is why the ROI for securing users would have the highest return: Hackers have long realized that users are the weakest link in the organization and are the easiest way to infiltrate boundaries. Here is an example – phishing a user is relatively easy, and takes minimal investment of time and money from the attacker to execute. This means we can conclude that the lower the investment and the ROI for the attacker – the higher the ROI would be for the organization.

The equation is simple – organizations must fight to lower the hacker’s ROI in order to capitalize on theirs. The more the hacker invests in the attack, the higher the cost would be to defend, and the lower the ROI for the organization would be.

 

CONCLUSION

Projecting the return of investment when it comes to security is a challenge, especially when it is presented to c-level stakeholders which may not come from the technical worlds, and do not quite comprehend security. The way to start is by taking a step into understanding today’s threats and the specific business needs for protecting users and assets.

 

Protect your corporate secrets
Sign up now for a FREE corporate security checkup




    Do you like an Article? Share with professionals!

    LEARN MORE ABOUT HOW WE
    CAN HELP YOUR BUSINESS
    FILL UP THESE GAPS

    Please fill in your info:





      Recomendations:

      Internet Binat is an excellent company with great products and outstanding support.The Network and Security Solutions supported by them are resilient, user friendly, secured with a low and affordable cost.Their support team always gives us high priority and attention
      Erez Greenbaum
      Erez Greenbaum
      08:11 10 Sep 19
      I am working side by side with Binat an several years, and was constantly amazed with their business insight and brilliant ways to solving problems.We was setup more the 15 MPLS line for our business around the world, which gave the company a significant advantage on top of the competitors.I really hope that our paths will not diverge in the future, and would recommend with all my heart working with Binat Internet and take advantage of their incredible and rare qualities.
      Alex Levin
      Alex Levin
      14:27 19 Aug 19
      Internet Binat is at the top of WAN services.Adama is working very closely with them for the last couple of years in some very challenging parts of the globe.Without the solutions they provide our job and normal user's productivity around the world would not have been possible.They are professional, committed and above all give superb service !Internet Binat can take you from planning board to execution with flying colors. Strongly recommend?
      Roni Barzelai
      Roni Barzelai
      13:46 19 Aug 19
      We get the absolute pleasure of working with Binat Internet for the last 5 years.We are worked on challenging and innovative projects on a global scale.I believe that every organization that would work or interact with Binat Internet will benefit dramatically from that. I want to note the excellent technical round-the-clock support, especially the Israeli team. Team is ready to deal with difficult situations and solve the problems on time.Any of your problems will be solved ASAP.Will be happy to recommend Binat Internet every time, knowing the benefits and attitude they are bringing with them to every project.
      Valery Kucher
      Valery Kucher
      11:32 18 Aug 19
      The excellent company,High professional levelYou always can trust the technical people that help you in any situation.
      Igor Vinokur
      Igor Vinokur
      14:27 14 Aug 19