Security – Returning an Investment

Awareness for Cyber Security is now higher than ever. The public is constantly exposed to reports in the media flashing cyber-attacks and the damages they cause. Security is everywhere and it is taking more and more resources to defend, and a lot more of IT budget.

Reports indicate that security takes significantly larger portions of IT spends every year in the last 5 years, and expected to continue growth in the next few years to reach nearly half of IT budget. ZDNet ‘Corporate IT Budget Survey’ reveals that over 50% of organizations has improving security as their number one priority for 2018.

Corporations now invest more in multiple security layers – Prediction, Prevention, Detection and Response, along with Security personnel costs, expenses are sky high. There is now a growing need for ways to justify expenses to the board, or to CFOs.

CSOs struggle finding the right language to reflects security economics and to justify – “what are we getting for this money?”. This topic is a very common discussion among CSOs on forums and communities.

Returning the investment here is basically preventing unexpected expenses as a result of an attack. This could be due to Damage to data, Extra expenses, Loss of income, Lawsuits, Extortion, Reputation, etc. CSOs challenge is how to reflect this to the board and “materialize” these entries in the budget datasheet as ROI.

IT’S ALL ABOUT RISK MANAGEMENT AND LOSS PREVENTION

Let us base the ROI calculations on direct financial loss prevention: if by spending $10 an organization can prevent a highly probable annual loss of $1000, management will surely allocate the $1000 budget. The challenge here for CSO is to be able to prove the true need for that $10, not less, and that the risks mitigated with the $100 would really cause a highly probable $1000 direct loss to the organization.

The expected financial loss caused by the attack is the Annual Loss Expectancy, or ALE – the number of incidents X potential loss per incident. In this case, let us say – six incidents may be expected in a year, so we are looking at an ALE of $6000 (Number of Incidents per Year) x (Potential Loss per Incident).

Part of risk management and assessment frameworks, this process is not very common when it comes to SMB and SME. Those do not always comply with regulations and may not be structured in a way to properly plan and execute cyber security frameworks in a directive way, for example, by utilizing a Cyber Security Director.

In such cases, the CSO role must classify assets and identify ones which are most valuable to the organization, and which protecting those would potentially produce the higher ROI for their protection investment. This means that compromising those would cost the company a great amount of money. Such assets would be critical by means of privacy (ie. Customer Information), Financial value (ie. Confidential data), Critical Processes (ie. Finance Processing) etc.

THE WEAKEST LINK

Business assets are constantly accessed by… business users. Here is why the ROI for securing users would have the highest return: Hackers have long realized that users are the weakest link in the organization and are the easiest way to infiltrate boundaries. Here is an example – phishing a user is relatively easy, and takes minimal investment of time and money from the attacker to execute. This means we can conclude that the lower the investment and the ROI for the attacker – the higher the ROI would be for the organization.

The equation is simple – organizations must fight to lower the hacker’s ROI in order to capitalize on theirs. The more the hacker invests in the attack, the higher the cost would be to defend, and the lower the ROI for the organization would be.

CONCLUSION

Projecting the return of investment when it comes to security is a challenge, especially when it is presented to c-level stakeholders which may not come from the technical worlds, and do not quite comprehend security. The way to start is by taking a step into understanding today’s threats and the specific business needs for protecting users and assets.