October 22, 2019 // Tony Howlett
Last Updated: November 19, 2020
When information security professionals make budget requests, they are usually confronted with the dreaded return on investment (ROI) question: how long will it take for this investment to pay for itself, either in the form of new revenue generated or saved costs? Even human resources departments have become adept at reporting how to better employee retention and lower recruiting costs to justify their purchases. However, in the security field, it is often a torturous exercise due to the “zero-sum” perception that some top managers take of our field.
First of all, let’s do away with the new revenue question. Security investments are rarely intended to generate new revenue. You might be able to correlate a sales increase with security features that customers are requesting. Sometimes this comes in the form of an industry certification or other validation of your security measures. In most cases, it’s next to impossible to tie sales increases directly to security efforts because so many non-security factors go into a purchase decision.
In some sense, we are paid to make sure nothing happens. Most of the day-to-day blocking and tackling of keeping the company secure goes unseen by management and the rank and file. The trick is how to show that what we are proposing will make it more likely that nothing will happen. But ask any of the cities, hospitals, banks, or other entities that have had a major cyber incident the cost of NOT doing good security. Their estimate of the value would be quite high.
Hard numbers are available on the costs of many high-profile security breaches. The famous Target credit card breach cost the company over $300,000,000. More recently, Equifax has paid out over $650,000,000 to settle claims over its massive data breach. And the City of Baltimore has incurred $18,200,000 in costs so far, with more to come, from its ransomware infection. As of 2018, the average cost to companies of all sizes from a data breach event is $3,800,000.
If your security money is going towards improving an existing process or procedure, ROI calculations are easier to make. For example, if you are improving your IAM processes or rolling out a full Privileged Access Management (PAM) or PAM for vendors (VPAM) solution, stats on tracking hours and tech support resolution time can be gathered and calculated against the cost of your project. Plus, there are companies that conduct customer ROI studies on security process improvements. Often, those can be incredibly helpful in proving financial value in the process to renew with vendors.
If you’re in a regulated sector where you have regular exams or audits, the effect of new security measures can be shown in improved scores and results. These are objective numbers that can be shown to increase or decrease year over year, and they are usually pretty specific about what improved. In the banking industry, going from a 2 to a 1 is a big deal on an Office of the Comptroller of the Currency (OCC) compliance exam. Also, the costs of regulatory fines or findings are readily available public information.
Now that the Office of Civil Rights (OCR) has been active in assessing fines for HIPAA violations (over $100,000,000 to date), it’s a much more real possibility to healthcare boards of directors and upper management. Additionally, for multinational corporations, the EU has been aggressive in handing down judgments for violations of its GDPR privacy law. This activity makes it much more likely that cybersecurity proposals will be taken seriously as a good investment.
Security awareness training can also be shown to deliver a specific ROI. A recent 2019 study of both large and small enterprises by Osterman Research showed that there is a 69% ROI on the security remediation costs after security awareness training is conducted in smaller companies (50-999 employees) and a whopping 562% ROI at larger enterprises (1,000 employees and up).
There are many other useful white papers and resources out there you can use to make your case.
So, when developing your project budgets and information security vendor ROI calculations, be sure to use all available data, both internal and external, to make your best case. Remind your boards and management that while labor cost savings and breach expenses can be tracked and accounted for, the loss of reputation and brand value is, as they say in the credit card commercials: Priceless!