ROI of Your Cybersecurity Investment

Cybersecurity done right is the absence of events. Measuring the return on a cybersecurity investment therefore means weighing the negative impact of an event that did not happen against the resources spent to prevent it. What is the return on investment for something that doesn't happen? To answer that, you must forecast uncertainty and make some explicit assumptions.


ROI = (Savings from Investment – Cost of Investment) / Cost of Investment * 100%


1. Executive Buy-in and Participation

In your business culture, it may be deemed desirable that employees be able to work within your networks and remotely using any device they choose, with little regard for method; that employees not feel constrained by security policy to the point of feeling less productive; and that security be maintained while being as unobtrusive as possible. These are all valid positions and can serve up lively debate within security circles. Regardless of where you stand on topics like this, one thing is constant: it is up to the security leader and practitioner to inform the executive leadership team of the risks. Any user awareness program needs to start with executive awareness.

Risks need to be quantified in dollar terms. Once risk is expressed in business value, alongside probability figures such as the often-cited estimate that a US company has a 27% chance of incurring a $3.5M breach cost over the next 24 months, executive interest should grow. If your company handles customer PII, PCI, or PHI data, there are also regulatory requirements that proper training be conducted regularly for those who handle that data. With this interest, security begins to become part of the business culture; this cannot happen without executive interest and support.

Meet with executive leadership at the top and across all departments in your company. Present them with the current state, calculate the risks, and let them share their cultural viewpoints with you, as well as who and what they wish the company to be. Reach an understanding about what users should be aware of regarding security risks. Devise policy tailored to this.


Investment

To calculate an ROI, you must first determine the amount invested. This can vary based on many factors. Managed Detection & Response (MDR) offerings are less expensive and more standardized than Managed Security Services (MSS) solutions. Both offer 24×7 protection from cyber threats using a set of tools and expertise. The cost can range from several thousand dollars at the entry level to six figures for extremely large or complex IT environments.

Example: Company XYZ makes widgets for the USA and UK military. It invests $10,000 per month to work with a company that provides 24/7 cybersecurity services. The time period of the investment is three years. This ROI analysis disregards the time value of money for simplicity. Thus, the investment is $10,000 * 36 = $360,000.


Return

Fines

Breaches affect the people whose personally identifiable information (PII) is lost. That information can be used for identity theft, as a stepping stone in further attacks, or for other nefarious purposes. Regulators therefore shift the cost of that harm onto the companies that lost the data.

PCI fines are based on a number of variables, including the number of cards breached or compromised, business size, and how long the business has been out of compliance. Fines can range from $5,000 to $100,000 a month. GDPR fines are also based on the data breached, and can be up to 4% of annual global turnover or €20 million, whichever is higher. Companies that suffer the loss may also be responsible for providing credit monitoring for those impacted.

Worst-Case Scenario Example: The provider notices an improper cloud configuration that would have exposed 10,000 customer records. The fine depends on many factors, but let's assume $50,000 had the provider not discovered it.

Reputation

The benefit of being perceived as secure varies by industry, but customers do notice. Knowing that a partner is secure can be a competitive advantage. Evidence of this is seen on many shopping-cart pages, where vendors proudly display that they passed a security standard; the padlock in the browser plays a similar signalling role, even though it only shows that the connection is encrypted, not that the site is well defended. Lost future business is difficult to calculate because of the uncertainty involved.

Suffering a breach or hack can tarnish the reputation of a company. This can have an impact on the willingness of other companies to work together.

Worst-Case Scenario Example: After the breach becomes known, Company XYZ loses a deal worth $150,000.

Physical Impacts

Lost productivity comes into play when the company makes physical items. Downtime as a result of a hack can be calculated by looking at the inventory that was not made as a result and the cost of starting production back up.

Worst-Case Scenario Example: Company XYZ's cybersecurity provider protects it from attacks on its IoT equipment. Without that protection, it might have suffered two hours of downtime due to a hack. One study puts the average cost of downtime at $5,600 per minute, meaning this outage would cost 120 * $5,600 = $672,000.

Ransomware

The amount paid to attackers is a tangible figure in calculating ROI. A top-notch cybersecurity program can mitigate this risk. If a company does not pay, the cost of rebuilding systems and restoring operations becomes the figure in question instead.

Worst-Case Scenario Example: This company cannot catch a break! Without dedicated protection against phishing, it would be infected with ransomware. The average ransomware payment in the fourth quarter of 2023 was $568,000.

Putting it Together

The ROI for this fictitious company from cybersecurity preventing these worst-case scenario attacks is:

[($50,000 Data Fines + $150,000 Lost Business + $672,000 Downtime + $568,000 Ransomware) – $360,000 Investment] / $360,000 Investment * 100%


$1,440,000 Hypothetical Loss from Cybersecurity Attacks – $360,000 Investment to Prevent = $1,080,000; $1,080,000 / $360,000 = 3; 3 * 100% = 300% ROI of Cybersecurity Investment
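The calculation above carried through in code, as an added worked example that is not part of the original article. It reproduces the worst-case ROI for Company XYZ with the article's figures, then does what the Next Steps section asks: it weights each loss by a probability, since a company is unlikely to face every scenario, and finds the per-scenario probability at which the investment merely breaks even. The per-scenario probabilities, the decision to apply the article's 27% breach likelihood uniformly to all four scenarios, and all function and class names are assumptions made here for illustration.

```python
"""Worked ROI calculation for a security investment.

Added example, not from the original article. Dollar figures are the
article's hypothetical Company XYZ numbers; probabilities are assumptions.
"""
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class Scenario:
    """One avoided incident: the loss if it happens, and how likely it is."""
    name: str
    loss: float
    probability: float = 1.0  # 1.0 reproduces the article's worst case

    def __post_init__(self) -> None:
        if self.loss < 0:
            raise ValueError(f"{self.name}: loss must be non-negative")
        if not 0.0 <= self.probability <= 1.0:
            raise ValueError(f"{self.name}: probability must be in [0, 1]")

    @property
    def expected_loss(self) -> float:
        """Probability-weighted loss over the investment horizon."""
        return self.loss * self.probability


def roi_percent(avoided_loss: float, investment: float) -> float:
    """The article's formula: (Savings - Cost) / Cost * 100%."""
    if investment <= 0:
        raise ValueError("investment must be positive")
    return (avoided_loss - investment) / investment * 100.0


def worst_case_roi(scenarios: Iterable[Scenario], investment: float) -> float:
    """ROI if every scenario would have occurred (what the article computes)."""
    return roi_percent(sum(s.loss for s in scenarios), investment)


def expected_roi(scenarios: Iterable[Scenario], investment: float) -> float:
    """ROI on the probability-weighted (expected) avoided loss."""
    return roi_percent(sum(s.expected_loss for s in scenarios), investment)


def break_even_probability(scenarios: Iterable[Scenario], investment: float) -> float:
    """Uniform per-scenario probability at which expected ROI is exactly 0%.

    A result above 1.0 means the investment cannot break even even if every
    scenario occurs.
    """
    total_loss = sum(s.loss for s in scenarios)
    if total_loss <= 0:
        raise ValueError("no loss to avoid")
    return investment / total_loss


def with_uniform_probability(scenarios: Iterable[Scenario], p: float) -> List[Scenario]:
    """Copy the scenarios, assigning the same probability p to each (an assumption)."""
    return [Scenario(s.name, s.loss, p) for s in scenarios]


# Company XYZ from the article: $10,000 per month for 36 months.
INVESTMENT = 10_000 * 36

# The article's four worst-case losses, constructed here from its figures.
WORST_CASE = [
    Scenario("Fine after exposed cloud configuration", 50_000),
    Scenario("Lost deal after breach disclosure", 150_000),
    Scenario("Two hours of production downtime", 2 * 60 * 5_600),
    Scenario("Average ransomware payment, Q4 2023", 568_000),
]

if __name__ == "__main__":
    print(f"Worst-case ROI: {worst_case_roi(WORST_CASE, INVESTMENT):.0f}%")
    p = break_even_probability(WORST_CASE, INVESTMENT)
    print(f"Break-even probability per scenario: {p:.0%}")
    # Assumption: apply the article's 27% breach likelihood to every scenario.
    weighted = with_uniform_probability(WORST_CASE, 0.27)
    print(f"Expected ROI at 27% per scenario: {expected_roi(weighted, INVESTMENT):.1f}%")
```

With the article's numbers the worst case is 300%, but each scenario only needs a 25% chance of occurring over the three years for the investment to break even, and the article's 27% figure, applied uniformly, yields a modest 8%. That sensitivity is why the probability assumptions deserve as much scrutiny as the loss figures.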


Next Steps

A company is unlikely to face each of these losses, but the possibility exists. Change the assumptions in this simple example to get a sense for the value of preventing cybersecurity incidents. Pick a framework, pick a model and start collecting data. Orient your activities to protect this data. Make sure all the stakeholders are aware. To dig deeper into this analysis, there are a number of models to employ.

Factor Analysis of Information Risk (FAIR): This model estimates the probability and magnitude of loss events from a structured set of inputs, so that risk can be expressed in financial terms.

Capability Maturity Model (CMM): This model rates the maturity of existing controls in order to decide where investing time and money will improve them most.



Don't gamble with your organization's security. Expose your vulnerabilities before attackers do. Learn how Cipher's Attack Surface Report (CASR) takes your security to the next level.

Get your complimentary CASR Assessment today.