How to calculate the ROI of Cybersecurity

Return on Investment (ROI) is probably the single most important metric in business. It answers the question "For every dollar invested, what do I get back?", i.e. (gain – cost) ÷ cost. In profit-generating areas like sales it's fairly easy to calculate because both sides are in dollars: revenue minus cost is profit, and profit divided by cost is the ROI. Cybersecurity, however, is a cost centre. It doesn't generate revenue, so the "return" has to be expressed as losses avoided, penalties avoided or ongoing costs removed. That makes the ROI harder to calculate, but not impossible. Here I go over some methods for calculating ROI for Cybersecurity:

4 areas of ROI in Cybersecurity

There are 4 primary ways that a cybersecurity initiative gives you a ROI:

  1. Reducing Business Risk

  2. Compliance with regulations or contractual agreements

  3. Reducing ongoing costs

  4. Meeting Business Objectives

Reduction in business risk: This is the primary way an investment in Cybersecurity pays a business back. Every security incident has a cost (clean-up, downtime, notification, lost business), so reducing how often a given type of incident occurs, or how much each one costs, saves the company money. For example, say Company A suffers 10 data breaches a year caused by phishing emails, each costing $10,000 to fix (10 × $10,000 = $100,000 per year; in risk-management terms the single loss expectancy is $10,000, the annual rate of occurrence is 10 and the annual loss expectancy is $100,000). To fix this you implement a security control that costs $20,000 a year and halves the rate of occurrence, so the expected loss drops to $50,000 and the control saves you $50,000 per year. Your net return in the first year alone is $50,000 – $20,000 = $30,000, an ROI of 150% on the $20,000 spent. This is one way a cybersecurity initiative can have a measurable ROI: take the current annual rate of occurrence and cost per incident, estimate how much the control will reduce them, and subtract the cost of the control from the resulting saving. Controls can be technical things like a firewall or mail filtering, but they can also be hiring additional staff to run training or to respond to and contain incidents as they occur (which lowers the cost per incident rather than the rate).
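The calculation above generalises to any scenario where you can estimate cost per incident, incidents per year and how much a control reduces either figure. The following is an added example, not code from the original article: a small return-on-security-investment (ROSI) calculator that reproduces the phishing figures from the text, handles controls that reduce the cost of each incident rather than its frequency (faster containment), and flags the case the Final Thoughts section warns about, where the control costs more than the loss it avoids. The scenario and the two extra controls ("Enterprise DLP suite", "IR retainer") are constructed sample inputs with made-up prices, not real products or real quotes.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class RiskScenario:
    """One class of incident, expressed in the article's terms."""
    name: str
    single_loss_expectancy: float     # SLE: cost of one incident (e.g. $10,000 to clean up a phishing breach)
    annual_rate_of_occurrence: float  # ARO: incidents per year (e.g. 10)

    @property
    def annual_loss_expectancy(self) -> float:
        """ALE = SLE x ARO: what the scenario costs per year if nothing changes."""
        return self.single_loss_expectancy * self.annual_rate_of_occurrence


@dataclass(frozen=True)
class Control:
    """A candidate investment: a tool, a hire, a training programme."""
    name: str
    annual_cost: float
    rate_reduction: float          # fraction of incidents it prevents (0.5 halves the ARO)
    impact_reduction: float = 0.0  # fraction shaved off each incident's cost (e.g. faster containment)

    def __post_init__(self) -> None:
        for field in ("rate_reduction", "impact_reduction"):
            value = getattr(self, field)
            if not 0.0 <= value <= 1.0:
                raise ValueError(f"{field} must be between 0 and 1, got {value}")
        if self.annual_cost <= 0:
            raise ValueError("annual_cost must be positive")


@dataclass(frozen=True)
class RosiResult:
    control: str
    ale_before: float
    ale_after: float
    loss_avoided: float           # annual saving attributable to the control
    net_benefit: float            # loss_avoided minus what the control costs
    rosi: float                   # net_benefit / annual_cost as a ratio (1.5 == 150%)
    payback_months: float | None  # None when the control never pays for itself
    worth_buying: bool            # False when the control costs more than the loss it avoids


def evaluate(scenario: RiskScenario, control: Control) -> RosiResult:
    """Return on security investment for one control against one scenario."""
    ale_before = scenario.annual_loss_expectancy
    residual_sle = scenario.single_loss_expectancy * (1.0 - control.impact_reduction)
    residual_aro = scenario.annual_rate_of_occurrence * (1.0 - control.rate_reduction)
    ale_after = residual_sle * residual_aro
    loss_avoided = ale_before - ale_after
    net_benefit = loss_avoided - control.annual_cost
    rosi = net_benefit / control.annual_cost
    payback = 12.0 * control.annual_cost / loss_avoided if loss_avoided > 0 else None
    # The article's rule of thumb: never spend more securing an asset than the damage you prevent.
    return RosiResult(control.name, ale_before, ale_after, loss_avoided,
                      net_benefit, rosi, payback, net_benefit >= 0)


def rank_controls(scenario: RiskScenario, controls: Iterable[Control]) -> list[RosiResult]:
    """Order candidates by net annual benefit; options that lose money sort last."""
    return sorted((evaluate(scenario, c) for c in controls),
                  key=lambda r: r.net_benefit, reverse=True)


# Constructed sample data. The first control is the article's own example; the other two are invented.
PHISHING = RiskScenario("Phishing-driven data breach", single_loss_expectancy=10_000, annual_rate_of_occurrence=10)
CANDIDATE_CONTROLS = [
    Control("Mail filtering + awareness training", annual_cost=20_000, rate_reduction=0.5),
    Control("Enterprise DLP suite", annual_cost=120_000, rate_reduction=0.9),
    Control("IR retainer (faster containment)", annual_cost=15_000, rate_reduction=0.0, impact_reduction=0.4),
]

if __name__ == "__main__":
    print(f"{PHISHING.name}: ALE before any control = ${PHISHING.annual_loss_expectancy:,.0f}")
    for r in rank_controls(PHISHING, CANDIDATE_CONTROLS):
        payback = f"{r.payback_months:.1f} months" if r.payback_months is not None else "never"
        verdict = "worth it" if r.worth_buying else "costs more than it saves"
        print(f"  {r.control:38s} ALE after ${r.ale_after:>9,.0f}  net ${r.net_benefit:>+9,.0f}"
              f"  ROSI {r.rosi:+.0%}  payback {payback}  -> {verdict}")
```

Ranking by net benefit rather than by ROSI ratio is deliberate: a cheap control with a huge percentage return may still avoid less loss in absolute terms than a dearer one, and the board cares about dollars saved. The DLP entry shows why the check matters: it prevents 90% of incidents, yet at $120,000 a year against a $100,000 annual loss it can never pay for itself, which is exactly the $20,000-to-prevent-a-$10,000-loss mistake the article warns against.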

Compliance: The next way Cybersecurity gives ROI is in the form of meeting mandatory compliance requirements. Two types of requirement apply here. Firstly, there are government or industry regulations; these vary depending on your location and the industry the company operates in. Secondly, there are contractual obligations: if you're a service provider for another company, the contract may contain clauses requiring certain security controls to be in place. Failing to meet either of these can have serious consequences such as fines, loss of clients, lawsuits and, in severe cases, imprisonment. The return here is the cost of those consequences avoided, weighted by how likely they are.

Reducing ongoing costs: This means finding ways to optimize existing security or business processes so that overall costs go down. Examples include reducing the storage space required (for instance by tuning what logs are retained) or reducing time and effort through automation. This is rarely the sole justification for a security project, but it is a good additional argument.

Meeting Business Objectives: Security is usually part of IT, and IT has specific business objectives it must meet. One of these that overlaps heavily with security is availability. This includes things like recovery time objectives (RTO), recovery point objectives (RPO) and a required level of uptime. Any security project that is essential for, or directly supports, meeting business objectives is much more likely to get support and recognition from management.

Tips for Communicating ROI to Upper Management

  • Give good estimates: Use your best judgement, expertise and software tools to estimate the risk mitigation for each investment. It doesn’t need to be 100% accurate but you should be able to quantify the expected ROI for any risk mitigation project you invest in. 

  • Learn to communicate in the business environment: Security is not just a technical area; its budget is ultimately a finance decision, and the people approving it (often the CFO) think in financial terms. It's important to learn how to frame your ROI in terms of business objectives rather than just talking about "best practices" or "being more secure". It's better if you can talk about things like money saved, specific risks mitigated, compliance obligations met, and recovery time and recovery point objectives achieved.

  • Leverage multiple ROI arguments: Rather than focusing on any one argument, combining multiple arguments to support one project/initiative will greatly increase the chances of success.

Final Thoughts

For all areas of business ROI is important, including Cybersecurity. The ROI of Cybersecurity usually can't be calculated in terms of profit and loss, but it can be shown through mitigation of risk, compliance, reduced cost and the meeting of key business objectives. It's important to understand that more security isn't always better: you should not invest in a security initiative where the cost of securing an asset is greater than the expected damage to that asset. For example, don't spend $20,000 a year to stop a breach that is only expected to cost you $10,000 a year.