How to make sense of your security spending
According to a March 2016 PwC report, "A False Sense of Security", which surveyed 300 Middle Eastern organisations, the region has become one of the prime targets for cyber attacks. In fact, according to the findings in the report, in 2015, 56% of businesses in the region lost more than $500,000 as a result of cyber incidents, compared to 33% globally. Faced with this reality, organisations across the region have upped their IT security spend. However, one of the biggest challenges when you go shopping for new security tools is answering the inevitable question from finance: what is the value?
Determining the ROI of a new security product is not an exact science. There are no hard and fast rules to follow, which is why generic ROI calculators should be avoided at all costs.
Measuring the impact of better security is like measuring a moving target. What is more, every organisation is unique. The setup of an organisation’s existing infrastructure, its size, risk level and the potential impact of a security incident, will vary significantly. Ultimately, this means that successful security strategies can look very different.
On the face of it, most security tools do not appear to save you time or money. They generate new alerts, and investigating and tracking down each new potential threat can swamp an already overburdened security team. That is not to say that security tools have no value, however, and it is by evaluating that value that a CFO can understand the true business case for a security solution.
However, the challenges inherent in defining the ROI for security tools do not decrease the importance of defining this information and articulating it for corporate leaders and the board. The recent explosion in the number of security vendors in the market, offering similar and overlapping solutions with almost identical claims to solve the security problem, makes picking a comprehensive security solution more difficult. The fact that it is increasingly difficult for CIOs and CISOs to understand if and where security gaps still exist does not decrease the importance of helping C-suite executives and the board understand the value of proposed security programs and the importance of resourcing them.
In security, the biggest benefit will always be reduced risk: buy this tool and bad things are less likely to happen. Unfortunately, this argument is highly theoretical and does not translate easily into a business case. It is also likely that the same argument has been used for previous security procurements, and consequently it leads to a debate around the likelihood of data being stolen, a risky game to play.
Instead of trying to estimate the level of risk a company has in terms of security and how likely an attack may be, it is arguably much more important to analyse the time or people a new tool might save and how much more efficient it could make an organisation.
Some key questions to ask are the following.
- Can it automate tedious day-to-day activities?
- Can it reduce requirements for highly skilled, difficult to hire security personnel?
- Will it let tier 1 analysts do the tasks of a tier 2 analyst?
- Will it allow tier 3 analysts to do the work of an incident responder?
- Does it reduce the time it takes to resolve a threat?
- Will it help consolidate the security stack? For example, reduce the number of agents operating on endpoints or the number of network security appliances in your rack?
- Will it reduce the requirements to integrate multiple security devices?
- Will it reduce the number of screens that monitoring personnel have to focus on?
- Can it improve the speed and accuracy of a company’s incident response?
To the CFO, this approach presents clear opportunities to save critical funds and enhance the ROI of security solutions. At the same time, you are reducing the risk to the enterprise of a breach, which is a primary focus of the Board of Directors.
For any organisation it is almost impossible to predict how much a cyber breach could cost, as it is not only a case of compensating victims and losing business revenue, but also of damaged reputation. No one is expecting a CFO or the Board to write a blank check for security, which is why explaining the savings an enterprise can make, in terms of a more efficient security team, lower hardware costs and minimised risk, is paramount to understanding its value.
Jason Mical is Vice President End Point Products at Fidelis Cybersecurity.