Measuring the effectiveness of security investments is a challenge. Companies treat costs spent on cybersecurity more like insurance than a business project: it is recommended, but hard to put a value on. After all, return on investment (ROI) is traditionally calculated based on benefits and cost:
But this equation works only for investments that yield positive results, such as cost savings or revenue enhancements. Security investments neither increase revenues directly nor provide immediate payback, so a different calculation is needed. Their ROI should be based on how much loss the organization could avoid due to the investment.
There are both quantitative and qualitative methods for doing this. I recommend using a combination of both to get the best estimate of the ROI of your security investments.
4 Steps for Evaluating the ROI of Your Security Investments
Step 1: Calculate the Return on the Security Investment (ROSI)
This method was presented by the SANS Institute and is summarized in the quantitative risk analysis formula [note: link opens a PDF]. Unlike the simple ROI formula above, it is based on an assessment of the specific risks that a given security investment will address.
This calculation involves the following components:
Annualized Loss Expectancy (ALE) — The estimated amount of money that will be lost in a single security incident (single loss expectancy) multiplied by the estimated frequency that a threat will strike within a year (annualized rate of occurrence).
Mitigation Ratio — Unlike ALE, this is an approximate number. The best approach is to assess the predicted number of mitigated risks based on a scoring algorithm established in the organization. For example, a company is considering investing in a data discovery solution that is expected to reduce the current data security risk by 85%, so the mitigation ratio equals 85%.
Cost of Solution — This is the only input in the equation that does not depend on a risk estimate. It includes all costs associated with solution purchase, implementation and maintenance. A high overall cost can easily negate the value of a security investment, so it is important to evaluate ROSI before making a purchase.
Even if the data used in the ROSI calculation is inaccurate, using this model in a repeatable and consistent way will enable companies to compare the relative value of different security investments over time.
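The following is an added worked example, not code from the article or from Netwrix, that carries the Step 1 components through the SANS ROSI formula, ROSI = (ALE × mitigation ratio − cost of solution) / cost of solution, with ALE = SLE × ARO as defined above. The candidate controls, their loss figures and costs are constructed for illustration (the 85% mitigation ratio for the data discovery solution is the article's own example); the break-even and uncertainty helpers are additions that address the point about inaccurate inputs, by showing how sensitive a ranking is to the mitigation estimate.

```python
"""Worked ROSI comparison: ALE = SLE x ARO, ROSI = (ALE x mitigation - cost) / cost."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class SecurityInvestment:
    """One candidate control, described with the inputs the ROSI model needs."""
    name: str
    single_loss_expectancy: float     # SLE: estimated loss from one incident
    annual_rate_of_occurrence: float  # ARO: expected incidents per year (may be fractional)
    mitigation_ratio: float           # fraction of the ALE the control is expected to remove (0..1)
    cost_of_solution: float           # purchase + implementation + maintenance, per year


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO, as the article defines it."""
    if sle < 0 or aro < 0:
        raise ValueError("SLE and ARO must be non-negative")
    return sle * aro


def rosi(ale: float, mitigation_ratio: float, cost: float) -> float:
    """SANS ROSI: (ALE x mitigation ratio - cost) / cost.

    The result is a ratio: 2.4 means the control avoids 2.4 times its own cost
    in expected loss beyond paying for itself; a negative value means it costs
    more than the loss it is expected to prevent.
    """
    if not 0.0 <= mitigation_ratio <= 1.0:
        raise ValueError("mitigation ratio must be between 0 and 1")
    if cost <= 0:
        raise ValueError("cost of solution must be positive")
    return (ale * mitigation_ratio - cost) / cost


def breakeven_mitigation_ratio(ale: float, cost: float) -> float:
    """Smallest mitigation ratio at which ROSI is zero (cost / ALE).

    A value above 1.0 means no achievable mitigation can pay the control back.
    """
    if ale <= 0:
        raise ValueError("ALE must be positive to compute a break-even ratio")
    return cost / ale


def evaluate(inv: SecurityInvestment) -> Dict[str, object]:
    """Compute ALE, avoided loss, ROSI and break-even ratio for one candidate."""
    ale = annualized_loss_expectancy(inv.single_loss_expectancy, inv.annual_rate_of_occurrence)
    return {
        "name": inv.name,
        "ale": ale,
        "avoided_loss": ale * inv.mitigation_ratio,
        "rosi": rosi(ale, inv.mitigation_ratio, inv.cost_of_solution),
        "breakeven_ratio": breakeven_mitigation_ratio(ale, inv.cost_of_solution),
    }


def rank_investments(investments: List[SecurityInvestment]) -> List[Dict[str, object]]:
    """Evaluate every candidate and order them by ROSI, best first."""
    return sorted((evaluate(i) for i in investments), key=lambda r: r["rosi"], reverse=True)


def rosi_under_uncertainty(inv: SecurityInvestment,
                           low_ratio: float, high_ratio: float) -> Tuple[float, float]:
    """ROSI at a pessimistic and an optimistic mitigation estimate.

    The mitigation ratio is the least certain input, so a decision should
    survive the pessimistic end of the range, not just the vendor's figure.
    """
    ale = annualized_loss_expectancy(inv.single_loss_expectancy, inv.annual_rate_of_occurrence)
    return (rosi(ale, low_ratio, inv.cost_of_solution),
            rosi(ale, high_ratio, inv.cost_of_solution))


# Constructed sample inputs (illustrative figures, not data from the article).
CANDIDATES = [
    SecurityInvestment("Data discovery solution", 400_000, 0.5, 0.85, 50_000),
    SecurityInvestment("Endpoint backup", 120_000, 2.0, 0.60, 90_000),
    SecurityInvestment("Premium SIEM tier", 50_000, 1.0, 0.90, 80_000),
]

if __name__ == "__main__":
    for r in rank_investments(CANDIDATES):
        print(f"{r['name']:<26} ALE={r['ale']:>10,.0f}  avoided={r['avoided_loss']:>10,.0f}  "
              f"ROSI={r['rosi']:>6.2f}  break-even ratio={r['breakeven_ratio']:.2f}")
    low, high = rosi_under_uncertainty(CANDIDATES[0], 0.60, 0.85)
    print(f"Data discovery ROSI if mitigation is only 60%: {low:.2f} (vs {high:.2f} at 85%)")
```

With these constructed inputs the data discovery solution has an ALE of 200,000, avoids 170,000 per year at the 85% ratio and returns a ROSI of 2.4; its break-even ratio is 0.25, so the purchase still pays off even if the estimate is far too optimistic. The SIEM tier has a break-even ratio above 1.0, meaning no mitigation figure can justify its cost against that ALE. Used consistently across candidates and across years, as the article suggests, the same function makes the relative ranking meaningful even when the absolute figures are rough.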
Step 2: Compare Company’s Risk Profile to Industry Peers
Comparing security budget and strategy with those of other organizations in the same industry can be a good way to check the effectiveness of security investments. Industry-specific research can also help to identify threats typical for companies within one vertical, discover best practices for addressing issues and set baselines.
The best way to get an unbiased analysis is to reach out to an analyst company to get a detailed vertical overview.
Step 3: Assess Company’s Compliance Status
If an organization is subject to a new compliance standard or wants to improve its compliance with an existing one, compliance status can be a good metric for evaluating security investments. Compliance status can include the results of regular internal audits that check whether all processes align with the security frameworks mandated by the standard, analysis of grades on recent regulatory audits, and determination of areas that need improvement.
If cybersecurity investments are not improving compliance status, organizations should investigate why.
Step 4: Evaluate Readiness to Address Incidents
A security simulation is a live training in which one team attacks an infrastructure and another group defends it. Holding security simulations helps test the effectiveness of a security program, check the level of security awareness in the organization and measure the performance of each IT team member. By comparing the results with previous simulations, organizations can track metrics such as how much time the team needed to detect and respond to the attack, and identify individuals who performed better and those who need additional training.
If performed on a regular basis, this type of exercise can serve as a good practical metric of how cybersecurity investments are affecting the organization.
Regularly measuring the effectiveness of cybersecurity efforts is essential to avoid security incidents. There are so many options on the market that IT professionals find it difficult to understand which ones are worth the investment and the implementation effort.
Evaluation of basic security metrics can serve as a good starting point and bring even more benefits if organizations do this on a regular basis. Accurately calculated, security metrics will provide actionable data about how well current IT security strategy and investments are working, determine which areas need improvements, and evaluate proposed new security investments so organizations allocate budget wisely.
About Steve Dickson
Steve Dickson was named Netwrix CEO in April, 2018 after joining the Netwrix board of directors in August 2017. Dickson was previously with Dell, Inc., where he served as Vice President and General Manager of the Windows Platform Management business, as well as VP of Marketing for the Systems Infrastructure Management Group.