Last Updated on August 11, 2022
If you’ve ever tried to calculate return on security investment (ROSI), you probably found it a slippery fish. For starters, what are the costs and impacts of manifesting risks that your InfoSec program is hopefully protecting you against? Without solid risk analysis you can’t do the cost analysis.
How do “the experts” frame meaningful ROSI numbers? A risk-based approach should be a starting point for the analysis.
To share insights into the true cost and value of information security, a recent episode of The Virtual CISO Podcast features James Fair, SVP at Executech. Hosting the podcast as always is John Verry, Pivot Point Security CISO and Managing Partner.
Developing a risk-based matrix
John and James agree that “actuarial data” to justify cybersecurity spend is basically nonexistent. So, what numbers do you put in front of your CFO?
Cross-industry cost insights like those in Verizon’s Data Breach Investigations Report are an excellent support for your risk analysis, which James argues should be the foundation of your ROSI calculations:
“Start with the risk analysis. I think we’ve spent too much time doing inward-facing cybersecurity and we need to look at a risk-based [approach]. We need to create a matrix. If you’ve got a list of all the possible attacks for your industry, an estimated likelihood of those attacks and the severity in the event of such an attack, then you’ve got a matrix you can work with. Now compare that to the solutions required to make that happen. Estimate the cost and the difficulty to implement. Now you’ve got some intelligence you can work with. You can see what’s urgent, you can see what’s going to be easy to knock out, easy to implement. So, I think we really need to move to that risk-based model, and too many companies are just not there yet.”
“You couldn’t follow a better approach,” concurs John. “Every major framework—ISO 27001, SOC 2, CMMC, FedRAMP—all require a good risk assessment at the start of the process.”
The mythical quantitative risk assessment
But John terms quantitative risk assessment “mythical”: “The problem with quantitative risk assessments is we come down to what’s the likelihood of this occurring, and the likelihood of that occurring is… Let’s say we were talking about the likelihood of a tornado hitting you. Even if you lived in Kansas or a place subject to tornadoes, what’s the likelihood that it’s going to hit your building and actually impact you? What’s the likelihood that I get caught in a ransomware attack? Or I have a piece of infrastructure that doesn’t get patched, and someone finds it and hits me with a zero-day? Then what does that end up yielding access too? It’s a challenge no matter how we carve it up, which is probably why we’re having this conversation.”
“It’s an esoteric number that’s tough to find,” James reiterates. “We don’t have enough data yet to do that. I wish we did. That would make this all very clean and cut and easy. But unfortunately, all we’re working with is what we have, which is ridiculous amounts of breaches and growing every single year.”
James further advocates looking at downtime costs: “Let’s say you can recover from [a risk manifesting] just fine. But can you afford to be down for two days, or three days, or a week that it takes you to recover? How many customers will be willing to come back once they find out that you’ve been responsible for a breach of their data?”
Beyond the cost to recover from a cybersecurity event, there are knock-on costs like reputational damage. How much will that cost you in future contracts?
John suggests simplifying all the unknowns down to a worst-case scenario. What would be the impact to your org from a risk manifesting? And could you live with that impact?
“Knowing that there is at least some 10%-ish level of chance of something occurring that has the ability to take your organization that you spent your whole life building, and put you out of business… I guess, maybe we end up at that rule of thumb at some point in time,” proposes John.
To listen to the complete episode with James Fair on calculating cybersecurity cost and value, click here.
What’s an approach to calculating ROI for a specific cybersecurity tool, like SIEM? This blog post shares best practices: Comparing the Cost of “SIEM”: How Much and Time-to-Value