Last Updated on August 11, 2022
On the surface, calculating return on security investment (ROSI) might seem formulaic: First, calculate the monetary value of the reduction in information security risk and/or improved competitive position from a control, product, program or other asset/investment. Then compare that to the cost of implementing the control.
But estimating ROSI is anything but simple most of the time, as hard numbers are tough to pin down.
To “get real” about the cost and value of information security, James Fair, SVP at Executech and an expert on calculating ROI from IT spend, joined a recent episode of The Virtual CISO Podcast. John Verry, Pivot Point Security CISO and Managing Partner, is the podcast host.
Value preservation and value creation
As John points out, the intent and value of information security is (or should be) two-fold:
- Preserve business value by protecting client data, intellectual property, etc.
- Create business value by supporting business goals
“If you think about the value of information security only from a value preservation perspective, it’s sort of like an insurance policy,” John explains. “And how do you value insurance? ‘Hey, I don’t think I’m going to die, but if I die, at least my family’s protected.’”
“Then if you go the opposite way… I think some of our more forward-thinking executives understand that there’s an increasing need to be provably secure and compliant these days. So that’s the value creation part in addition to the value preservation,” adds John.
Adding up benefits from both those components is part of the ROSI challenge. How big is that challenge?
“Do you think that estimating the return on security investment is a possibility?” John asks.
ROSI data points
Calculating ROSI takes experience and creativity.
“It’s a bit esoteric,” concedes James. “There are no hard/fast numbers we can use. I wish there were. There are certainly some we can look at.”
For example, the average ransomware attack costs somewhere between $250,000 and $850,000. That’s a pretty severe hit.
Likewise, it’s hard to put exact costs around reputational damage from a breach. But what if your IP is exfiltrated? This is happening more and more frequently and the cost, while perhaps hard to quantify, could threaten your org’s ongoing viability.
“I’ve had the unpleasant task of trolling an attacker’s site to see the data they were selling online because somebody didn’t pay—and it was just astounding how much was out there,” winces James.
James suggests that cyber liability insurance (CLI) cost parameters can offer some “tangible numbers” for calculating ROSI. Don’t forget to factor in any discount you’re getting for having specific cybersecurity measures in place (e.g., ISO 27001 certification).
How prepared are you for when you’re hacked?
As someone who helps clients analyze cyber risk, James knows the truth of this maxim: You will be hacked.
“It’s a matter of when, unfortunately,” James relates. “So how prepared are you for when that happens?”
To brace for that impending impact, most companies across industries spend just 3-5% of their IT budget and less than 1% of total revenue, in James’ experience. That number keeps going up, for sure. But it’s still very low in relation to presumed cyber risk.
Microsoft’s CSO said they were going to spend $1 billion each year on cybersecurity, if you want to judge against that,” James offers.
What would an average optimal cybersecurity spend number be?
James thinks “a good target” would be $1,300 to $3,000 per employee. But as John observes, that’s probably more applicable to enterprises, but too low for most SMBs.
“If you’re a 25-person company that processes someone else’s data and you need an ISO 27001 certificate, you’re spending $4,000 per employee just to get the ISO certificate, let alone all the other stuff,” John asserts. “So, I guess what we just learned is that there really is no general rule of thumb. It depends on what your information security requirements are.”
To hear this show with James Fair on cybersecurity cost and value, click here.
Wondering if CMMC certification worth it for SMBs in the DIB? This blog post does the math: CMMC 2.0: Is Certification Worth the Cost and Risk?