Maximizing Return on Investment With Your Security Budget


Demonstrating return on investment for security spend can be difficult. The cost of a breach is often cited to demonstrate the spend on technology, personnel or services, but this doesn’t always articulate the best business case for the budget, shares Andy Collins, chief security officer, Node4.

In the face of growing and varied cybersecurity threats, making every penny of a security budget count is critical. For instance, within the last year, 60% of organizations had experienced a cyberattack, and 29% of these reported weekly attacks. Ransomware demands are reaching new records: the average ransom payment rose to $570,000 in 2021, an 82% increase on the previous year.

While having clear, strong security measures in place shows a clear commitment to customers and suppliers, deciding how to spend your security budget to get the best return on investment (ROI) is not straightforward. It isn’t easy to assign a monetary value to the benefits of your security spending, as it can be difficult to see exactly what you are achieving when money is often being allocated as a preventative measure.

Indeed, part of the problem can be that organizations tend to focus on the negative consequences attached to security spend. For instance, many will calculate the cost of a breach to justify the money spent on technology, personnel or services. While this is perhaps understandable, focusing on ‘what we need to spend to stop things going wrong’ doesn’t always help build an effective business case for investing in security.


Effective Security Investment

Instead, organizations should be looking at how effective investment can demonstrate a positive business-focused return. For instance, does demonstrating best practice provide the assurance and confidence that customers are looking for, and is it high up their shopping list?

In some sectors, security is among the core decision-making criteria, particularly where regulation and compliance play an important role. There may also be a need to pass an external audit, or a supply chain/bid procurement process might be dependent on a demonstrably strong security strategy.

In any of these circumstances, demonstrating security ROI is not just about mitigating loss and damage if something goes wrong. It’s about raising standards and doing a better job than your rivals – something which can demonstrate a more tangible financial return.

Without a doubt, organizations adopting a best practice approach to cybersecurity can also enhance the protection of critical assets, such as intellectual property. It can also reduce the risk of disruption to business as usual activities and protect critical data.


Risk and Reward

Even though best practice can be challenging to quantify, it is typically aligned to business strategy or to regulatory or compliance requirements. Investing in it, however, sends a strong message to partners and customers that there is a deep and long-term commitment to delivering effective cybersecurity.

Some cybersecurity-specific regulations, such as those relating to data privacy, are mandated irrespective of industry sector, while others are focused on industry verticals (such as FCA, ITAR, HIPAA). Part of the challenge is that regulatory frameworks can often be left open to interpretation. The result is that organizations have to try to establish what they should be doing to comply.

Similarly, some see compliance standards such as PCI-DSS as a significant investment, even though they promote the adoption of important security practices, such as ongoing penetration testing, phishing exercises, the adoption of a SIEM and network resilience.

Organizations subject to external audits will usually need to react to their output, conclusions and recommendations. In most cases, audits will reflect regulatory or the organization’s group requirements. Gaps identified from an audit can require additional budget or budget to be reallocated, which places a strain on organizations that haven’t planned for this expenditure.

When there is a contractual obligation to reach certain security objectives or standards, or they must be in place as part of a procurement process, organizations design their approach according to their risk appetite.

Adhering to contractual obligations, however, is one circumstance where security truly demonstrates tangible ROI. Whether it’s maintaining existing service agreements, providing continual assurance to customers that obligations are being met or even something more specific, such as streamlining the onboarding process for new customers, the business impact of a strong security strategy can be enormous.

Focusing on these priorities can significantly help organizations demonstrate their level of performance and commitment – and contribute to demonstrating ROI. And while it’s true that identifying and monitoring the return on investment from the typical security budget can be challenging, it’s an important part of building an effective strategy that provides the strongest possible protection from the investment available.
