The challenges of ROI in IT security
Over the last few months, I’ve had a number of conversations about the need to justify security spending. This year has been tough for a lot of organizations, so IT budgets are generally not growing. Plus, the money already allocated often had to be re-prioritized to meet changing business needs. At the same time, executives and board members become painfully aware of today’s cyber risks and the cost of not paying attention. They expect the IT team and IT security leaders to provide solid data points that enable the most effective security investment decisions.
That’s where many companies I talk to run into an unexpected roadblock. For decades, IT (and IT security) has been treated as a purely technical discipline, and top technical professionals were promoted into IT leadership positions. They can walk you through any sophisticated technology question, but not all of them speak the “business” language. This makes it tough for both sides of the conversation to come to productive decisions.
Another challenge for many IT leaders is a lack of factual data to rely on. In technology, you work with facts, and you have precise and defensible measurements. For example, you can report on the number of incidents over a given period of time, or the time needed to patch a vulnerable server. But how do you show the expected return on a security investment without stepping into the realm of assumptions and probabilities? This pushes a lot of IT pros, myself included, out of their comfort zone.
Let’s use these insights as an opportunity to see what’s out there.
The four pillars of ROI
When I have a chance to talk about security investments, whether in people, processes or technology, I always try to ask one question: How do you think this can pay off? The answers vary greatly, but they can be distilled into one or more of these four categories:
- This investment will save us money by reducing ongoing costs.
- This investment will help us comply with contractual obligations or industry or government regulations.
- This investment will reduce our business risks (by reducing probability, impact or both).
- This investment will enable us pursue new business opportunities.
All four elements seem to be good reasons to invest. But where does each of these fit in the conversation, and how do you put it all together? Let’s look at each element in turn.
Operational cost savings
Cost savings is one of the most obvious measures of ROI, especially when the CIO or head of IT is also responsible for security. If a project enables you to reduce storage space, consolidate licenses, or reduce time and effort through automation, you can calculate the returns with reasonable certainty.
The caveat here is to understand this should never be the only reason for the investment. The main goal of IT security is to manage risk, and you’re doing yourself a disservice with any project that does not start there. However, cost savings works great as an additional reason to invest in something that reduces a risk the company cares about.
Organizations know they must comply with relevant regulations simply to continue staying in business. Many IT security teams leverage this and position new security initiatives as a must for compliance. It’s not uncommon to hear a tip like “use compliance to fund your security initiatives” in professional communities or conferences.
In general, it is true that regulations attempt to set minimum guidelines for securing certain types of data or activities. However, no regulation can give you a universal guidebook for securing your specific business against the current threats at a particular moment in time.
Compliance can be an effective way to start an ROI conversation and get attention in a less mature organization where the executive team is less aware of the real risks. However, it is potentially thin ice: You should never give in to a false sense of security based on ticking all the boxes of any compliance checklist.
Another pitfall you want to avoid is creating the perception that IT security team is a “necessary evil” that executives will tolerate and even fund, but would happily get rid of if they could.
I am definitely not arguing you should not bring up compliance in a budgeting conversation. On the contrary, you should be aware of the current and anticipated regulatory requirements for your industry and jurisdiction. However, similar to operational cost reduction, I think it would be a mistake to over-rely on compliance as the primary way to justify a security investment.
The primary goal of any IT security organization is risk management and mitigation. But understanding risks can be complicated: Is a newly discovered vulnerability a risk for your particular company? Should you pay attention to the news about state-backed APT groups like Lazarus?
The key is to match IT security risk management to the overall business risk management in your organization. Defense or financial organizations usually have a mature and established risk management strategy, sometimes with a dedicated role of Chief Risk Officer; if your organization has someone in that position, that’s who you want to learn from. But every organization is constantly making decisions about risk. Often, this responsibility falls to the CFO and the CEO. I believe you should seek their advice to build an aligned and consistent risk management strategy for the organization. Failing to do so creates additional work and can leave the organization exposed to real threats that IT overlooked due to lack of business involvement.
This brings us back to the challenge that I started with: How do you measure risk and expected savings? I won’t even try to unpack it all in one post; there are long books on the subject (here’s a good one: “How to Measure Anything in Cybersecurity Risk” by Douglas W. Hubbard and Richard Seiersen).
You will have to rely on expert opinion to estimate the cost or risk and the level of reduction. However, this does not mean you need to just guess. There is a two-way approach to avoiding guesses:
- Learn from inside. Learn from your business risk management process, and try to be consistent with it. You’ll need to establish a connection with the C-suite in order to do this, and you’ll need their input on the estimated losses.
- Learn from the outside. See if there is a relevant CISO group or forum you can join to learn from the experience of other companies. Another good source is industry research, such as the “Cost of Data Breach Report” by the Ponemon Institute, sponsored by IBM.
Don’t overcomplicate this — agree on an approach and use it consistently. After a few quarters, you will be able to see (and prove) trends and be able to adjust if needed.
You might well have heard talks about “security as business enabler” at various industry events in the last few years. Most people seem to agree this is a great idea, but not many organizations succeed in delivering on this promise.
As with other aspects of ROI, communication is crucial here. You have to build connections and stay in touch with the executive team and business unit leaders. That way, you will have a chance to make security a part of each new project discussion — and an inseparable part of the implementation plan — from the very beginning.
Since you’re not the owner of a new business project, you cannot estimate the size of the returns on the opportunity overall. However, you don’t have to. I recommend referring to these new initiatives in your ROI conversations, but without trying to provide specific numbers.
I started to work on this post in order to summarize my personal takeaways from all the conversations I had this year about ROI in security. Here’s my list:
- Use your judgement and expertise to estimate the risk mitigation for each investment. You don’t have to be precise; accept imperfection. Remember that risk management expertise probably exists elsewhere in your company — try to learn from those people and leverage the same approach. Use the tools and data available to you.
- Learn to speak the business language. Security is not (only) a technical issue. There’s a lot you can learn from the CFO or CRO and the CEO, and you can use these conversations to help them learn more as well. Building a comprehensive risk management program that encompasses financial, reputational and security risks will help your business become stronger on all fronts.
- Keep communication lines open with leaders across the business. Security investment can (and often should) be part of new projects and new opportunities. Help business leaders see security not as a cost center, but as a strategic initiative.
- Leverage and balance all four ROI arguments. Although risk reduction should be the starting point, always consider how the same dollar spent can help your organization achieve compliance, reduce operational costs and/or support business opportunities.