
Calculating ROI for Cybersecurity Budgets

Cybersecurity is generally considered a cost center in most companies, meaning it doesn’t generate revenue for the company. This can make it difficult to demonstrate the importance and effectiveness of a cybersecurity program because there aren’t easily defined metrics, like revenue, for evaluating its performance. However, there are ways cybersecurity leaders can demonstrate ROI in a way that business leaders can easily understand. In this article we will help break down how to calculate your cybersecurity ROI and justify your budget.

What is ROI in Cybersecurity?

To defend your budget and make it clear to the higher-ups why security is important you need to be able to quantify how you are adding value. There are four main pillars of ROI when it comes to cybersecurity: 

  • Reducing ongoing costs 
  • Compliance with contractual obligations or regulatory compliance 
  • Reduced business risks 
  • Allowing you to pursue new business opportunities 

Whenever you’re communicating with leaders in the company and trying to highlight the benefit of their investment in security, you should highlight one or more of these four pillars. Each of these pillars can have a big impact on the company’s bottom line. For the operational metrics that you can use to show ROI, you can find a full list here.

Calculating ROI for Cybersecurity

One way to demonstrate cybersecurity ROI is with a formula that shows business leaders how a security control reduces overall cost. The following graphic created by the Center for Information Security illustrates this formula: 

[Graphic: Calculating Cybersecurity ROI]

By using the annualized rate of occurrence and calculating the amount that each instance of occurrence would cost the company, we can quantify how much money an individual security control can save a company by reducing the probability of that event happening. For example, if the average business email compromise (BEC) costs a company $5,000 and happens 10 times per year, the annualized loss is 10 × $5,000 = $50,000. A control that reduces the occurrence of BEC by 50% (saving $25,000) and costs $5,000 then has a net benefit of $25,000 − $5,000 = $20,000.
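As an added example (not code from the article or from rThreat), the BEC calculation above carried through in Python, then applied to a constructed list of candidate controls so they can be ranked by return when, as discussed further below, the budget will not fund everything. Only the $5,000-per-incident, 10-per-year BEC figures come from the article; the control names and all other figures are assumed.

```python
"""ALE (annualized loss expectancy) and net benefit / ROSI for security controls.

Added example; the candidate controls below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float   # what the control costs per year
    mitigation: float    # fraction of incidents it prevents, 0.0 .. 1.0


def ale(single_loss: float, annual_rate: float) -> float:
    """Annualized loss expectancy = cost per incident x annualized rate of occurrence."""
    if single_loss < 0 or annual_rate < 0:
        raise ValueError("loss and rate must be non-negative")
    return single_loss * annual_rate


def net_benefit(single_loss: float, annual_rate: float, control: Control) -> float:
    """Annual loss the control avoids, minus what the control costs."""
    if not 0.0 <= control.mitigation <= 1.0:
        raise ValueError("mitigation must be a fraction between 0 and 1")
    return ale(single_loss, annual_rate) * control.mitigation - control.annual_cost


def rosi(single_loss: float, annual_rate: float, control: Control) -> float:
    """Net benefit per dollar spent (return on security investment)."""
    if control.annual_cost <= 0:
        raise ValueError("ROSI is undefined for a zero-cost control")
    return net_benefit(single_loss, annual_rate, control) / control.annual_cost


def rank_controls(single_loss: float, annual_rate: float, controls, budget: float):
    """Greedily fund controls in ROSI order; skip ones that lose money or exceed budget.

    Assumes each control's savings are independent of the others; overlapping
    controls against the same threat would overstate the combined saving.
    """
    chosen, remaining = [], budget
    for c in sorted(controls, key=lambda c: rosi(single_loss, annual_rate, c), reverse=True):
        if net_benefit(single_loss, annual_rate, c) <= 0 or c.annual_cost > remaining:
            continue
        chosen.append(c.name)
        remaining -= c.annual_cost
    return chosen


BEC_LOSS, BEC_RATE = 5_000.0, 10.0   # the article's example: $5,000 per BEC, 10 per year
CANDIDATES = [                       # constructed candidates, not from the article
    Control("awareness training", 5_000.0, 0.5),
    Control("email gateway", 12_000.0, 0.6),
    Control("expensive appliance", 40_000.0, 0.7),  # costs more than it saves
]
```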


Justifying Security Investments to Business Leaders

Now that we understand what needs to be communicated, the next important step is ensuring you are communicating with the right people. Usually, cybersecurity falls under finance, and therefore you need to bring these metrics to the CFO to convince them of why you’re worth investing in. If you’re unable to get access to the CFO, at the very least the procurement and finance departments should be involved. Fortunately, many companies are starting to see the benefits of cybersecurity, which makes these conversations much easier. According to a survey by Cisco, 89% of respondents said that their executive leadership considered security to be a high priority. Therefore, once you bring them the right information, you have a good chance of getting a positive response.

To make sure you can report on ROI, you need to ensure that you have the infrastructure to collect that information daily. To do this, CSO Online suggests making investments in cyber operations such as advanced analytics and process automation. Not only do these increase overall efficiency and performance, but they allow you to measure what is going on in your environment more effectively, for example the amount of malware that was quarantined per month. These metrics will be important when you want to report to upper management.

Even if you take all these steps, it’s possible that a budget cut may be inevitable. Especially in situations like this one, where the pandemic has caused many companies to lose business, you may need to work with less money than you had before. You still want to make a strong case so that your budget cut will be as small as possible, and then focus on prioritizing how you are going to spend the money you do have on the most important threats. This is where you rely on threat modeling to determine what the most important areas are and focus on those areas that will give you the biggest ROI.

You must ensure that you are using quantifiable metrics to demonstrate the ROI of your cybersecurity programs. At the end of the day, business comes down to profit and loss, so you need to show the monetary benefit of cybersecurity to upper management. The exception would be if a control is required for some type of compliance. When communicating to the higher-ups, be sure to target the CFO and finance teams, since that is who security generally reports to within the company. For this reason, it’s useful to have business-minded people on the security team who will be able to present this information in a way that business-oriented people will be able to understand and see its value. CSO Jon Oltsik warns that cybersecurity leaders should be keeping track of and logging information like: “How to measure and report incremental and ongoing advancement they achieve with risk management, security efficacy, and operational efficiency.” 

To help with this, rThreat provides breach and attack emulation technology to help evaluate whether your investments are justified. Our security assessments enable companies to understand how well their security controls and processes are working so they can eliminate ineffective solutions and optimize existing tools and processes. Learn more about how rThreat can help justify your cybersecurity ROI by requesting a demo here.

Do you want to learn more about cybersecurity? Please subscribe to our newsletter.