Return on investment: is it worth the money?
That is the central question in deciding on any procurement. Demonstrating
ROI on cybersecurity products is notoriously difficult and is one of the underlying reasons for the poor state of our nation’s cybersecurity posture.
Ah, but here’s the rub: showing tangible ROI on cybersecurity products is difficult because it rests on hypothetical situations. “If we didn’t have this product, we would have been breached 17 times instead of three” – that's hard to prove. Consequently, many security professionals in both the public and private sectors look askance at claims of ROI and decide it is a lost cause when evaluating cybersecurity products.
Even so, demonstrating the value of a security expenditure is essential to obtain continued funding and support.
How is it possible to demonstrate ROI without relying on imaginary scenarios?
Suppose your agency has procured and deployed a threat-intelligence sharing system. Did security staff respond to more intrusions before the deployment?
If the number is lower and can be attributed to the system, that’s great. Perhaps a more pertinent metric, though, is the ratio of attempted intrusions to successful breaches: did the percentage go down? If so, you can demonstrate tangible ROI by including the labor rate of the employees responding to incidents.
POA&M (Plan of Action & Milestones) closure is another metric: are you closing them more quickly than before the procurement? If so, are the closures attributable to the system you installed? How does the projected cost of closing a POA&M compare to the actual cost? Projected costs are somewhat speculative, of course, but this approach at least uses some concrete financial metrics.
Some Security Incident and Event Management (
SIEM) systems charge by the byte for data processing. Are there pre-processing systems that can normalize and de-duplicate the data going to the SIEM, thus reducing the cost of ownership for SIEM?
Some metrics are difficult to translate to dollars and cents, but by expanding the notion of ROI to include quantifiable metrics, it is possible to demonstrate how a specific expenditure is providing measurable improvement.
For instance, a new
phishing detection system might catch a larger number of illicit e-mails than the old one. Translating the improvement to nickels and dimes may be difficult, but it is nonetheless measurable and specific, qualities which the bean-counters always appreciate.
I suggest, then, that we revisit the notion of ROI in cybersecurity. There may be creative approaches to justify a procurement monetarily, but even reliable non-financial statistics go a long way to obtaining budget money to improve a security program.
About the Author: As Chief Cybersecurity Technologist for DLT, Don Maclean formulates and executes cybersecurity portfolio strategy, speaks and writes on security topics, and socializes his company’s cybersecurity portfolio. Don has nearly 30 years’ experience working with U.S. Federal agencies.
Before joining DLT in 2015, Don managed security programs for numerous U.S. Federal clients, including DOJ, DOL, FAA, FBI, and the Treasury Department. This experience allowed him to work closely with the NIST Risk Management Framework featured in this article, and to understand its strengths and weaknesses. In addition to his CISSP, PMP, CEH, and CCSK certificates, Don’s holds a B.A. in Music from Oberlin, an M.S. in Information Security from Brandeis Rabb School, and is nearing completion of his second Bachelor’s in Mathematics.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.
