When evaluating enterprise security tools for their effectiveness, it can be challenging to find the right model for calculating your Return on Security Investment (ROSI).
Just a few years ago, the cost attributed to a security breach was assessed mostly as damage to a business' reputation; only a relatively small number of cases ever resulted in significant legal costs or a sustained loss of service.
But with GDPR (as well as an increasing number of international laws) bringing new fines to consider, and with the number and sophistication of security intrusions growing steadily over the last few years, assessing both the likelihood and the resulting impact of a breach is increasingly imperative and demands ever more robust assessment of your security expenditure.
Working Out How You Get the Best "Bang for Your Buck"
The most popular model I’ve seen deployed for security budget scoping in the real world is based simply on cost: asking what is the most I can get for my dollar within my budget (or, quite simply, where can I get the best “bang for my buck”).
This is a useful starting place for establishing budget sizing, but for even this simple methodology to work, it is necessary to assess the “bang” aspect, and it is here that things become more challenging.
To put a financial model around security “value,” we can set the objective of mitigating as much risk as possible, preferably up to the point where the cost of implementing an additional control is roughly equal to the savings it brings from avoided security incidents; beyond that point each additional dollar spent on controls costs more than the loss it prevents.
This is where concepts like Foundational Controls offer a sensible way of making this problem tractable. By identifying measurable controls (especially industry-supported ones like those developed for PCI compliance), both tools and processes can be evaluated and implemented with measurable “per item” costs attributed in many cases.
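As an added illustration (not code from the original post), the following Python models the cost-benefit objective described above: each candidate control carries an annual cost and an estimated annual reduction in expected loss, ROSI is computed as (loss avoided − cost) / cost, and controls are accepted in order of benefit per dollar while the marginal control still pays for itself and fits the budget. The control names, costs and loss figures are constructed for the example and are not real estimates.

```python
"""Added example: a simple "bang for your buck" ROSI selection model.

Not from the original post.  All control names and figures are constructed
for illustration; the loss-avoided numbers are assumptions, not estimates.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float   # licence plus people time, per year
    loss_avoided: float  # estimated reduction in annual expected loss


def rosi(loss_avoided: float, cost: float) -> float:
    """Return on security investment as a ratio; negative means it loses money."""
    if cost <= 0:
        raise ValueError("cost must be positive")
    return (loss_avoided - cost) / cost


def select_controls(candidates, budget):
    """Greedy selection by loss avoided per dollar.

    Controls are ranked by benefit/cost ratio.  Each is accepted while
    (a) its own ROSI is positive, i.e. marginal benefit exceeds marginal
        cost (once one control fails this, every lower-ranked one does too,
        so we stop), and
    (b) it fits in the remaining budget (otherwise it is skipped and the
        next cheaper control is considered).
    Returns (chosen names, total spent, total loss avoided).
    """
    ranked = sorted(candidates,
                    key=lambda c: c.loss_avoided / c.annual_cost,
                    reverse=True)
    chosen, spent, avoided = [], 0.0, 0.0
    for c in ranked:
        if rosi(c.loss_avoided, c.annual_cost) <= 0:
            break
        if spent + c.annual_cost > budget:
            continue
        chosen.append(c.name)
        spent += c.annual_cost
        avoided += c.loss_avoided
    return chosen, spent, avoided


def portfolio_rosi(candidates, budget):
    """ROSI of the whole selected portfolio."""
    _, spent, avoided = select_controls(candidates, budget)
    return rosi(avoided, spent)


# Constructed candidate list (hypothetical figures).
CANDIDATES = [
    Control("patch management", 40_000, 200_000),
    Control("multi-factor authentication", 25_000, 150_000),
    Control("log monitoring", 120_000, 180_000),
    Control("data loss prevention suite", 90_000, 60_000),   # costs more than it saves
    Control("spam filtering", 10_000, 30_000),
]

if __name__ == "__main__":
    chosen, spent, avoided = select_controls(CANDIDATES, budget=150_000)
    print("chosen:", chosen)
    print(f"spent {spent:,.0f}, loss avoided {avoided:,.0f}, "
          f"portfolio ROSI {portfolio_rosi(CANDIDATES, 150_000):.2f}")
```

With the constructed figures and a 150,000 budget the model picks MFA, patch management and spam filtering, skips log monitoring because it no longer fits the remaining budget, and never reaches the DLP suite because its ROSI is negative. The weak point of any such model is the loss-avoided estimate, which is exactly the "bang" the post says is hard to assess.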
These Foundational Controls provide you one part of your security suite – preventive mechanisms that aim to provide a defensive shield around IT systems.
Invest in Monitoring Tools
But this isn’t the whole picture for a balanced security portfolio. Investment in detective controls, which aim to detect security violations when they occur, is increasingly common, because no preventive control provides absolute security that stops every intrusion.
These tools can come in the form of monitoring that helps determine whether a system is really under attack and, if so, the type and extent of the attack, by analyzing log files and audit trails.
In tandem with preventive and monitoring tools, there are also the process-related costs that are part of your security solution. IT security policies and procedures should aim to address an organization’s responses to a suspected security breach, as well as provide proactive behaviors for maintenance and other services such as security training.
And whilst we’re considering all of these aspects of your security investment, you can also start assessing how many of these technical responses can be executed automatically rather than manually.
Assessing the Human Element
I’d note that in all of these domains there is a human skill requirement behind your security activities too. Even the best automation tools require maintenance and security data analysis to prove useful. So, whilst automation can be an important aspect of improving the cost-benefit of a security solution, I see far fewer companies evaluating the true return on these automation technologies.
Every dropped packet on a firewall is hard to equate to a security gain, but consider the risk of slow connectivity caused by a DDoS attack against the cost of buying that bandwidth in the first place.
A different scoring mechanism applied to spam email would account for “wasted time.” Here, again, big numbers will show up (hopefully reflecting successful spam identification and blocking), and these can be translated into a productivity gain: one less spam mail to deal with per employee quickly adds up over time.
Finally, a robust metric should also account for the Service Desk time spent retrieving false positives in the spam scenario, along with the cost to the end user of a delayed legitimate mail.
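As an added example (not from the original post), the following Python turns a spam filter's counters into the net “wasted time” benefit just described: time saved per correctly blocked message, minus Service Desk time to retrieve each false positive and the recipient's delay on the legitimate mail. It also computes the false-positive ratio at which the filter stops paying for itself. The per-message minutes, hourly rate and counter values are assumptions chosen for illustration.

```python
"""Added example: converting spam-filter metrics into a net productivity benefit.

Not from the original post.  All rates and counts are assumptions.
"""


def spam_filter_net_benefit(blocked, false_positives, *,
                            minutes_per_spam=0.5,
                            desk_minutes_per_fp=15.0,
                            user_delay_minutes_per_fp=10.0,
                            hourly_rate=50.0):
    """Net annual benefit in currency units.

    Gain: each correctly blocked spam saves the recipient minutes_per_spam.
    Cost: each false positive costs Service Desk time to retrieve it plus
    the recipient's own time dealing with the delayed legitimate mail.
    A negative result means the filter is costing more time than it saves.
    """
    saved_hours = blocked * minutes_per_spam / 60
    lost_hours = false_positives * (desk_minutes_per_fp + user_delay_minutes_per_fp) / 60
    return (saved_hours - lost_hours) * hourly_rate


def break_even_false_positive_ratio(*, minutes_per_spam=0.5,
                                     desk_minutes_per_fp=15.0,
                                     user_delay_minutes_per_fp=10.0):
    """False positives per blocked message at which the net benefit is zero.

    Above this ratio the time spent recovering false positives exceeds the
    time saved by blocking spam, so tuning the filter more aggressively
    would lower, not raise, its return.
    """
    return minutes_per_spam / (desk_minutes_per_fp + user_delay_minutes_per_fp)


if __name__ == "__main__":
    # Constructed annual counters for a hypothetical organisation.
    blocked, fps = 2_000_000, 400
    print(f"net benefit: {spam_filter_net_benefit(blocked, fps):,.0f}")
    print(f"break-even FP ratio: {break_even_false_positive_ratio():.3f}")
```

With the assumed rates, two million blocked messages and 400 false positives net out to roughly 825,000 in recovered time, and the filter only turns negative once false positives exceed about 2% of what it blocks, which is the kind of threshold worth checking before counting a large "blocked" number as pure benefit.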
So, how do we make sure that we’re really getting the best “bang for your buck”?
Tools that provide metrics that can be converted into human benefits are a sensible place to start, both in terms of making your security team more productive and in making sure that your risk is minimized whilst your service offering remains functionally available. Starting with tools and processes that identify risks and provide suitable assessment reporting and scoring alongside mitigation strategies means you will be able to move quickly from just assessing threats to measuring the rewards of investing in good security.