How to calculate the ROI of cyber threat defense

Feb. 6, 2017
Being able to financially quantify the benefits of risk mitigation to the C-Suite is paramount for security execs

As any executive knows, keeping a close watch on the bottom line is a critical element of ongoing success. For CIOs, CTOs and CISOs, finding a way to keep costs down while maximizing protection against potential security breaches is a familiar struggle. The difficulty often lies in the paradox that exists when one is essentially investing in something that has not yet occurred. Further complicating matters is the fact that many organizations are employing a complex multitude of systems, applications and defense mechanisms which can make establishing quantifiable return-on-investment (ROI) a prohibitive undertaking.

Yet, the potential financial impact a successful breach can have certainly justifies the upfront and ongoing expense required to adequately prevent one from occurring. One only needs to peruse the headlines to see evidence of how costly a security incident can be – both monetarily as well as reputation-wise. More importantly, it’s becoming increasingly evident that no one is safe from becoming a victim of today’s sophisticated online hackers. Businesses of every shape, size and industry would be wise to take heed and put the appropriate measures in place to keep their networks and sensitive data safe from harm.

So how, then, can one effectively capture the return on this important if not essential investment? Despite the countless news articles and leading experts predicting the steady and ongoing increase in amount and complexity of criminal activity online, many key decision makers still insist on seeing real, measurable results in order to justify the value of having an established, solid threat detection plan in place. The good news is, with the right strategy, calculating and communicating this ROI is entirely possible.

Start with the Basics

Before you can adequately assess ROI, you need to have a clear and documented understanding of all of the costs and benefits associated with your threat defense strategy. First there are the costs involved in the overall cybersecurity plan you have in place (i.e. monitoring systems, incident response software, IT security personnel, etc.). These expenses are easily measurable, but if you’re not contrasting them with the right information, they can easily scare away even the most open-minded board member.

To balance your expenditure properly, the next calculation will likely be a little bit more abstract. That is, you’ll need to identify and capture, as accurately as possible, the costs associated with a security compromise. For instance, the following factors can and often do influence cost:

  • Percentage of incidents that lead to an actual breach
  • Percentage of threats that are major incidents
  • Average cost of a major incident
  • Percentage of threats that result in minor incidents
  • Average cost of a minor incident
  • Average annual growth of security threats and incidents

At an organizational level, there are additional factors that must also be accounted for. Ideally, these numbers would be captured prior to implementing a comprehensive threat management strategy, as this will allow you to more closely measure the additional savings achieved by the new strategy, whether it’s adopting better software, deploying automation technology, or some combination of these.

By way of example, these calculations might look something like this:

  • Average number of incidents per day
  • Number of incidents being addressed daily using current resources
  • Gap between addressed and unaddressed incidents
  • Number of incidents addressed daily using new incident management strategy

The figures obtained from these calculations will allow you to pinpoint or at least approximate the amount of money a potential security breach could cost your organization. With that number in hand, the savings achievable by avoiding those financial implications can be determined.

Delving Deeper

Another important thing to point out is that the ROI of good threat defense stretches far beyond the basics covered above. Recognizing these additional benefits can help strengthen and solidify a case for enhanced incident management. One area upon which many fail to capitalize, particularly in terms of justifying potential savings, is in the incident response realm. Far too often, the focus lies squarely on prevention, when in reality it’s the remediation that can truly quantify the return.

The truth is, when it comes to security breaches, it’s quite often not the actual incident that has the greatest impact, but rather the time it takes to identify, isolate and resolve the issue before it has a chance to cause further damage. This mean time to resolution (MTTR) is where the true value of threat intelligence lies.

According to recent reports, the majority of organizations today find out about a security breach by an external third party, such as their bank or a government body. The time it takes to identify said compromise averages somewhere around 320 days. For breaches that are detected internally, this number drops to around 56 days, which is still a significant amount of time to allow a successful incident – and the hackers behind it – to have a field day with your network, systems and sensitive data.

Complicating matters is the speed with which a compromise can occur. One recent industry report indicates that more than 80 percent of cybersecurity breaches happen in mere minutes. The vast canyon between compromise and detection is alarming to say the least and that’s not even taking into consideration the amount of time it takes to actually recover once a security incident is discovered.

It is estimated that about 60 percent of MTTR is spent determining the root cause of the actual problem. The rest is spent mitigating damages and working to achieve a complete resolution. When system outages or any other type of downtime are part of this process, you should increase the cost of compromise accordingly.

The Value of Reducing MTTR

With the right technology, such as IT automation, significant savings can be realized in MTTR alone. Calculating these savings involves a two-step process. Start by determining the total yearly cost of incidents by applying the following formula:

Number of Monthly Incidents X Time to Resolve Each Incident X Cost of Personnel Per Hour X 12 months = Annual Cost of Incidents

Keep in mind that the type and severity of incidents will vary, so you may wish to use this formula to determine the cost associated with each incident priority level. In other words, your priority one (P1) incidents will have a different resolution time and associated cost than that of P2 and P3 incidents. Additionally, the costs associated with support personnel may also vary based on level and skillset. For instance, P1 incidents might require the expertise of both L1 and L2 teams, so calculate accordingly.

Once you’ve determined your annual cost of incidents, the second step involves calculating your annual savings. This can be done by using the estimated percentage of reduction in resolution time that your applied technology delivers. The formula looks like this:

Annual Cost of Incidents X Reduced Time to Resolution (%) = Annual Savings

On the conservative end, some experts believe the average reduction in time to resolution a good automation tool could potentially deliver hovers somewhere between 50 and 75 percent. That means if your annual cost of incidents is $350,000 you could potentially be saving anywhere from $175,000 to $245,000 each and every year. There aren’t too many decision makers who wouldn’t appreciate those kinds of numbers.
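The two-step calculation above, broken out by incident priority level as the text recommends, together with the daily coverage gap from the "Start with the Basics" section, as an added Python example (not code from the article or from Ayehu). The priority levels, monthly volumes, resolution hours and the L1/L2 hourly rates are constructed sample values.

```python
from dataclasses import dataclass

# Constructed sample hourly rates for the support tiers (assumed, not from
# the article). P1 incidents engage both tiers, so their cost per hour is
# the sum of the two.
RATES_PER_HOUR = {"L1": 50.0, "L2": 100.0}


@dataclass
class PriorityLevel:
    name: str
    incidents_per_month: float
    hours_to_resolve: float       # mean time to resolve one incident
    teams: list                   # support tiers engaged, e.g. ["L1", "L2"]

    def personnel_cost_per_hour(self, rates=RATES_PER_HOUR) -> float:
        # Combined hourly cost of every tier working the incident.
        return sum(rates[t] for t in self.teams)

    def annual_cost(self, rates=RATES_PER_HOUR) -> float:
        # Step 1 of the article: incidents/month x hours x cost/hour x 12.
        return (self.incidents_per_month * self.hours_to_resolve
                * self.personnel_cost_per_hour(rates) * 12)


def total_annual_cost(levels, rates=RATES_PER_HOUR) -> float:
    return sum(lvl.annual_cost(rates) for lvl in levels)


def annual_savings(annual_cost: float, reduction: float) -> float:
    # Step 2 of the article: annual cost x reduced time to resolution,
    # with the percentage expressed as a fraction (0.5 for 50 percent).
    if not 0.0 <= reduction <= 1.0:
        raise ValueError("reduction must be a fraction between 0 and 1")
    return annual_cost * reduction


def daily_coverage_gap(avg_per_day: float, addressed_per_day: float) -> float:
    # Incidents left unaddressed each day with current resources (never < 0).
    return max(0.0, avg_per_day - addressed_per_day)


# Constructed sample priority levels (not the article's figures).
SAMPLE_LEVELS = [
    PriorityLevel("P1", 10, 8.0, ["L1", "L2"]),   # 10 * 8 * 150 * 12 = 144,000
    PriorityLevel("P2", 40, 4.0, ["L1"]),         # 40 * 4 *  50 * 12 =  96,000
    PriorityLevel("P3", 180, 1.0, ["L1"]),        # 180 * 1 * 50 * 12 = 108,000
]

if __name__ == "__main__":
    cost = total_annual_cost(SAMPLE_LEVELS)
    print(f"Total annual cost of incidents: ${cost:,.0f}")
    for pct in (0.50, 0.75):
        print(f"  {pct:.0%} faster resolution saves ${annual_savings(cost, pct):,.0f}")
    print(f"Daily coverage gap: {daily_coverage_gap(230, 200):.0f} incidents")
```

Run stand-alone it prints the per-level totals for the sample data; applied to the article's $350,000 figure, a 50 percent reduction yields the $175,000 quoted in the text.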

For the most part, today’s IT executives are fully capable of understanding the importance of investing in cybersecurity. When it comes to convincing others, however, there may be a bit more work involved. Knowing what data to take into consideration and how to transform that data into quantifiable evidence can help you better drive home the value of threat detection as not just an ancillary component of IT, but a fundamental ingredient in the ongoing safety and success of the organization as a whole.

About the Author: Gabby Nizri is the CEO of Ayehu, Inc. Ayehu provides IT Process Automation and Orchestration solutions for IT and security professionals to identify and resolve critical incidents and enable rapid containment, eradication and recovery from cybersecurity breaches.