The concern of most business executives is the company’s bottom line. They focus on cost-benefit analyses and on ensuring that investments provide a hefty return. Return on investment is a practical and simple calculation for most business decisions, but not for modern cybersecurity and compliance measures. To figure security ROI, business owners and IT department heads must move away from purely revenue-focused thinking. Instead, they must project not only revenue generation but also cost savings, productivity improvements, and reductions in risk and loss.
In the simplest terms, ROI measures the financial benefits of an investment relative to its costs. Most business owners naturally believe this means revenue generation, but that’s only part of the story. In its entirety, ROI is a mathematical expression and representation of how an investment contributes to an organization’s profitability and well-being.
To assess the ROI of security measures more completely, organizations must determine how security elements affect the tangible and intangible aspects of operations. For example, does installing access control systems improve productivity and aid loss prevention? Does investing in secure network architecture, encryption, and intrusion detection reduce insurance premiums?
While some security investments can prove obviously profitable, such as installing a security and compliance system, most prove their value through prospective or predictive analysis. Still, according to research, successful implementation of cybersecurity measures sees, on average, a 179% ROI.
Though not every benefit of a comprehensive security program is quantifiable, a lack of profit data does not make the intangible benefits any less valuable or desirable. To understand the overall reach of security systems and real-world security ROI, decision-makers must consider both the tangible and intangible benefits.
Tangible benefits provide clear and discernible value. These benefits of security installations include loss prevention, efficiency improvements, incident reductions, incident response savings, and possible insurance savings.
Security measures like surveillance cameras and access control systems act as theft deterrents while streamlining access to facilities. Proper measures can reduce time spent at security checkpoints and improve employee accountability. Most companies build expected theft and project delays into their budgets as losses; security investment can reduce those projected losses, providing measurable data for ROI projections.
Intangible benefits, though more challenging to quantify, still offer real value to the organization. These benefits include reputation protection, legal compliance, business continuity, competitive advantage, and peace of mind.
Security systems prioritize privacy and safety, both admirable qualities for consumers and trade partners. The systems also reduce the risks of breaches that can hurt brand image and hinder corporate and consumer trust. While not as quantifiable as lower insurance premiums, intangible benefits offer significant real-world value.
To calculate, understand, and interpret the return on investment for security measures, decision-makers must take an accounting of physical and information assets as well as determining potential costs associated with losses or breaches. Understanding what they are protecting and placing a dollar value on the assets, including loss projections, creates a clearer picture of the ROI of security installations.
Assets may include obvious things, such as products, and intangible things, such as employee data or protected health information. Losing any of these assets presents genuine tangible and intangible financial losses.
To protect assets and guard against losses, and so to determine the proper security measures, companies must also identify threats and vulnerabilities. A threat is anything with the potential to cause an unwanted outcome; examples include lawsuits, theft, and natural disasters. Vulnerabilities are weaknesses in the security infrastructure, also defined as the absence of a safeguard, that a threat can exploit.
Finally, companies must perform an asset valuation to calculate the ROI of a security measure. The valuation helps determine which assets are worth protecting and helps establish a hierarchy or priority list; it also provides a dollar value to help calculate security ROI. Asset values should include total life cycle costs — initial and ongoing, including production or R&D — and address their criticality to the organization and its operations.
To determine costs associated with asset losses, a company can use four metrics: exposure factor (EF), single loss expectancy (SLE), annualized rate of occurrence (ARO), and annual loss expectancy (ALE).
A company must understand each asset’s value to calculate these metrics. For example, a company experiences a theft of 10 laptops valued at $2,000 apiece. However, the actual value also comprises the information on the laptops: each stolen laptop contained personally identifiable information, so the theft is also a significant data breach. Based on past thefts of unencrypted data, the company expects an additional loss of $23,000 per laptop, bringing the total asset value per laptop to $25,000.
Security ROI can vary per asset based on the exposure factor — the percentage of asset value lost after an incident. In this example, the EF of the computer and data theft is 100% because the company lost the entire asset.
Single loss expectancy is the asset value multiplied by the EF. In the example, the SLE is $25,000.
The annualized rate of occurrence is the expected number of times the loss event occurs in a year. In the example, the event is the theft of one laptop holding sensitive unprotected data, and the company lost 10 of them, so the ARO is 10. (If the whole batch is instead treated as one incident, the SLE becomes $250,000 and the ARO 1; the annual loss expectancy below comes out the same either way.) If the company then puts in security measures that prevent a recurrence, the ARO used for future projections drops accordingly.
Finally, the annual loss expectancy is the SLE multiplied by the ARO. In the example, the ALE represents the total loss of the incident: $250,000.
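The four metrics above, carried through in code for the laptop-theft scenario and then used to compare candidate safeguards by the loss they avoid. This is an added example, not code from the original article. The per-laptop figures ($2,000 hardware plus $23,000 expected breach cost), the exposure factor of 100%, and the ARO of 10 come from the text; the three controls, their annual costs, and their assumed effect on EF and ARO are illustrative assumptions. The return-on-security-investment calculation uses the widely used form (loss avoided minus cost of the control, divided by cost of the control), which the text does not itself spell out.

```python
"""Quantitative risk metrics (EF, SLE, ARO, ALE) and return on security
investment for the laptop-theft scenario. Added example; the asset values
and baseline EF/ARO follow the text, the controls are assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    """An asset whose value includes the data it carries, as the text describes."""
    name: str
    hardware_value: float
    data_value: float  # expected breach cost if the data on it is exposed

    @property
    def value(self) -> float:
        return self.hardware_value + self.data_value


@dataclass(frozen=True)
class Control:
    """A candidate safeguard (illustrative assumption, not from the text)."""
    name: str
    annual_cost: float
    protects_data: bool  # e.g. full-disk encryption: stolen data stays unreadable
    aro_after: float     # expected loss events per year once the control is in place


def exposure_factor(asset: Asset, data_protected: bool) -> float:
    """Fraction of the asset's value lost per incident.
    With the data protected, only the hardware value is lost."""
    return asset.hardware_value / asset.value if data_protected else 1.0


def single_loss_expectancy(asset_value: float, ef: float) -> float:
    """SLE = asset value x exposure factor."""
    return asset_value * ef


def annual_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x annualized rate of occurrence."""
    return sle * aro


def rosi(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """Return on security investment in percent:
    (loss avoided - cost of the control) / cost of the control x 100."""
    if annual_cost <= 0:
        raise ValueError("control cost must be positive to compute a return")
    return (ale_before - ale_after - annual_cost) / annual_cost * 100


def evaluate(asset: Asset, ef_before: float, aro_before: float, controls: list) -> list:
    """Compute ALE before and after each control and the resulting ROSI."""
    ale_before = annual_loss_expectancy(single_loss_expectancy(asset.value, ef_before), aro_before)
    rows = []
    for c in controls:
        ef_after = exposure_factor(asset, c.protects_data)
        ale_after = annual_loss_expectancy(single_loss_expectancy(asset.value, ef_after), c.aro_after)
        rows.append({
            "control": c.name,
            "ale_before": ale_before,
            "ale_after": ale_after,
            "avoided_loss": ale_before - ale_after,
            "annual_cost": c.annual_cost,
            "rosi_pct": rosi(ale_before, ale_after, c.annual_cost),
        })
    return rows


# Values from the text: $2,000 hardware + $23,000 breach cost, EF 100%, ARO 10.
LAPTOP = Asset("laptop holding PII", hardware_value=2_000, data_value=23_000)
BASELINE_EF = 1.0
BASELINE_ARO = 10

# Assumed controls, costs and effects (illustrative, not from the article).
CONTROLS = [
    Control("full-disk encryption", annual_cost=20_000, protects_data=True, aro_after=10),
    Control("badge access control and cable locks", annual_cost=40_000, protects_data=False, aro_after=4),
    Control("encryption plus access control", annual_cost=60_000, protects_data=True, aro_after=4),
]

if __name__ == "__main__":
    for row in evaluate(LAPTOP, BASELINE_EF, BASELINE_ARO, CONTROLS):
        print(f"{row['control']:40s} ALE ${row['ale_before']:>9,.0f} -> ${row['ale_after']:>9,.0f}"
              f"  cost ${row['annual_cost']:>7,.0f}  ROSI {row['rosi_pct']:7.1f}%")
```

With these assumptions the baseline ALE is $250,000. Encryption alone leaves the thefts happening but shrinks the EF to 8% (only the hardware is lost), giving the highest ROSI; combining both controls leaves the smallest residual ALE but a lower ROSI, because the extra spend buys less avoided loss per dollar. That distinction, highest return versus lowest residual risk, is the decision the metrics are meant to surface.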
The typical formula for ROI is the net gain from an investment divided by the cost of the investment, multiplied by 100 to give a percentage. For security investments the formula changes, because the gain is the financial benefit of incidents avoided rather than revenue earned. There are three variations of the ROI formula:
Security ROI depends on making educated calculations and investing in tools and security features that save money and increase efficiency. Not all decisions generate revenue, but the right investments will increase profitability and performance. Check out Compyl for an all-in-one information security and compliance platform that automates the CISO role, saving companies money and time.