Department store mogul John Wanamaker once famously said, “I know half of the money I spend on advertising is wasted, and the trouble is that I don’t know which half.”
I imagine a lot of business leaders occasionally have the same thought about their spending on cybersecurity initiatives. They know they must fully fund cybersecurity defense efforts in the face of new, rapidly evolving, and potentially devastating threats, and increased cybersecurity spending usually gets support in the corner office and in the board room. But that’s not to say that organizational leaders are sure what’s paying off and what isn’t.
“One of the biggest challenges we face in cybersecurity is determining how to measure the impact of your cybersecurity spending against business goals in delivering return on investment,” according to Naveen Zutshi, chief information officer at Palo Alto Networks. “CEOs and board members have been asking about the impact of all our security spending, and those are important questions to answer: Have we reduced our risk posture? Do our customers trust our brand more? Are we protecting the right things today, and are we properly aligned with the foreseeable future risks?”
So, how much of the approximately $114 billion expected to be spent on cybersecurity in 2018 is hitting the mark, and how much is delivering less-than-optimal results? And, more to the point, how will you make that determination?
One of the first steps is to acknowledge that there are both direct and indirect costs of security events. Research indicates that the global average cost of a data breach is now $148 per compromised record, and that the total cost, per-capita cost, and average size of a data breach have all increased year-over-year. For data breaches where more than 50,000 records are compromised, the average cost is an eye-opening $6.9 million, and “mega-breaches”–those with more than 1 million compromised records–cost an average of $39.5 million.
There’s no debating the hard-dollar economic impact of cybercrime in all its many strains. Take just one: synthetic identity fraud, creating a fake identity to gain access to goods or services. The economic impact on financial institutions is massive; recent research from the Aite Group notes that this one malevolent form of ID fraud is responsible for as much as 30% of all credit write-offs, resulting in annual losses of as much as $9 billion. And that’s just one slice of one slice of the overall cybersecurity threat landscape.
But for some organizations, the indirect costs may be even greater. After all, what is a brand’s reputation worth if customers lose trust in an organization’s ability to protect their most personal information? And the financial penalties incurred for compliance violations, or the legal damages suffered in a lawsuit, can pale against the impact of blaring headlines or scolding pundits railing against a company, government, or industry for failing to safeguard its most sensitive data.
Determining true ROI for your cybersecurity investments must take into account not only which attacks were suppressed before extensive damage was done and records were exfiltrated, but also which ones were blocked before they ever made it past the firewall. To do that, you need to make sure your monitoring and management systems are based on a comprehensive platform architecture, rather than on a hodgepodge of point products with little or no coordination among them.
It also means you have to embrace automation in a big way, so as to reduce the need to throw more and more bodies at a problem that can and should be handled with predictive analytics tools, as well as artificial intelligence and machine learning. You cannot build an army of security analysts big enough to fight off the bad guys. Many have tried, and it cannot be done, because the state of the art in cybercrime is moving far too fast for manual approaches to keep up.
This is a critical element in determining cybersecurity ROI, because so much of the economic impact of cyber events–from garden-variety malware and phishing to advanced persistent threats and malevolent ransomware–depends on what is likely to happen in the near future as attackers employ increasingly stealthy and sophisticated techniques against new, vulnerable targets.
Think of all those new kinds of endpoints proliferating across your organization’s landscape: notebooks, tablets, and smartphones under your BYOD policies; cloud-based services, from file-sync-and-share to the SaaS applications relied on throughout the organization; and, of course, the flood of connected things that attackers target in weaponizing seemingly innocent copiers, door alarms, and RFID-enabled loading docks.
Organizations can also start to get a handle on developing a more sophisticated, more accurate ROI profile of cybersecurity investments by undertaking forensic analysis of recent security events. That kind of analysis can be done by expert security consultants, but there also are some pretty good digital tools you can deploy for your own analysis.
Whatever ROI analysis approach you take, it’s also important to evaluate your findings in context. What do other organizations of your size experience when using a particular intrusion-detection strategy? Or others in your industry? That’s not to say that you should make decisions simply by mirroring what others are doing–after all, every organization’s challenges and business goals are unique. What may be a satisfactory ROI figure for one organization can be pitiful for another.
And ROI must be measured and evaluated in a business context: How do our cybersecurity investments map to our business goals? That way, you can determine whether a seemingly big-ticket investment is a better choice than a couple of smaller, less expensive ones–or the other way around. After all, if your number-one business goal is to provide a superior online shopping experience, you’ll likely be more comfortable investing in a seemingly expensive identity theft detection-and-prevention solution than you would be if your top goal were to increase inventory turns.
Finally, spending money on cybersecurity–just like spending money on everything from marketing promotions to new headquarters facilities–must be framed against a critical issue: Security and IT organizations are ultimately spending other people’s money. “You’re making tough, essential choices on how best to use shareholders’ money,” said Zutshi. “And it’s not just a decision made by the CIO or CISO; all business executives and board members have a fiduciary responsibility to make decisions on cybersecurity spending that help them achieve specific business outcomes.”
And unless you have clear, relevant metrics on the impact of your cybersecurity spending and its alignment against key business goals, you don’t know if your money is well-spent or wasted.
Just like John Wanamaker feared.
Mike Perkowski, co-founder of New Reality Media, is an award-winning journalist who founded, led, or helped develop some of the most successful and influential high-tech media properties of the past several decades.