How to show an ROI on cybersecurity spends

It’s not easy to justify cybersecurity spends based on financial gains. Read tips on how to improve the odds.

fundign.jpg

anyaberkut, Getty Images/iStockphoto

One of the toughest jobs that cybersecurity professionals face is convincing C-suite executives there is an actual Return On Investment (ROI) from cybersecurity spends. There are ways to eliminate the ROI disconnect between the C-suite and the IT department, says the author of the Hitachi Systems Security blog Cybersecurity Budgeting 101: How to Optimize Your Security Spend for Maximum ROI.

When it comes to seeing an ROI, the author writes:

“With security spending on the rise, IT and security professionals find themselves confronted with the latest and greatest security tools, technologies, and services that supposedly help protect their organization’s critical assets. More often than not, ‘figuring out a cybersecurity budget is often a mix of emotion and guesswork.'”

While working through a budget for cybersecurity, the article suggests asking the following questions:

  • What is the spending for? 

  • What is the spending limit?

  • How will the spending’s effectiveness be determined?

The author of the Hitachi post, realizing the questions are somewhat nebulous, published how they would answer the above questions.

SEE: 2021 IT budget research report: COVID-19’s impact on projects and priorities (TechRepublic Premium)

Know what you are trying to protect and why

More about cybersecurity

It seems more than a few organizations implement security measures and strategies without taking stock of the company’s digital assets. That leads to being unsure what needs protecting and what’s critical for ensuring continued business success. 

If an internal inventory is out of the question, the article suggests that getting “A cybersecurity assessment from an independent security expert can help figure out what exists, where to start, and how to reach company goals.” 

Put simply, understanding why a security spend is needed will help legitimize the expense, avoid wasteful spending, and make better decisions.

Define your risk appetite

The Institute of Risk Management defines risk appetite (in part) as, “The amount and type of risk that an organization is willing to take in order to meet their strategic objectives.” 

According to the author of the Hitachi post, this means security-spending decisions should be guided by:

  • How much risk decision-makers are willing to take;

  • What the business impact of a data breach would be; and

  • What it will cost to achieve adequate data-protection measures.

“Your organization’s risk appetite will have to be discussed and defined in collaboration with your executive management team, Board of Directors and other key players as necessary,” explains the post. “Once properly defined, your risk appetite can guide your team in setting clear objectives that will support your vision and are in line with your risk tolerance.”

SEE: Risk Management Policy (TechRepublic Premium)

Align your security spend with potential losses

Interestingly, the article suggests something often overlooked by IT departments, but not by those occupying the C-suite. “One of the core principles of effective cybersecurity budgeting is making sure the amount spent on cybersecurity does not outweigh the potential monetary impact a cybersecurity incident may have,” writes the author. “In other words, don’t spend more money trying to protect something that would cost you less to lose.”

Beware of promising security technologies

It’s not difficult to see it’s a seller’s market when it comes to security technology. Security Information and Event Management (SIEM) software is singled out as a technology to be leery of. The article’s author notes, “It (SIEM) is often costly to acquire and even a bigger hurdle to configure and maintain.”

When deciding whether to keep your security operations in-house or to outsource them, company size is obviously important. Enterprise-sized companies will have internal resources, time, and budget to deal with security on their own. It might be best for smaller companies to contract with reputable security-service providers who have expertise and are up to speed with current conditions and security threats. 

SEE: How to handle cybersecurity amid a tight IT budget (TechRepublic)

Measure the effectiveness of your security strategy

Lord Kelvin (William Thompson) has been loosely quoted as saying: “If you cannot measure it, you cannot manage it.”

According to this State of Cybersecurity Metrics Report, most organizations fail to measure the effectiveness of their cybersecurity platform with regard to industry best practices and performance indicators. The Hitachi article’s author suggests that, “Before investing portions of your budget in cybersecurity tools, have the capability to measure their effectiveness once they’re implemented in your organization.”

Key takeaways

The article concludes by acknowledging there is no golden rule for cybersecurity spends. The author offers these final tips:

  • Cybersecurity spending ultimately will be judged on its relevance and effectiveness.

  • Focus on what matters to the business, and the maximum ROI will follow.

It is important to understand that cybersecurity is a human issue, not a technical one. Cybersecurity needs are as individual as each business and only optimized via intervention by human experts. 

Also see