There’s no ROI in Security. So, How Do You Build a Business Case for Added Investment?
A year ago, we discussed the importance of getting your executive team on board with modernizing your organization’s IT security solutions. We went so far as to recommend specific guidelines that anyone can use to make the case for modernizing their security tools. One key recommendation was to create a roadmap for modernization that the C-suite could clearly understand. As we put it in that post:
“Don’t just tell the C-suite what the company should have; draw them a map. Show them how the upgrades and new IT security solutions will be implemented, such as by prioritizing critical upgrades first. The C-suite will want to know exactly how you plan to accomplish upgrading the security and technology of the environment, and the clearer picture you’re able to draw, the more confidence they’ll have in your plan.”
The C-suite saw your point and agreed to move forward? That’s great! But don’t think you’re now off the hook. Executives will want evidence that their investment in these security tools is actually improving the organization’s security posture, and the obvious form they will ask for it in is a return on investment (ROI) for the new products.
That’s easier said than done. In this blog post, I’ll explain why ROI is difficult to calculate for security products and then, accepting those limits, cover several ways you can still show how the new tools are contributing to the organization’s security posture.
Why ROI Is Difficult to Calculate in Terms of Security Products
Calculating ROI is, at least in theory, straightforward: subtract the cost of an investment from the gain it produces and divide by the cost. The problem for security is that the gain is normally measured in revenue, and security spending produces no revenue. To see how this plays out, consider “The Global State of Online Digital Trust,” a white paper published by Frost & Sullivan for CA Technologies. The researchers found that 27 percent of business executives believed security investments have a negative return on investment, that is, that they lose money. This finding led the report’s authors to conclude that “over one quarter of executives are tone deaf to modern security challenges and data breach implications and have not learned from previous mistakes.” Mistakes indeed: the same research found that three quarters of respondents had at some point been involved in a publicly disclosed data breach.
So what explains such a narrow view of security and ROI?
Isaac Kohen took up this question in a 2017 article for CSO. He noted that security products don’t generate revenue; they save an organization the costs it would otherwise incur from a digital attack. ROI, which presumes a revenue gain, therefore paints an inaccurate picture. More specifically, Kohen observed that security products operate on a single opportunity cost, which many in the industry call “loss prevention,” and argued that resource preservation and risk mitigation, not increased revenue, should drive the ROI calculation for security investments.
How to Show a Return on Security Solutions
Taking Kohen’s perspective to heart, we’d be wrong to talk to the board about a particular security solution’s ROI. Instead, we should frame the discussion around how a new solution helps the organization avoid losing money and resources across a range of business factors.
Here are a few business forces that are particularly relevant both to security and to executives.
- Cloud migration: Many organizations are moving to the public cloud or planning a hybrid cloud environment. That decision may support a digital transformation that streamlines operations and reduces overhead, but as we noted in an earlier blog post, it also opens the door to new threats. Controls built for on-premises assets don’t all carry over to cloud-based ones, and vice versa, so you need solutions that protect the entire IT infrastructure rather than one half of it.
- Persistent skills gap: The right tools help you beat the skills gap by letting fewer people do more. A solution that uses automation, for instance, reduces the overall workload of a security expert and compensates for less experienced staff. By automatically consolidating related alerts into a single incident, such a solution spares analysts from investigating each isolated alert on its own and frees them to concentrate on more important tasks. Likewise, network security tools that detect malicious lateral movement can feed what they see back to existing perimeter controls, improving the effectiveness of those controls and cutting workload further by automating the response.
- Changing data protection laws: As we probably all know by now, many of the new data protection regulations carry hefty penalties for noncompliant organizations. British Airways could tell you what it costs to fall short of GDPR. At the same time, individual states are passing their own laws, such as the California Consumer Privacy Act (CCPA) and New York State’s SHIELD Act, each with its own penalty scheme. All of these laws underline the financial incentive to invest in robust security products that help us maintain compliance.
- Breach consequences for investors: As we recently noted in a blog post about the C-suite’s responsibilities in a breach, public criticism or a sense of personal responsibility sometimes drives executives to resign after a data breach. The damage doesn’t end there, and it can spiral: a hefty fine cuts into profits, funds get diverted from other areas to cover it, and with less to spend on R&D and marketing, among other things, the company loses its competitive edge and its reputation suffers. Investors ultimately bear that cost, as they did at Capital One and Equifax following their respective security incidents.
The Way Forward
Ultimately, organizations can’t convey ROI for security products in the traditional sense. They need to frame new security investments in terms of loss prevention, as the business forces above illustrate. Toward that end, look for sophisticated solutions that address those business challenges: for example, a solution that reduces the security team’s workload (by minimizing false positives and consolidating isolated alerts into context-rich incidents that speed remediation), blunts the impact of the skills gap, and frees IT resources for more strategic goals, such as migrating to the public cloud.
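To make the “consolidating isolated alerts into context-rich incidents” claim from the skills-gap bullet and the paragraph above concrete, here is a small correlation routine. It is an added example written for this post, not code from any product the post describes. It groups alerts from several tools by host within a time window, then merges host groups that are joined by a network alert naming a second internal host that was active at the same time, so a lateral-movement chain lands in one incident rather than several unrelated tickets. The alert records, host names, tool names and the 30-minute window are all constructed assumptions for illustration.

```python
"""Correlate isolated alerts into incidents (added example, constructed data)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set

# Assumption for this example: alerts on the same host within 30 minutes of
# each other describe the same activity.
WINDOW = timedelta(minutes=30)


@dataclass
class Alert:
    ts: datetime
    host: str
    source: str                  # tool that raised it, e.g. "edr", "ids", "proxy"
    kind: str
    peer: Optional[str] = None   # network alerts only: the other internal host


@dataclass
class Cluster:
    """All alerts from one host with no gap longer than WINDOW between them."""
    host: str
    alerts: List[Alert]

    @property
    def start(self) -> datetime:
        return self.alerts[0].ts

    @property
    def end(self) -> datetime:
        return self.alerts[-1].ts

    def covers(self, ts: datetime) -> bool:
        return self.start - WINDOW <= ts <= self.end + WINDOW


@dataclass
class Incident:
    hosts: Set[str]
    alerts: List[Alert]
    lateral_movement: bool

    @property
    def sources(self) -> Set[str]:
        return {a.source for a in self.alerts}


def cluster_by_host(alerts: List[Alert]) -> List[Cluster]:
    """Step 1: split each host's alerts into runs separated by more than WINDOW."""
    clusters: List[Cluster] = []
    open_cluster: Dict[str, Cluster] = {}
    for a in sorted(alerts, key=lambda x: x.ts):
        c = open_cluster.get(a.host)
        if c is None or a.ts - c.end > WINDOW:
            c = Cluster(a.host, [])
            clusters.append(c)
            open_cluster[a.host] = c
        c.alerts.append(a)
    return clusters


def correlate(alerts: List[Alert]) -> List[Incident]:
    """Step 2: merge host clusters joined by a network alert whose peer host
    was itself raising alerts around the same time (a lateral-movement link)."""
    clusters = cluster_by_host(alerts)
    parent = list(range(len(clusters)))          # union-find over clusters

    def find(i: int) -> int:
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    for i, c in enumerate(clusters):
        for a in c.alerts:
            if a.peer is None:
                continue
            for j, other in enumerate(clusters):
                if other.host == a.peer and other.covers(a.ts):
                    parent[find(i)] = find(j)

    groups: Dict[int, List[Cluster]] = {}
    for i, c in enumerate(clusters):
        groups.setdefault(find(i), []).append(c)

    incidents = []
    for members in groups.values():
        merged = sorted((a for c in members for a in c.alerts), key=lambda x: x.ts)
        hosts = {c.host for c in members}
        incidents.append(Incident(hosts, merged, lateral_movement=len(hosts) > 1))
    return sorted(incidents, key=lambda inc: inc.alerts[0].ts)


def summarize(incidents: List[Incident]) -> Dict[str, int]:
    """The numbers an analyst cares about: how many tickets, not how many alerts."""
    return {
        "alerts": sum(len(i.alerts) for i in incidents),
        "incidents": len(incidents),
        "lateral_movement": sum(i.lateral_movement for i in incidents),
    }


def t(hhmm: str) -> datetime:
    return datetime(2023, 5, 2, int(hhmm[:2]), int(hhmm[3:]))


SAMPLE_ALERTS = [  # constructed for this example; not real telemetry
    Alert(t("09:00"), "ws-01", "edr", "office_macro_spawned_powershell"),
    Alert(t("09:02"), "ws-01", "proxy", "beacon_to_new_domain"),
    Alert(t("09:03"), "ws-01", "edr", "office_macro_spawned_powershell"),
    Alert(t("09:10"), "ws-01", "ids", "smb_admin_share_access", peer="srv-02"),
    Alert(t("09:11"), "srv-02", "edr", "new_service_installed"),
    Alert(t("09:12"), "srv-02", "edr", "lsass_memory_read"),
    Alert(t("11:30"), "ws-07", "proxy", "beacon_to_new_domain"),
    Alert(t("11:31"), "ws-07", "proxy", "beacon_to_new_domain"),
    Alert(t("14:00"), "ws-01", "edr", "office_macro_spawned_powershell"),
]

if __name__ == "__main__":
    for inc in correlate(SAMPLE_ALERTS):
        print(sorted(inc.hosts), len(inc.alerts), sorted(inc.sources), inc.lateral_movement)
    print(summarize(correlate(SAMPLE_ALERTS)))
```

Run as a script, the nine constructed alerts collapse to three incidents: the workstation-to-server chain (six alerts from three tools, flagged as lateral movement), a repeat beacon from a second workstation, and a later, unrelated macro alert on the first workstation that falls outside the window. The window length and the rule for linking hosts are the two knobs a real product tunes; too wide a window merges unrelated activity, too narrow one splits a single intrusion back into the isolated alerts the post is arguing against.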