Cyber security measures are invaluable. However, the return on investment (ROI) doesn’t always communicate this. In fact, even IT security experts have difficulty measuring the ROI of their product.
A survey run by the Infosecurity Europe 2016 summit revealed that the majority of cybersecurity professionals measure the ROI on less than 25% of what they spend on security.
Our research revealed that many organizations struggle to accurately measure the return on IT investment and have little confidence that the money is being used effectively. This lack of accountability creates a gap between the security team and the C-suite, leaving the organization vulnerable. – Gavin Millard, EMEA technical director, Tenable Network Security.
Part of the problem could be that IT security investments are investments in protecting against loss; if they’re working properly, the effect shows up as maintained company value rather than as a visible gain.
Can You Measure the Value of Security?
ROI might not be an accurate term for the value of IT security, but that won’t stop company directors from asking for it. One way to determine the value of your security is through a method called annualised loss expectancy (ALE).
ALE is calculated by multiplying the cost of a security breach by the chance of being breached in a year. The average cyber breach costs a small company £90,000, and in the UK, 60% of small businesses experienced an attack. Multiplying the two (£90,000 × 0.6) gives £54,000, which means that a small business in the UK should feel comfortable spending £54,000 on IT security each year.
Keep in mind that there is no point in spending £54,000 on IT if it isn’t enough to protect you. This is another problem with determining the value of IT security. If you don’t have the best, you’re more likely to be hacked, meaning you’ll have to spend more on that security to prevent a loss that might ultimately be less than what you’re spending.
So Why Invest in Security?
The security team needs to understand the business needs of the organization, define and map security requirements based on those needs, collect relevant metrics and measure their success…. This is one of the best ways to not only demonstrate the value of IT, but also ensure security across the entire IT environment. – Millard
Collecting metrics may not be the most effective way of measuring ROI, and certainly isn’t the way it’s done on other investments. However, the alternative is turning off your IT security and seeing how much value your company loses. The American National Security Agency has determined that during a breach of security, victims of a cyber attack can lose up to US$40,000 per hour.
Like we said, though, it’s difficult to figure out how much to spend on adequate security without wasting money. That’s where the experts come in.
IT experts find it difficult to determine ROI on security because ROI has no place in the context of security. No one invests in cyber security because of its famed returns; they do it to avoid losing their ROIs on other investments. Figuring out the right price of this security is our job; we come up with protection plans that match not only your budget but your business requirements too.
If cyber security ROI is important to you, or if you’d like our help setting up a cybersecurity system, then please get in touch.