Dear CISO, What is the ROI of our investments in cybersecurity?

For many CISOs, “what is the ROI of our cybersecurity tools?” is one of the most difficult questions they face during a board meeting. It sounds like a simple question, but it is not an easy one to answer. CISOs often go astray and fall back on operational security metrics, such as mean time to patch. Board members and senior leaders, however, have little grasp of operational security metrics; what they are trying to understand is which measures the organization is taking to reduce risk and how effective those measures are. That is essentially the definition of security ROI: the reduction in risk, expressed in monetary terms, that results from investing in a security tool.

Improve collaboration with your CFO and other leaders

Being able to measure and report security ROI allows you to collaborate with your CFO. With ROI metrics in hand, your CFO can help you better communicate the value of existing and future security investments to the board of directors. ROI metrics also facilitate discussions with IT and other business owners to obtain the necessary resources to implement and maintain security tools.

The calculation of the return on investment

One way to demonstrate the ROI of a security investment is to calculate the breach risk reduction in monetary terms. Breach risk is equal to the probability of breach (%) multiplied by the impact of breach ($), so an investment can pay off by lowering either factor. For example, the likelihood of breach could be reduced by investing in a browser isolation solution to lower the risk from phishing. Similarly, an investment in backup software could reduce the impact of a breach by allowing you to protect your assets from ransomware, quickly restore encrypted data, and avoid paying a ransom.

An example

Let’s look at an example of how to calculate ROI for a security control such as an endpoint detection and response (EDR) solution, which reduces the probability of breach by providing better visibility into attacks on your endpoints and faster response times. In this example, you are considering buying additional EDR licenses (the tool currently protects your laptops) in order to cover a critical group of servers. If the cost of the additional licenses (including deployment) is $200,000 and the resulting reduction in breach risk is $2 million, you have a 10x ROI.

Asset visibility is necessary to provide business context to security ROI

Having established why and how to calculate the ROI of security controls, we should note that there are prerequisites to being able to do so. For example, you must have a good inventory of assets. Specifically, you need to know where each security control is deployed and understand the context around the assets that your controls protect.

You must also be able to calculate the impact of a breach. That impact can be determined by examining the type, role(s), access, users, and other attributes of each asset. To assess the business criticality of an asset, you must consider both its inherent properties (e.g., asset category, business unit) and its contextual properties (e.g., features, applications, user privileges, and interaction with other assets). For example, the impact of a breach is significantly higher for central servers containing sensitive data than for personal smartphones on your guest network. Similarly, an attack on your company’s source code repositories is likely to have a bigger impact than one on the guest check-in kiosks in your building’s lobby.

Unfortunately, many organizations have no idea what assets they have in their environment, or the business importance of those assets.
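The breach-risk arithmetic described above, carried through on a small asset inventory, as an added example that is not part of the original post and is not Balbix’s calculator. The asset attributes, the impact weighting (sensitive data doubles the impact, each privileged user adds 10%), the breach probabilities and the assumed EDR effectiveness are all constructed values, chosen so the totals land on the post’s own figures: $2 million of breach risk removed for a $200,000 license expansion, a 10x ROI.

```python
"""Breach-risk ROI model for a security control (added illustration).

This is example code written for this post, not Balbix's calculator and not
code from the original article. It implements the formulas the post states:

    breach risk ($) = probability of breach x impact of breach ($)
    ROI             = risk reduction ($) / cost of the control ($)

Asset attributes, probabilities, the impact weighting and the EDR
effectiveness figure are constructed sample values, chosen so the totals
land on the post's worked numbers ($2M reduction, $200K cost, 10x ROI).
"""
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass
class Asset:
    name: str
    category: str               # inherent property: server, laptop, kiosk ...
    business_unit: str          # inherent property
    holds_sensitive_data: bool  # contextual property
    privileged_users: int       # contextual property
    breach_probability: float   # 0.0 .. 1.0 with the controls in place today
    base_impact: float          # $ impact of a breach of this asset on its own


def breach_impact(asset: Asset) -> float:
    """Derive the $ impact of a breach from inherent and contextual attributes.

    Assumed weighting for illustration: sensitive data doubles the impact and
    each privileged user adds 10%. A real model would calibrate these.
    """
    impact = asset.base_impact
    if asset.holds_sensitive_data:
        impact *= 2.0
    impact *= 1.0 + 0.1 * asset.privileged_users
    return impact


def breach_risk(asset: Asset, probability: Optional[float] = None) -> float:
    """Breach risk in $ = probability x impact (probability may be overridden)."""
    p = asset.breach_probability if probability is None else probability
    return p * breach_impact(asset)


def risk_reduction(assets: Iterable[Asset], covered: Iterable[str],
                   effectiveness: float) -> float:
    """Total $ risk reduction from a control that cuts breach probability by
    `effectiveness` (a fraction) on the assets named in `covered`.
    Assets outside the control's coverage contribute nothing."""
    covered = set(covered)
    total = 0.0
    for a in assets:
        if a.name not in covered:
            continue
        before = breach_risk(a)
        after = breach_risk(a, a.breach_probability * (1.0 - effectiveness))
        total += before - after
    return total


def roi(reduction: float, cost: float) -> float:
    """Return on investment as a multiple: $ of risk removed per $ spent."""
    return reduction / cost


# Constructed inventory: 8 critical servers plus two low-criticality assets.
INVENTORY = [
    Asset(f"db-srv-{i:02d}", "server", "finance", True, 10, 0.25, 500_000.0)
    for i in range(8)
] + [
    Asset("sales-laptop-17", "laptop", "sales", False, 0, 0.30, 20_000.0),
    Asset("lobby-kiosk-1", "kiosk", "facilities", False, 0, 0.40, 2_000.0),
]

EDR_EFFECTIVENESS = 0.5              # assumed: EDR halves breach probability
EDR_SERVER_LICENSE_COST = 200_000.0  # extra licenses including deployment


def edr_server_expansion() -> dict:
    """ROI of extending EDR from the laptops to the critical server group."""
    servers = [a.name for a in INVENTORY if a.category == "server"]
    reduction = risk_reduction(INVENTORY, servers, EDR_EFFECTIVENESS)
    return {
        "risk_before": sum(breach_risk(a) for a in INVENTORY),
        "risk_reduction": reduction,
        "cost": EDR_SERVER_LICENSE_COST,
        "roi": roi(reduction, EDR_SERVER_LICENSE_COST),
    }


if __name__ == "__main__":
    r = edr_server_expansion()
    print(f"Breach risk today:  ${r['risk_before']:,.0f}")
    print(f"Risk reduction:     ${r['risk_reduction']:,.0f}")
    print(f"Cost of control:    ${r['cost']:,.0f}")
    print(f"ROI:                {r['roi']:.1f}x")
```

Two things the numbers make visible. The laptop and the kiosk sit in the inventory but add nothing to the reduction, because the control does not cover them; and the impact figure for each server is derived from its attributes (sensitive data, privileged users) rather than typed in, which is why the inventory and its business context are a prerequisite for the calculation at all. Passing the laptop group instead of the server group to `risk_reduction` shows where the same spend buys far less risk reduction.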

Balbix Security Controls ROI Calculator

At Balbix, we are committed to solving our clients’ pain points, especially the ones that can define their careers. That’s why we’re excited to announce the availability of the new Security Controls ROI Calculator.

With our security control ROI calculations, you’ll be able to demonstrate the impact of your security controls in reducing risk, expressed in monetary terms, to your CFO, board of directors, and other senior leaders.

Balbix measures and reports on risk reduction due to changes in your security controls

Unique ROI based on a robust breach risk calculation

Balbix calculates the risk reduction of security controls by determining how effective your security controls are at reducing breach risk. ROI calculation is currently available for endpoint security tools.

To get started, Balbix gives you real-time visibility into the security controls in place across your assets, automatically identifying all of your IT assets, including desktops/laptops, smartphones/tablets, IoT/OT devices, servers and cloud workloads. More than 400 attributes are assigned to each asset, including the security controls implemented on it.

Example of inventory of security controls by Balbix

Balbix then determines the probability of breach by considering four critical factors: vulnerability severity, threat level, asset exposure, and security controls. This compares favorably to other vulnerability assessment products, which only consider two risk factors to determine the probability of breach: vulnerability severity and threat level.

Balbix is able to consider the additional factors because, unlike other providers that only provide a CVE-centric risk model, the Balbix risk model also provides an asset-centric view of risk. In parallel, Balbix calculates the impact of the breach by evaluating the business context of the underlying asset and the data being protected.

Balbix then allows you to measure and report changes in breach risk (in dollars) due to the implementation of your security controls, and to combine that with your cost information to calculate the ROI of changes to your security controls.

Be Prepared to Answer Other Difficult Questions

While it’s important to answer questions about the ROI of your security program and the tools you’ve put in place, you may well face other tough questions at board meetings. Questions like:

  • Do we know what our risks are?
  • Do we know which assets are most at risk?
  • Which business units are most at risk?

To see how Balbix can answer these questions and more, schedule your cyber risk quantification demo today.
