[BreachExchange] How to calculate the ROI of cyber threat defense

Audrey McNeil audrey at riskbasedsecurity.com
Wed Feb 8 20:42:55 EST 2017


http://www.securityinfowatch.com/article/12302438/how-to-calculate-the-roi-of-cyber-threat-defense

As any executive knows, keeping a close watch on the bottom line is a
critical element of ongoing success. For CIOs, CTOs and CISOs, finding a
way to keep costs down while maximizing protection against potential
security breaches is a familiar struggle. The difficulty often lies in the
paradox that exists when one is essentially investing in something that has
not yet occurred. Further complicating matters is the fact that many
organizations are employing a complex multitude of systems, applications
and defense mechanisms which can make establishing quantifiable
return-on-investment (ROI) a prohibitive undertaking.

Yet, the potential financial impact a successful breach can have certainly
justifies the upfront and ongoing expense required to adequately prevent
one from occurring. One only needs to peruse the headlines to see evidence
of how costly a security incident can be – both monetarily as well as
reputation-wise. More importantly, it’s becoming increasingly evident that
no one is safe from becoming a victim of today’s sophisticated online
hackers. Businesses of every shape, size and industry would be wise to take
heed and put the appropriate measures in place to keep their networks and
sensitive data safe from harm.

So how, then, can one effectively capture the return on this important if
not essential investment? Despite the countless news articles and leading
experts predicting the steady and ongoing increase in amount and complexity
of criminal activity online, many key decision makers still insist on
seeing real, measurable results in order to justify the value of having an
established, solid threat detection plan in place. The good news is, with
the right strategy, calculating and communicating this ROI is entirely
possible.

Start with the Basics

Before you can adequately assess ROI, you need to have a clear and
documented understanding of all of the costs and benefits associated with
your threat defense strategy. First there are the costs involved in the
overall cybersecurity plan you have in place (i.e. monitoring systems,
incident response software, IT security personnel, etc.). These expenses
are easily measurable, but if you’re not contrasting them with the right
information, they can easily scare away even the most open-minded board
member.

To balance your expenditure properly, the next calculation will likely be a
little bit more abstract. That is, you’ll need to identify and capture, as
accurately as possible, the costs associated with a security compromise.
For instance, the following factors can and often do influence cost:

Percentage of incidents that lead to an actual breach
Percentage of threats that are major incidents
Average cost of a major incident
Percentage of threats that result in minor incidents
Average cost of a minor incident
Average annual growth of security threats and incidents

At an organizational level, there are additional factors that must also be
accounted for. Ideally, these numbers would be captured prior to
implementing a comprehensive threat management strategy, as this will allow
you to more closely measure the additional savings achieved by the new
strategy, whether it’s adopting better software, deploying automation
technology, or some combination of these.

By way of example, these baseline figures might include:

Average number of incidents per day
Number of incidents being addressed daily using current resources
Gap between addressed and unaddressed incidents
Number of incidents addressed daily using new incident management strategy

The figures obtained from these calculations will allow you to pinpoint or
at least approximate the amount of money a potential security breach could
cost your organization. With that number in hand, the savings achievable by
avoiding those financial implications can be determined.

Delving Deeper

Another important thing to point out is that the ROI of good threat defense
stretches far beyond the basics covered above. Recognizing these additional
benefits can help strengthen and solidify a case for enhanced incident
management. One area upon which many fail to capitalize, particularly in
terms of justifying potential savings, is in the incident response realm.
Far too often, the focus lies squarely on prevention, when in reality it’s
the remediation that can truly quantify the return.

The truth is, when it comes to security breaches, it’s quite often not the
actual incident that has the greatest impact, but rather the time it takes
to identify, isolate and resolve the issue before it has a chance to cause
further damage. This mean time to resolution (MTTR) is where the true value
of threat intelligence lies.

According to recent reports, the majority of organizations today find out
about a security breach from an external third party, such as their bank or
a government body. The time it takes to identify said compromise averages
somewhere around 320 days. For breaches that are detected internally, this
number drops to around 56 days, which is still a significant amount of time
to allow a successful incident – and the hackers behind it – to have a
field day with your network, systems and sensitive data.

Complicating matters is the speed with which a compromise can occur. One
recent industry report indicates that more than 80 percent of cybersecurity
breaches happen in mere minutes. The vast canyon between compromise and
detection is alarming to say the least and that’s not even taking into
consideration the amount of time it takes to actually recover once a
security incident is discovered.

It is estimated that about 60 percent of MTTR is spent determining the
root cause of the actual problem. The rest is spent mitigating damages and
working to achieve a complete resolution. When system outages or any type
of downtime is included in this process, you should increase the cost of
compromise accordingly.

The Value of Reducing MTTR

With the right technology, such as IT automation, significant savings can
be realized in MTTR alone. Calculating these savings is a two-step
process. Start by determining the total yearly cost of incidents by
applying the following formula:

Number of Monthly Incidents X Time to Resolve Each Incident X Cost of
Personnel Per Hour X 12 months = Annual Cost of Incidents

Keep in mind that the type and severity of incidents will vary, so you may
wish to use this formula to determine the cost associated with each
incident priority level. In other words, your priority one (P1) incidents
will have a different resolution time and associated cost than that of P2
and P3 incidents. Additionally, the costs associated with support personnel
may also vary based on level and skillset. For instance, P1 incidents might
require the expertise of both L1 and L2 teams, so calculate accordingly.

Once you’ve determined your annual cost of incidents, the second step
involves calculating your annual savings. This can be done by using the
estimated percentage of reduction in resolution time that your applied
technology delivers. The formula looks like this:

Annual Cost of Incidents X Reduced Time to Resolution (%) = Annual Savings

On the conservative end, some experts believe the average reduction in time
to resolution a good automation tool could potentially deliver hovers
somewhere between 50 and 75 percent. That means if your annual cost of
incidents is $350,000, you could potentially be saving anywhere from
$175,000 to $262,500 each and every year. There aren't too many decision
makers who wouldn't appreciate those kinds of numbers. Keep in mind that
the reduction percentage is the least certain input in this model: measure
it from your own ticket timestamps (or from a pilot) rather than taking a
vendor's figure, and present the savings to the board as a range rather
than a single number.
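The whole chain above, from the cost-of-compromise factors and the
addressed/unaddressed incident gap through the two MTTR formulas, as a small
worked model. This is an added example and is not code from the article or
its author; the priority tiers, hourly rates, threat volumes and the $60,000
automation spend are constructed, hypothetical inputs, and the roi() helper
(benefit minus cost, over cost) is a standard definition the article does
not spell out. It also checks the article's own $350,000 figure against the
50 and 75 percent reduction bounds.

```python
"""Worked ROI model for the inputs the article lists (added example, not from the article)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class PriorityLevel:
    """One incident priority tier (P1/P2/P3) with its own volume, MTTR and staffing."""
    name: str
    monthly_incidents: float
    hours_to_resolve: float   # mean time to resolution for this tier, in hours
    hourly_rates: tuple       # loaded cost per hour of each team involved (e.g. L1 and L2)


def annual_incident_cost(levels):
    """Monthly Incidents x Time to Resolve x Cost of Personnel per Hour x 12, summed over tiers."""
    total = 0.0
    for lvl in levels:
        personnel_per_hour = sum(lvl.hourly_rates)  # P1 may need L1 and L2 on the same ticket
        total += lvl.monthly_incidents * lvl.hours_to_resolve * personnel_per_hour * 12
    return total


def annual_savings(annual_cost, reduction):
    """Annual Cost of Incidents x Reduced Time to Resolution (as a fraction, 0..1)."""
    if not 0.0 <= reduction <= 1.0:
        raise ValueError("reduction must be a fraction between 0 and 1, e.g. 0.5 for 50 percent")
    return annual_cost * reduction


def savings_range(annual_cost, low=0.50, high=0.75):
    """Report savings as a range, since the reduction percentage is the least certain input."""
    return (annual_savings(annual_cost, low), annual_savings(annual_cost, high))


def expected_breach_cost(threats_per_year, pct_major, cost_major, pct_minor, cost_minor,
                         growth_rate=0.0, years=1):
    """Expected loss from the article's factors: the share of threats that become major or
    minor incidents times their average cost, with threat volume growing by growth_rate
    each year so a multi-year projection reflects the stated annual growth."""
    total, volume = 0.0, float(threats_per_year)
    for _ in range(years):
        total += volume * (pct_major * cost_major + pct_minor * cost_minor)
        volume *= 1.0 + growth_rate
    return total


def coverage_gap(incidents_per_day, addressed_now, addressed_new):
    """Unaddressed incidents per day before and after the new incident management strategy."""
    return {"gap_before": max(incidents_per_day - addressed_now, 0),
            "gap_after": max(incidents_per_day - addressed_new, 0)}


def roi(savings, program_cost):
    """Standard ROI definition (assumed here, not stated in the article): (benefit - cost) / cost."""
    return (savings - program_cost) / program_cost


# Constructed sample inputs (hypothetical figures, not from the article or any real organisation).
SAMPLE_LEVELS = (
    PriorityLevel("P1", monthly_incidents=10, hours_to_resolve=8.0, hourly_rates=(60.0, 90.0)),
    PriorityLevel("P2", monthly_incidents=40, hours_to_resolve=3.0, hourly_rates=(60.0,)),
    PriorityLevel("P3", monthly_incidents=200, hours_to_resolve=0.5, hourly_rates=(45.0,)),
)


def worked_example():
    """Run the whole chain once and return the figures a board slide would need."""
    cost = annual_incident_cost(SAMPLE_LEVELS)        # 284,400.0 for the sample tiers
    low, high = savings_range(cost)
    return {
        "annual_cost": cost,
        "savings_low": low,
        "savings_high": high,
        "roi_low": roi(low, 60_000.0),                # assumes a 60k/year automation spend
        "article_check": savings_range(350_000.0),    # (175000.0, 262500.0)
    }


if __name__ == "__main__":
    for key, value in worked_example().items():
        print(f"{key}: {value}")
```

Splitting the input by priority tier, as the article advises, is what makes the
model defensible: a P1 that ties up two teams for a full shift dominates the
annual cost, so the reduction percentage you measure for P1 tickets matters far
more than the one for P3 noise.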

For the most part, today’s IT executives are fully capable of understanding
the importance of investing in cybersecurity. When it comes to convincing
others, however, there may be a bit more work involved. Knowing what data
to take into consideration and how to transform that data into quantifiable
evidence can help you better drive home the value of threat detection as
not just an ancillary component of IT, but a fundamental ingredient in the
ongoing safety and success of the organization as a whole.