Return on Investment (ROI) in the context of cybersecurity measures is a hot subject. This makes sense, as technology providers don’t want to position cybersecurity as a cost with no return. But how accurate is that discussion?
Return on investment is originally an economic concept. You invest a sum of money, and you want to know whether the return is positive. If a new production line for plastics costs 15 million dollars, and you recoup it within four years, it is probably a good decision.
With cybersecurity investments, the costs are easy to specify, but the return is less easy to determine. This is because the return is largely expressed in the prevention of damage by ransomware, data theft or sabotage. Thanks to all kinds of international studies, we have a better idea of what the financial impact is of a cyber incident, even specifically per industry. It ranges from hundreds of thousands to tens of millions.
A return you can’t see or touch?
The return of cyber investments is a reduction of the probability that you will face potentially disastrous losses. The combination of a statistical probability and a return that consists of something not happening feels completely different from the profitability of a new production line, which produces tangible goods.
Cyber investments are partly akin to business insurance, where you also make calculated provisions for risks whose likelihood of occurrence you cannot 100 percent control (but without up-to-date fire prevention, you are being irresponsible).
Another important aspect of cyber investments is that, practically speaking, they are partly mandatory, just like health & safety measures or emission-reducing techniques. Standards like ISO, PCI or HIPAA are not optional for organizations, and require investments regardless of the return.
‘Better security makes businesses run faster’
All of this means it’s no wonder that the cyber industry increasingly wants to frame the return in positive terms as well. “Better security makes business run faster”, says the CISO of the financial giant Charles Schwab. Whoever is fastest to produce an innovative app with state-of-the-art security can gain valuable market share.
Those who can keep effective cybersecurity measures in step with much-needed digital transformations in primary processes can stay ahead of the competition. But again, it is not easy to put a monetary value on that contribution of cybersecurity and thus easily make the ROI calculation.
So, are we completely in the dark and is cybersecurity a bottomless pit with no tangible returns?
So, are we completely in the dark and is cybersecurity a bottomless pit with no tangible returns? Fortunately, that’s not the case, and there are many practical starting points for having a proper internal ROI discussion in board rooms and executive meetings.
The percentage of total IT spend that organizations similar to yours devote to cybersecurity can be a good starting point. One other fact is also indisputable: doing nothing is not an option, or you will be the victim of a cyberattack within days or even hours.
You will have to establish a relationship between investments and maximizing the reduction of the risk and impact of a cyberattack. That’s the key payoff in the ROI discussion. A cyber strategy like Zero Trust can help you demonstrably reduce risk and impact. For example, look at the recent Ponemon study on the financial impact of Zero Trust.