More than just numbers- calculating the real ROI of a good cyber defense system

By
Praveen Yeleswarapu
November 12, 2021

For more context, please take a look at the first article in this series: Mapping your cyber defense strategy

As the world migrates towards digital devices, businesses have witnessed a paradigm shift in the threat landscape. Cyber attacks have become increasingly common and businesses need to pay attention to such new manifestations of corporate threats.

However, when it comes to making a case for releasing funds for cybersecurity, it often becomes difficult to convince the board without numbers. One of the best ways to persuade the board to invest in cybersecurity is through the use of figures that help determine the return on the investment made into cyber defense.

In this article, we discuss the ROI of cybersecurity and how it affects businesses of different scales. 

The cost of doing nothing

Cybersecurity teams are often at crossroads with high level executives and CFOs when it comes to investing in cyber defense systems.

One of the biggest problems that plagues CISOs has always been the difficulty in persuading the board to pour money into cybersecurity, and harder still remains convincing the executives that it makes financial sense.

However, one of the best ways to assure that investing in cybersecurity is worth every penny is to present data to the board clearly defining the potential losses that the business stands to incur should it face a cyber attack. 

Action vs. reaction: cyber resilience posture

Even when cyber attacks are on the rise, most businesses do not consider the investment made into securing systems worth the resources. As a result, more businesses are attacked, thus, creating a vicious circle. Businesses end up spending more money and time in recovering from attacks and rebuilding systems, and this reactive approach is what allows threat actors to exploit gaps in a cyber defense strategy. 

Businesses need to invest in cyber resilience- working with the assumption that an attack will happen, and preparing for that eventuality instead.

Cyber resilience also entails taking action and proactively identifying and eliminating potential threats, as against the current norm which is reacting to the attack and salvaging data that remains afterwards. To achieve this, CISOs need to help business executives understand the ROI of a good cyber defense system.

The investment

Investing in cybersecurity refers to pouring resources into several different aspects of enterprise cyber defense. When boards approve of funds to be deployed into system security, they are used for the following efforts:

  • Installing improved monitoring software and services;
  • Training security personnel on the threat landscape;
  • Deploying teams to actively hunt for cyber threats;
  • Installing alerting systems;
  • Using AI interventions to support the people involved in the function
  • Constant User Trainings and Awareness building exercises

When businesses invest in cyber security they do not seek to get returns in absolute terms- rather the goal is to prevent systems from outside threats, creating a safe environment for the enterprise data.

Therefore, return on investment for a cyber defense strategy is essentially the value of resources protected.

The return

The return on investment for a cyber defense system is not a yield in terms of earned resources.

Instead, it is the computation of the resources that are saved owing the existence of a sound defense system.

To understand the return on investment of a good cyber defense strategy CISOs need to look at two major factors

- the average cost of a breach
- the average number of cyber attacks likely to be faced during a given time frame. 

The average cost of a breach

The first factor when calculating the return on investment of a cyber defense strategy is to assess the average amount of resources that an enterprise bleeds when it is affected by an attack.

CISOs must look at industry peers who have previously been a victim of cyber attacks, and then calculate the average across the industry. This allows business executives to get an idea of what could be prevented through cybersecurity systems. 

The average number of likely cyber attacks

The second important factor to consider is the number of incidents that a business is likely to experience in a particular time frame. This, again, can be done through an industry analysis and study of peers in the industry. The average number of incidents is important to understand the frequency of cyber attacks and how rapidly the threat landscape evolves. 

The metric to be measured

Finally, to get a brief idea of the ROI of a good cyber defense system, we can multiply the average cost of a cyber attack incident with the average number of cyber attacks like to be faced during a given time frame.

The product of the two figures is a representation of the probable loss that an enterprise might face, should it fall victim to an attack. More importantly, the product of the two figures becomes the return on investment made in improving cybersecurity, as the amount of resources saved owing to a sound cyber defense system.

The annual ROI of a cyber defense strategy = avg. cost of a breach X no. of incidents likely in a year

A few other considerations to be added here include:

  • the increasing cost YoY of implementing the strategy, essentially the TCO, OPEX associated
  • the increasing complexity of the threat landscape

Both these costs are fairly straightforward to measure- we may look at the annual cost of the company's cyber posture for the past years and observe the percentage increase in costs. This percentage can be extrapolated for subsequent years to understand how much more the company should expect to spend every year going forward.

Final considerations

Apart from the cost of recovering from an incident and the number of such incidents affecting a business, a myriad of factors also contribute towards the ROI of a cyber defense system. Here are some other factors that psh up the ROI:

  • The average cost of resources spent on PR after an incident to assure investors and customers that the company still remains a viable business and worthy of public trust; 
  • The loss suffered in terms of diluted brand value and diminished goodwill; and
  • The amount of money spent as fines and penalties for failing to protect consumer and investor data. 

Therefore, when calculating the actual ROI of a cyber defense system, businesses must get the product of the average cost of a cyber attack in the industry and the average number of incidents that are likely to be faced, and add it with other considerations, generic or specific to get a clear picture of what the investment in cybersecurity would yield.

The annual ROI of a cyber defense strategy = [avg. cost of a breach X no. of incidents likely in a year] + cost of recovery from a cyber incident - the cost of strategy implementation

For small and medium-sized businesses

SMBs are often plagued with ransomware and phishing attacks, used to exploit money and information out of their systems. Apart from the pressures of an attack, there may also not be enough data to argua a case for good cyber defense.

However, when SMBs are attacked, the damage faced is severely detrimental to the financial health and sometimes the very survival of the organization.

In order to better manage their own risk profile, several large organizations today sign contracts even with the smallest of vendors assigning responsibility for a cyber breach. This is where a good cyber defense strategy becomes vital.

For a small business, the return on investment can be calculated as the number of opportunities gained and served due to a lower risk profile.

For large enterprises

Large enterprises, generally, are attacked with the goal to extract classified information and consumer data. Crown jewels of large companies are invaluable assets and can result in destruction of the enterprise if they fall into the wrong hands. Cyber attacks on large businesses are also an outcome of corporate espionage, meaning incidents being sponsored by competitors in the market. 

When large businesses face cyber attacks they stand to lose immense brand value, market capitalization and customer trust. Therefore, when large enterprises invest in cyber security systems, they prevent spending money on recovering from loss of data and customers, while simultaneously preventing stock prices from crashing in case of publicly listed companies.

In such cases, the greatest ROI contribution comes from the potential costs saved due to no cyber breaches, and the average increase in investment YoY may not be much of a deterrent.

Industry specific ROI of a good cyber defense strategy

The return on investment made in cyber defense is different for every industry and enterprise. Each entity stands to gain something different from investing in cybersecurity. Here are some industries and their ROIs from cyber defense systems:

Healthcare

Healthcare institutions are large reserves of critical patient data and machines that are responsible for the life and death of people. When a healthcare institute such as a clinic or a hospital is attacked by cyber threat actors, it stands to lose not only confidential data on patients containing all manner of personal information, but also the critical equipment that is used to keep patients alive.

Therefore, when healthcare institutes invest in cyber security, they preserve information as well as lives. The ROI then comes in the form of preserved human capital as well as reputation.

Banking, Financial Services and Insurance

The BFSI sector is largely technology driven, with most customers using some form of digital payment tool, investment software or insurance card. The sector is highly competitive and has a very high customer turnover rate. Therefore, when BFSI businesses are attacked, they lose on multiple fronts. Primarily, since these businesses directly involve money, they lose in terms of settlement claims initiated by customers on account of losing funds. Furthermore, they lose in terms of lost customers and dilapidated reputation. 

Therefore, BFSI businesses invest in cybersecurity to preserve their resources, data as well as clients, and to avoid large payouts in cases of a breach.  

Technology

Ironically, technology companies are one of the biggest victims of cyber attacks. Tech companies keep information on several projects under development, important lines of code, information that can be used to access user accounts and other crown jewels.

Therefore, when tech businesses invest in cyber defense, the yield is unhindered growth, protection of data as well as money and time saved in developing damaged projects again. For these companies, the ROI on cyber defense is essentially the savings achieved on cyber insurance as well as the premium paid to ensure unhindered growth.

When CISOs attempt to assess the ROI of investment in cyber defense they are able to identify potential loopholes in the system.

Therefore, businesses need to look at the ROI of cyber defense from a holistic view, and as more of a practice than as a figure.

As businesses grow, they are exposed to an increasing number of threat actors, and in such a data-driven global economy the biggest return on investment is preservation of data itself.