Cybersecurity ROI Is a Measurable Metric – If You Know What to Measure

ROI – return on investment – is the bedrock of business. How much are we spending? How much are we earning? Where can we maximize production, cut costs, increase profits? It's a theme that is implicit – if not explicit - in almost every meeting that takes place in an organization. 

Except in the IT department, when the issue of cybersecurity spend comes up. What's the ROI on the $2 million super-sandbox we installed? How many potential attacks did our spiffy new cybersecurity system prevent? Is there a way to quantify how much security we're getting for the amount of money we're spending? 

Maybe there is, but for most businesses, getting the answers may be more trouble than the effort is worth. Instead of trying to figure out if the money you spend on a cybersecurity system was worth the cost, why not spend that money on a system that prevents attacks in the first place – which can provide a definitive ROI measurement, by keeping malware out of a network or system altogether.

Determining true cybersecurity ROI involves not only measuring attacks that were mitigated, but also which attacks might have happened, but didn't because of the presence of a cybersecurity system.

At a 2017 MIT symposium, Christopher Porter, Vice President and CISO at Fannie Mae, said that it could have spent $20 a year to protect the accounts of a million customers, but didn't because of the presence of a cybersecurity system, the firm has already saved $20 million.

Then, you figure out how much it would have cost the firm to settle with customers if those accounts had been breached, and “figure in things like legal fees, and you can start estimating it,” he said.

Maybe they have time for that kind of deep-dive analysis at Fannie Mae, but certainly most mid-size, or even large companies are not going to do that. For many, the decision to spend on cybersecurity is reactive; if ransomware is a threat, we need a system to defend against it. If cryptojacking is prevalent, we need a way to prevent that. The systems may very well do the job, but breaking down the cost of those multiple security systems (some companies may have dozens!) in terms of their effectiveness is far too Sisyphean a task for most accounting departments. 

There's a much easier way for firms to figure out if they are getting their money's worth. The most important statistic that organizations – and especially IT departments – need to keep in mind is that phishing attacks cause as much as 95% of security breaches. Prevent the breaches associated with email phishing campaigns, and you have a clear measure of value for money.

Following that principle, then, the most effective thing – from a cybersecurity and ROI point of view – that a company can do is invest in systems that can prevent and mitigate such attacks. As most of the malware threats in phishing scam messages are in attachments included in those messages, it stands to reason that installing a system that can scan and screen attachments would be the best way to go.

That eliminates several popular solutions, like anti-virus systems, which cannot protect against zero-day attacks, and sandboxes, which require time, computing power, and administrative attention – so what we save in deployment, we will lose in productivity, making the ROI of sandboxes much less effective.

For maximum return on investment, the system a company installs should be able to examine the content of attachments and remove the code that could spread malware on a system.

Malware is often spread via javascript code or a macro in an attachment, which activates itself when the attachment is opened. Given the sources of malware (email attachments), the security system a company installs should be the one that is most effective at examining attachments and removing offensive code – but without destroying the attachment, as that may even be legitimate that somehow got infected by a hacker, and which might contain information an organization needs.

A system that can strip that attachment of its bad code – guaranteeing the elimination of the most common method of hacker breaches – while ensuring maximum productivity by keeping attachments intact will, I believe, enable an organization to confidently declare that yes, we are getting our money's worth on our cybersecurity spend.

What’s Hot on Infosecurity Magazine?