From Cost to Catalyst: Quantifying the Value of Cybersecurity


How do you show business leaders the value of cybersecurity investments? Executives naturally gravitate toward initiatives with a clear return on investment (ROI). But traditionally, cybersecurity has been viewed as a cost center, an overhead, and a necessary business expense.

Today, there is a growing focus on approaching cybersecurity as a profit center, turning it into a legitimate business driver.[1] By adopting this perspective, cybersecurity teams become accountable for spending and driving growth. This reset can alter how executives and the broader organization perceive the cybersecurity team, facilitating a security approach that is more closely aligned with overall business objectives.

Dollars and cents: ROI, ROSI, and risk assessment

The value of cybersecurity solutions is undeniable. It’s an investment that can yield dividends in safeguarding assets, ensuring business continuity, and fostering stakeholder confidence. Yet, how can CISOs measure concrete value and show the time and money saved?

While (Gain from an investment – Cost of investment) / Cost of investment is the standard way to calculate ROI, a return on security investment (ROSI) may help analyze value more effectively.

The formula is more nuanced and includes the savings attained (loss prevention) during a cyber incident. Security experts categorize this as an opportunity cost: the costs and benefits of every available option weighed against the others. Considering opportunity costs can guide organizations toward more profitable decision making. Here are the risk-assessment figures that feed into ROSI calculations:

  • Single loss expectancy (SLE): The expected total loss from a single security incident. To calculate it, assets and data must be inventoried and valued.
  • Annual rate of occurrence (ARO): The expected number of security incidents in a given year, determined from historical data.
  • Annual loss expectancy (ALE): A baseline figure that shows what would be lost by maintaining business as usual: ALE = ARO × SLE

The result? A financial calculation that defines the value of a potential investment:
ROSI = (ALE × mitigation ratio – Cost of solution) / Cost of solution

Let’s take a hypothetical scenario:

Corp A has suffered breaches, and the security team is considering a new cybersecurity solution. The business team isn’t convinced, so the CISO runs some numbers. He estimates there have been about 12 (ARO=12) security incidents per year for the last three years. These incidents seem to cost about $25,000 (SLE=25,000) in data loss, fines, and productivity. The solution is projected to block about 90% (mitigation ratio=90%) of the attacks. However, the costs of the solution are an estimated $60,000 per year. In this scenario, the equation would be the following:

ROSI = ((12 × 25,000) × 0.9 – 60,000) / 60,000 = 270%

The investment in this example of $60,000 per year would save Corp A an estimated $162,000 annually. Simply put, the savings from the acquisition would provide a 270% payback on the security investment.
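A small ROSI calculator, added here as an example (it is not code from the original post): it computes ALE, loss prevented, net savings and ROSI from the Corp A inputs, and also the break-even mitigation ratio at which a solution just pays for itself. Note that evaluating the formula as written with these inputs yields 350% (270,000 prevented minus the 60,000 cost, divided by 60,000) rather than 270%, so re-check the arithmetic before the figures go in front of leadership.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class SecurityInvestment:
    """Inputs to the ROSI calculation (money in one currency, all per year)."""
    sle: float               # single loss expectancy: cost of one incident
    aro: float               # annual rate of occurrence: incidents per year
    mitigation_ratio: float  # share of incidents the control prevents, 0..1
    solution_cost: float     # annual cost of the control

    @property
    def ale(self) -> float:
        """Annual loss expectancy with business as usual: ALE = ARO * SLE."""
        return self.aro * self.sle

    @property
    def loss_prevented(self) -> float:
        """Expected annual loss the control avoids: ALE * mitigation ratio."""
        return self.ale * self.mitigation_ratio

    @property
    def net_savings(self) -> float:
        """Loss prevented minus what the control itself costs."""
        return self.loss_prevented - self.solution_cost

    @property
    def rosi(self) -> float:
        """ROSI = (ALE * mitigation ratio - cost) / cost, as a ratio (2.5 == 250%)."""
        if self.solution_cost <= 0:
            raise ValueError("solution cost must be positive")
        return self.net_savings / self.solution_cost

    @property
    def break_even_mitigation(self) -> float:
        """Mitigation ratio at which ROSI is zero: cost / ALE (>1 means never pays off)."""
        if self.ale <= 0:
            raise ValueError("ALE must be positive")
        return self.solution_cost / self.ale


# Corp A scenario from the post (the post's hypothetical estimates).
CORP_A = SecurityInvestment(sle=25_000, aro=12, mitigation_ratio=0.9, solution_cost=60_000)

if __name__ == "__main__":
    print(f"ALE:              ${CORP_A.ale:,.0f}")
    print(f"Loss prevented:   ${CORP_A.loss_prevented:,.0f}")
    print(f"Net savings:      ${CORP_A.net_savings:,.0f}")
    print(f"ROSI:             {CORP_A.rosi:.0%}")
    print(f"Break-even ratio: {CORP_A.break_even_mitigation:.0%}")
```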

Let’s face it: the more precise the figures presented to leadership, the more buy-in—and funding—security teams can expect.

Beyond defense: The strategic value of cybersecurity

Indeed, the benefits of cybersecurity investments aren’t simple to quantify: safeguarding against potential financial catastrophes, ensuring uninterrupted operational continuity, and enhancing the priceless asset of brand reputation.

While these are valid ways teams measure success, the actual value of these concepts can be elusive. It’s far more impactful to your board of directors to rely on analytics that can be tied directly to numbers your team can control. Provide those by establishing consistent measurements, offering peer comparisons, relating metrics to business outcomes, and quantifying risk.

Investing in cybersecurity is not just about averting threats; it’s about harnessing a strategic asset that aligns with business objectives. The financial benefits, when accurately quantified, are unmistakable. So, don’t wait for the subsequent breach to reassess your cybersecurity strategy. Act now. Invite your team to a discussion, evaluate your current measures, and help your executive team make data-driven decisions prioritizing security and profitability.

  1. SANS Institute, The New Financial Metric for Cybersecurity, March 17, 2023
  2. IBM, Cost of a Data Breach Report 2023, 2023