Defend what’s most valuable to your organization by speaking the C-suite’s language. You must demonstrate what’s worth defending and the impact of defending or losing those assets.
As an IT professional, it's easy to see the benefits of and need for strong security practices within a business. The rising costs of cybercrime damage are expected to hit $6 trillion annually by 2021. And just last year, global ransomware damage costs were predicted to exceed $5 billion.
Despite the ominous state of cybercrime today, pitching your finance and executive teams on security measures is not always simple. Research shows that IT decision makers and the C-suite are on different pages when it comes to their security investment, and money is likely to be spent elsewhere.
In order to successfully refocus funds on critical security measures and infrastructure, you must be able to provide a clear return on investment (ROI) to justify the costs. Many people aren’t sure how to perform this cost analysis, and that’s what we’d like to help you with today. Let’s break down the costs vs. the benefits of data security in detail using the ROSI (Return On Security Investment) formula. But first, let’s explore what a security breach costs overall.
The True Cost of a Security Breach
Before we can understand the value of spending money on security, we need to understand the detrimental cost of a security breach and its aftermath. In the event of a breach, expenses will include ransomware response, recovery and operation resumption. If you’re like most businesses, you don’t have a large security response team that’s readily available, so you may need to hire outside experts.
According to IBM and Ponemon Institute, the average cost of a data breach across the globe is $3.86 million, or $148 per record on average. This includes the cost of paying the ransom itself (if you pay), as well as the cost of lost or corrupted data. There is also the cost of downtime during and after a ransomware attack that affects your business operations. You can see how these costs can quickly add up, even into the millions.
A recent article by CSO provides some insight when they describe what happened to the Erie County Medical Center. The hospital spent $10 million in 2017 combating an attack involving a $30,000 ransom demand. Half of that amount went to IT services, software and other recovery-related costs. The other half was split between staff overtime, lost revenue and other hidden costs. But it didn’t stop there. In order to keep their security updated to combat future attacks, the medical center spent thousands more upgrading their technology.
Unfortunately, many businesses are unable to bounce back. When comparing the cost of preventive security measures to the cost of recovering from an actual breach, making the investment is a clear choice.
Calculating the Return on Security Investment Using the Investment Formula
According to Security Intelligence, there are certain things executive decision-makers will want to know in regards to overall costs vs. value. Some of their questions may revolve around the price of security as a whole, the effect that security has on current organizational productivity, and the potential impact of a catastrophic security breach. The only way to answer these questions is by calculating the ROSI using a special formula.
This formula includes two main components: the cost of the security solution and the annual loss expectancy (ALE) derived from your risks. It is calculated like this:
ROSI (%) = ((ALE − mALE) − Cost of Solution) ÷ Cost of Solution
Let’s break down the components, starting with the ALE, or the annual loss expectancy. The ALE is defined as the total financial loss expected from security incidents. Also known as the control number, the ALE shows the amount of money that is lost without a security strategy.
By the way, if you're wondering what's at stake, consider that data is extremely sought after these days. Of course, not all data is equally valuable; customer information, credit card information, proprietary data and finance documentation, for instance, should be highly safeguarded. On the flip side, marketing documents do not need the same level of protection.
The ALE is calculated by multiplying the ARO (annual rate of occurrence) by the SLE (single loss expectancy). The ARO is decided by you based on the company's history and past occurrences. In short, how likely is it that there will be a security incident that affects your most critical data sets? This is something that your security team should document and examine on a regular basis. The SLE is the total loss from a single security incident, also defined by you.
The last component, the mALE (modified ALE), is the loss you still expect once the security strategy is in place, i.e. the ALE adjusted for the savings the solution delivers, so that ALE − mALE is the benefit of the solution. Let's go over an example of this equation to see it at work.
Suppose you expect 10 security events a year, each resulting in $15,000 in loss, and the security solution costs a total of $50,000 per year. Your software vendor's solution will deter 90% of all incidents. The ROSI can be calculated as follows:
ROSI = ((10 × $15,000) × 0.90 − $50,000) ÷ $50,000
ROSI = ($135,000 − $50,000) ÷ $50,000 = 1.7, or 170%
According to this equation, the solution returns 170% of its cost, a net saving of about $85,000 annually.
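To put the formula to work, here is an added Python example (not code from the original article or from OnRamp) that computes ALE, mALE and ROSI for the figures above, adds a break-even check on the mitigation ratio, and extends the calculation to a portfolio of risks with unequal asset values; the Risk helper and the portfolio scenario values are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Iterable, Optional

COST_PER_RECORD = 148.0  # average breach cost per record cited on the page (IBM/Ponemon figure)

@dataclass(frozen=True)
class Risk:
    name: str
    aro: float  # annual rate of occurrence, incidents per year
    sle: float  # single loss expectancy, dollars per incident

    @property
    def ale(self) -> float:
        """Annual loss expectancy: ALE = ARO x SLE."""
        return self.aro * self.sle

def sle_from_records(records: int, cost_per_record: float = COST_PER_RECORD) -> float:
    return records * cost_per_record  # SLE of a data-breach scenario from the records exposed

def rosi(ale: float, mitigation_ratio: float, cost: float) -> float:
    """ROSI as a fraction: ((ALE - mALE) - cost) / cost, with mALE = ALE * (1 - mitigation_ratio)."""
    if cost <= 0:
        raise ValueError("cost of solution must be positive")
    if not 0.0 <= mitigation_ratio <= 1.0:
        raise ValueError("mitigation ratio must lie between 0 and 1")
    male = ale * (1.0 - mitigation_ratio)  # loss still expected once the control is in place
    return ((ale - male) - cost) / cost

def net_annual_saving(ale: float, mitigation_ratio: float, cost: float) -> float:
    """Dollars kept per year after paying for the solution: (ALE - mALE) - cost."""
    return ale * mitigation_ratio - cost

def break_even_mitigation(ale: float, cost: float) -> Optional[float]:
    """Smallest mitigation ratio at which ROSI is zero, or None if no control could ever pay off."""
    if ale <= 0:
        return None
    ratio = cost / ale
    return ratio if ratio <= 1.0 else None

def portfolio_rosi(risks: Iterable[Risk], mitigation_ratio: float, cost: float) -> float:
    """ROSI for one solution that covers several scenarios (their ALEs simply add up)."""
    return rosi(sum(r.ale for r in risks), mitigation_ratio, cost)

# The page's worked example: 10 incidents a year at $15,000 each, 90% deterrence, $50,000 solution.
PAGE_EXAMPLE = Risk("page example", aro=10, sle=15_000)

# Constructed portfolio: customer data costs far more per incident than marketing documents.
PORTFOLIO = (Risk("customer PII breach", aro=0.5, sle=sle_from_records(10_000)),
             Risk("marketing docs leak", aro=2.0, sle=2_000))
```

The break-even check is the figure executives tend to ask for next: below that mitigation ratio the solution costs more than it saves.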
Although it is almost impossible to predict the future, you can calculate your ROSI to jumpstart your security strategy efforts and let the numbers do the talking. Rounding out your pitch with a well-thought-out return on investment may sway executives and stakeholders in the right direction. It's always a good idea to use real-world examples; gather historic data from your industry if it's available, as well as from incidents within your own organization.
An outside opinion may also be helpful during your pitch, especially when recommending specific solutions, such as firewalls, vulnerability scanning, encryption and so on. OnRamp is available to help you answer the difficult questions surrounding your security strategy and can explain the value it brings to your entire organization. Give us a call to see how we could be of assistance to you and your organization.