Calculating and Communicating Cybersecurity ROI
Communication gaps between CISOs and their boards push cybersecurity investments down the priority list. Although things are changing, few board members have strong backgrounds in IT and cybersecurity. The board understands how to evaluate and make business decisions but lacks the experience to assess the value of cybersecurity spending.
CISOs are better off speaking the board’s language by presenting cybersecurity’s return on investment (ROI). Not only will their projects have a better chance of approval, but CISOs will also improve their communication of cyber risk throughout the organization.
How to Calculate ROI for Cybersecurity
Traditional ROI calculations measure the profits investments could make relative to the investment costs. ROI lets decision makers evaluate options and choose those that could have the most significant business impact.
Cybersecurity ROI calculations are not based on profits. Instead, CISOs must justify their investments based on cost avoidance or risk reduction.
Here's a simple ROI formula:
ROI = (current annual incident cost - expected annual incident cost - investment cost) / investment cost
At a minimum, the incident cost reduction must cover the investment cost (i.e., ROI must be greater than or equal to zero). In most cases, the ROI would need to yield long-term savings.
A drawback to this simple formula is that it only works for existing, recurring incidents, such as the cost of clearing malware from end-user devices. This approach may also encourage an overly-tactical view of ROI. Device protection has bigger-picture implications for the organization’s security.
Calculating cybersecurity ROI based on risk reduction is a better approach focusing on what matters to the business—and the board. The formula itself looks similar:
ROI = (current risk - expected risk - investment cost) / investment cost
Note that expected risk is determined by the cost of an expected risk times the likelihood (or percentage) of that risk happening.
Of course, this simplicity hides much complexity. Getting to the final number requires careful monetization of cybersecurity risks.
What to Include in ROI Calculations
To begin using ROI as the basis for justifying cyber investments, CISOs must quantitatively estimate the risks their businesses face.
Some estimates are straightforward based on outside analysis or internal measures. The average data breach cost in the United States is more than $9 million. Even low-impact but high-frequency events, such as forgotten passwords, are expensive. Password resets account for nearly half of IT help desk costs at large businesses.
Other estimates are more challenging to measure quantitatively. A qualitative risk assessment, for example, may ask workgroups whether downtime of a web application would have a high, medium, or low impact on their jobs.
To fully calculate ROI, however, CISOs must monetize these non-numerical ratings, such as by estimating the workgroup’s unproductive labor costs during a server outage.
Once the cost of a cyber risk fully reflects its financial impact, CISOs can make better ROI calculations. Even then, each risk calculation will use different contributing factors, which may include:
Incident response costs.
Business impacts, both direct and indirect.
Legal and regulatory expenses.
Recovering lost goodwill.
Benefits of Quantifying ROI
Although getting to the final result can be challenging, quantifying the return on cybersecurity investments offers significant benefits.
Improves CISO-Board Communications
Awareness by board members of cybersecurity and its impacts may be growing, but few board members have much expertise in the field.
Financially presenting cybersecurity investments allows the discussion to proceed in terms board members understand. Better communication between CISOs, the C-suite, and their boards yields better decisions faster.
Reinforces Cybersecurity’s Value
Discussing cybersecurity investments in terms of the returns they generate helps to level the playing field with profit-generating investments.
Board members and the C-suite can evaluate a CISO’s proposals using the same considerations for business risk and opportunity they apply to the rest of the business.
As a result, cybersecurity’s place in the company’s priorities rests on a more solid foundation.
Prepares for Regulatory Scrutiny
New rules proposed by the SEC will make a company’s cybersecurity decision-making more visible. In addition to faster disclosure of material cybersecurity incidents, these rules would require companies to disclose:
Policies and procedures for identifying and managing cyber risks.
Whether strategy, financial planning, and capital allocation consider cyber risks.
Cybersecurity expertise among board members and management.
How the board oversees cybersecurity risk management.
What role management plays in assessing, implementing, and managing cybersecurity risk.
Investors and regulators will want to see robust risk management processes as they evaluate this new information. Using ROI as the basis for prioritizing cybersecurity investments will reinforce investor and regulator confidence in the company’s governance.
Things to Consider
There is no one-size-fits-all method to calculate returns on cyber investments. Risk tolerance varies from company to company, and so does cybersecurity ROI calculation. The returns on any investment will depend on each company’s context, including:
Nature of the business.
C-suite and board risk tolerance.
Third-party risk exposure.
State of the security infrastructure.
Security culture within the organization.
Two Tips to Communicate ROI to Your Board and Organization
Here are two ways ROI calculations let CISOs communicate the benefits of cyber investments throughout the company, from the board down to frontline employees.
Boards need to base the decisions they make on strong financial fundamentals. Without IT and security backgrounds, however, board members cannot tell whether a cybersecurity ROI calculation is sound.
Before moving to ROI-based discussions, the company’s CISO, CIO, and CFO must agree on measuring cyber risk and calculating investment returns. The three executives need to hammer out a consensus methodology together.
A consensus among the company’s technical and financial experts inspires confidence among board members that, even if the three executives disagree on priorities, the board can make decisions on a solid financial basis.
Reinforce a Security-First Culture
Leveling the playing field between cybersecurity and other investments will affect everyone in the organization.
The importance of security in business decision making becomes clear as managers and supervisors see cybersecurity projects approved based on the same ROI justifications their departments make. Moreover, security considerations become easier to introduce earlier in planning processes.
Frontline employees are more likely to accept changes presented within a business context. Rather than imposing yet another generic online training course, security teams can explain how much cyber risks could cost and what role employees play in reducing those risks.
Measuring Cybersecurity Risks With Drata
Automating compliance and risk monitoring with Drata expedites security reviews and streamlines compliance certification while improving your security posture. Our customers quickly see significant returns on their Drata investments.
Schedule a demo to learn how Drata makes compliance more efficient.