There is Such a Thing as Security Return on Investment: Well, Sort of

Posted by Gib Sorebo

Having spent a fair amount of time with critical infrastructure operators, I’ve gotten used to the groans and eye rolls I receive when I try to explain why they need to spend more money on cybersecurity. Whether it’s to satisfy a compliance requirement or to reduce the risk of a cyber attack by some incalculable amount, the common perception is that we’re getting in the way of a profitable business. “All this effort without generating a single megawatt of power” was one operator’s lament. And I can certainly sympathize with that feeling. Nonetheless, it’s undeniable that critical infrastructure is under attack, either because of the business it’s in or because, like every other business, it holds a ton of personally identifiable information that would be profitable to identity thieves. But our track record at telling operators just how many cybersecurity tools and how much talent they need, and by how much their risk will be reduced, is questionable at best.

Instead, part of the answer may be to embrace the mundane: focus part of our attention on all the cybersecurity tasks an operator has to perform because a regulation requires them or because the industry has reached consensus that they matter. As I noted in a recent blog post, much of cybersecurity is like hand washing in healthcare. It’s boring stuff that people just need to do. But that doesn’t mean we can’t do it more efficiently.

As you wander across the expo floor at RSA Conference this week, don’t just focus on all the advanced analytics and behavior-based detection tools to combat the latest threats. Those are often fun and deserve some attention. But also look for the tools that can automate some of those boring tasks, or even outsource some of them to providers with greater scale and efficiency.

When it comes to corporate politics, the name of the game is managing expectations. If the expectation is that NERC CIP* compliance will require a $5 million budget and you do it for $4 million, you just saved the company 20 percent. The problem is that we often do a horrible job of managing expectations. Senior management often feels that any cybersecurity spending is an extra cost that reduces profits or drains money from more worthwhile programs. If expectations are set properly, coming in under that number can be presented as a “savings.” Better still, some security spending replaces a recurring cost the business is already paying. For example, one of our customers calculated that every time an endpoint got infected with malware, it cost about $4,000 in IT labor and lost user productivity to re-image the machine and handle the associated cleanup. Investing in a more automated solution that reduces the imaging time is real savings, because endpoints are constantly being infected; it’s not simply a risk avoided.

The show floor is full of such opportunities. Companies like Resilient Systems, Syncurity, Cybersponse, and FireEye’s Invotas offer ways to automate the incident response process. Patch management solutions like IBM’s BigFix, Symantec’s Altiris, and Tanium offer options for remediating vulnerabilities more quickly and more cost effectively. Governance, Risk, and Compliance (GRC) platforms like RSA’s Archer, Modulo, and RiskVision offer better visibility into processes, assets, and performance.

That said, the devil is always in the details. Many of these automation solutions require a fair amount of customization. For some, configuring and customizing the product to fit an individual enterprise can cost five times the price of the tool or more. That shouldn’t dissuade further investigation, but it does need to be in the budget from the start. Moreover, customers need to demand more. As concepts like DevOps and Software-as-a-Service proliferate, product vendors should be able to offer more options that are a better fit for an industry or business model. As things stand now, many vendors are pushing too much cost onto the customer. Some are relying on too small a customer base and end up dumping those costs on the early adopters. They and their investors need to be committed to the long term.

Demand to see an ROI model appropriate for your environment. And sometimes the simplest solutions are the best. Using cloud models, the most basic widget can be developed and deployed at little cost and sold like a mobile app. One of our partners offers a basic Payment Card Industry (PCI) vulnerability scan and report for $49.95 per year. Most cybersecurity solutions do cost more, but the cost should be commensurate with the value. And if the aim is greater efficiency, the ROI should be clear.

Don’t forget that you don’t have to do everything yourself. As the cybersecurity skills gap grows, the business case for cybersecurity service providers grows as well. Whether it’s managed security services for 24x7 monitoring or engineering services to get one of these automation solutions off the ground, outside services can often deliver a lower total cost if done right. But that means holding the providers accountable too, with a proven ROI model up front and service level agreements that enforce it. As you walk the floor this week looking for tools and services to automate and reduce costs, you should:

  1. Ask vendors how their product or service reduces your total cost of ownership (hint: reducing risk is not the right answer for this family of products and services).
  2. Ask to see an ROI model appropriate for your industry that includes hardware, software, and implementation costs.
  3. Look for examples of how savings were achieved.
  4. Ask whether they can offer assurances of cost savings, such as shared-cost models where refunds are given if savings are not achieved. Expect to hear no for now, but performance-based models exist in many industries, so why not security?

 *NERC CIP = North American Electric Reliability Corporation Critical Infrastructure Protection
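To make the ask in items 2 and 4 concrete, here is a minimal ROI model of the kind a buyer could hand to a vendor and ask them to fill in. This is an added example written for this page; it is not a model from the post, from Accenture, or from any vendor named above. Every input is a constructed assumption except the $4,000 per-infection cleanup cost and the “implementation can cost five times the tool” rule of thumb cited in the post, and all function and field names are hypothetical.

```python
"""Toy ROI model for a cost-reducing security tool (added example, not from the post).

Inputs are constructed assumptions. The only figures taken from the post are the
$4,000 per-infection cleanup cost and the rule of thumb that implementation can
run five times the licence price.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class ToolCosts:
    """What the vendor's ROI model must include (item 2): hardware, software, implementation."""
    license_per_year: float           # software subscription
    hardware_one_time: float          # appliances, servers, agent infrastructure
    implementation_multiplier: float  # one-time implementation = multiplier * annual licence
    ops_per_year: float               # ongoing admin labour to keep the tool running


@dataclass
class IncidentProfile:
    """The recurring cost the tool is supposed to shrink, e.g. re-imaging infected endpoints."""
    incidents_per_year: int
    cost_per_incident_before: float   # labour + lost productivity today
    cost_per_incident_after: float    # the same cost once the task is automated


def one_time_costs(tool: ToolCosts) -> float:
    return tool.hardware_one_time + tool.implementation_multiplier * tool.license_per_year


def recurring_costs_per_year(tool: ToolCosts) -> float:
    return tool.license_per_year + tool.ops_per_year


def total_cost_of_ownership(tool: ToolCosts, years: int) -> float:
    """TCO over the evaluation horizon, not just the licence price on the quote."""
    return one_time_costs(tool) + years * recurring_costs_per_year(tool)


def annual_savings(profile: IncidentProfile) -> float:
    """Hard savings: incidents still happen, each one just costs less to handle."""
    return profile.incidents_per_year * (
        profile.cost_per_incident_before - profile.cost_per_incident_after
    )


def roi(tool: ToolCosts, profile: IncidentProfile, years: int) -> float:
    """Net return per dollar of TCO over `years` (0.0 means break-even)."""
    tco = total_cost_of_ownership(tool, years)
    return (years * annual_savings(profile) - tco) / tco


def payback_months(tool: ToolCosts, profile: IncidentProfile) -> Optional[float]:
    """Months until cumulative net savings cover the one-time spend; None if never."""
    net_per_month = (annual_savings(profile) - recurring_costs_per_year(tool)) / 12
    if net_per_month <= 0:
        return None
    return one_time_costs(tool) / net_per_month


def shared_cost_refund(fee: float, promised_savings: float,
                       achieved_savings: float, vendor_share: float = 0.5) -> float:
    """Performance-based pricing (item 4): the vendor refunds `vendor_share` of the
    fee in proportion to any shortfall against the savings it promised."""
    if promised_savings <= 0 or achieved_savings >= promised_savings:
        return 0.0
    shortfall = (promised_savings - achieved_savings) / promised_savings
    return vendor_share * fee * shortfall


def sample_scenario() -> Tuple[ToolCosts, IncidentProfile]:
    """Constructed inputs: 200 infections a year at the $4,000 each the post cites,
    automation assumed to cut each to $1,000; $50k/yr licence, $20k hardware,
    implementation at 5x the licence, $15k/yr admin labour."""
    tool = ToolCosts(license_per_year=50_000, hardware_one_time=20_000,
                     implementation_multiplier=5.0, ops_per_year=15_000)
    profile = IncidentProfile(incidents_per_year=200,
                              cost_per_incident_before=4_000,
                              cost_per_incident_after=1_000)
    return tool, profile


if __name__ == "__main__":
    tool, profile = sample_scenario()
    promised = annual_savings(profile)
    print(f"3-year TCO:     ${total_cost_of_ownership(tool, 3):,.0f}")
    print(f"Annual savings: ${promised:,.0f}")
    print(f"3-year ROI:     {roi(tool, profile, 3):.0%}")
    print(f"Payback:        {payback_months(tool, profile):.1f} months")
    print(f"Refund if only half the promised savings materialise: "
          f"${shared_cost_refund(tool.license_per_year, promised, promised / 2):,.0f}")
```

Run it as a script to print the sample scenario. The useful part for a buyer is which cell the vendor’s model leaves blank: ask explicitly for the implementation multiplier and the ongoing labour line, since that is where the five-times-the-tool surprise described above hides, and note that the payback calculation returns nothing at all when recurring costs eat the whole saving.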

Gib Sorebo

Security Associate Director, Accenture

Business Perspectives

