How to Calculate ROI on Cybersecurity Investment
By Tom Kellermann, CEO, Strategic Cyber Ventures
As a Chief Information Security Officer, you have the unenviable responsibility of presenting cybersecurity investment plans for the future while facing scrutiny of such investments from some stakeholders and pressure to cover all of the “what if” scenarios from the rest. One of the most difficult aspects of presenting cybersecurity investment projects is the difficulty in estimating a credible return on investment without fear mongering. Using the ROI equation outlined below, you can shift the focus from solutions that maximize brand protection, and start bringing stakeholders on board your initiatives today.
Major breaches over the last several years have forced organizational leaders to acknowledge the importance and responsibility of securing their respective networks. While avoiding a breach of the network may be the best measure of success, leaders would be wise to make the assumption that threat actors are already lurking within the network. Gone are the days of smash and grab cyber burglaries. After penetrating a network, a cybercriminal must explore the assets to determine where valuable information resides – and that exfiltration process takes time.
According to Verizon’s Data Breach Investigations Report (DBIR), 81.9% of compromises are caused by breaches that took minutes to accomplish, while 67.8% of compromises took days to reach the exfiltration stage. The DBIR noted that it took months for organizations to respond to a breach. The time in which attackers preside in a victim organization’s network is referred to as “dwell time.” As we collectively review how well our cybersecurity countermeasures have performed within the enterprise, we must take into consideration how well they have decreased the dwell time of attackers. This is a significant metric that should be tracked by every CISO.
“Gone are the days of smash and grab cyber burglaries.”
The Ponemon Institute has done some of the legwork in its recent report by drawing an association between dwell time and ROI. They have calculated that U.S. organizations pay around 4 dollars per customer post breach. In terms of brand, the report takes into consideration customer turnover, amplified customer acquisition efforts, and general “reputation losses and diminished goodwill.” According to the report, the factor that has the largest overall impact on cost is the time it takes to identify and contain a data breach.
Immediately following a breach, the first costs include the hiring of a third-party firm to provide a go forward path for the organization. Next, the victim organization must hire another third-party to conduct a full investigation to determine the total breadth of the damage. The communications and customer outreach efforts, needed to convey transparency and provide a public update, also require significant capital expenditures and often another third party. Of course, there are also the long-term costs associated with legal representation, settlements, and fines. According to Ponemon, the retention of customers is what contributes the greatest expenses: “The biggest financial consequence to organizations that experienced a data breach is lost business…organizations need to take steps to retain customers’ trust to reduce the long-term financial impact.”
In order to calculate more concrete costs built upon those notions and ultimately determine a ROI of our forthcoming cybersecurity investments, we can start with real costs associated with customer churn and elevated cost of customer acquisition and retention. While the cost “X” to acquire a customer is different for every organization, we do know that “X” increases significantly when the company develops a bad reputation. Moreover, retaining existing customers is costlier as breach-related churn is calculated around 2.9% in the United States. Variable “Y” represents the cost of churn avoidance. The “Z” value represents the loss of competitive advantage in instances where the adversary manages to exfiltrate not only customer data, but trade secrets successfully. Lastly, value “Q” provides a variable associated with the turnover of personnel, assuming that certain organizational team members were terminated.
Given the different size, industry, and magnitude of the breach, the multipliers associated with X, Y, Z, and Q are different for every organization [changed order]. It is important, however, to add these costs to the “four-million-dollar average” breach calculus. By industry, the coefficients for organizations in the financial sector will be amongst the highest.
The ROI equation in action:
(1.01*X*Quantity of New Customers) +
(1.05*Y*Quantity Affected Customers) +
((Revenue[Q4]−Revenue[Q3])*4/Sales & Marketing Expenses [Q3]) +
(S of Q Salaries New Hires and Fired Personnel Payouts) +
($4,000,000 Incident Response and Communications Costs) = T
These additional costs will all asymptote to zero as human memory fades, but not before causing long term damage, and as in the case of Yahoo, the damages get renewed more than once.
This equation creates the mathematical connection that the longer it takes to detect and contain a data breach, the more costly it becomes to resolve, and the harder a brand’s reputation is hit. As a CISO, when reviewing cybersecurity investments, you should turn your focus to investing in solutions that maximize brand protection. By using the ROI equation we’ve discussed, you can start shifting the perspective on cybersecurity initiatives with key stakeholders today. Responsibility to protect brands from cyber threats extend beyond CISOs. CMOs must prepare to defend their brand and company with dynamic tools and strategies to combat almost inevitable cybersecurity events. Avoiding a network breach is a corporation’s ultimate measure of success, though the supposition that an adversary is already on one’s network is foundational for mitigating cybercrime.
Need Help Calculating?
Do you need help determining your ROI on cybersecurity investment? Or need assistance to get on the same page with your executive leadership or board? Let CyberVista help. Learn more about Cyber Resolve, CyberVista’s cybersecurity board and executive training programs.