Communicating the value of security in dollars and cents to a board of directors can be a complicated endeavor.
To help with this conundrum, consultancy firm Booz Allen Hamilton has offered up its own methodology for determining an organization’s return on investment (ROI) in cybersecurity.
The goal, Booz Allen’s Leo Simonovich told SecurityWeek, is to provide a defensible, transparent and operational methodology for calculating the value of cybersecurity investments and managing investment decisions over time. To do so successfully, he said, organizations must analyze and consider metrics covering three areas: maturity, risk and finances.
“With clear risk, financial and maturity metrics, organizations can successfully identify their most pressing security gaps, allocate capital to initiatives that address these gaps, and continuously improve cyber risk mitigation capabilities over time,” he said.
The risk metrics should include indicators of an organization’s exposure to potential threats across its cyber value chain, while financial metrics should feature indicators of expected value produced by potential investments on an individual and portfolio basis, he said. Maturity metrics, meanwhile, should deal with an organization’s readiness and ability to mitigate a cyber attack successfully.
To establish cyber ROI, organizations need to take five key steps. The first is to evaluate the value chain.
“Understanding the enterprise’s existing security framework and how it currently identifies, protects and responds to cyber threats is an absolutely critical first step in the Cyber ROI process,” the firm notes in a new report on the issue. “This establishes a baseline to which all subsequent cyber investments are compared.”
“However, a security framework alone is not sufficient to drive cybersecurity success,” according to the report. “Instead, organizations should develop a cyber value chain that accurately reflects both the operating model and core functions of the business.”
The value chain analysis should have both an internal and external perspective, and include activities such as determining key control groups, identifying security gaps and collecting relevant benchmark data, the report states.
Steps two and three are assessing the impact of those controls and quantifying value, respectively. Once the value chain is established, organizations should develop a list of possible cyber projects that address security needs and analyze each project against the control groups defined within the value chain, Booz Allen advises in the report. To quantify value, enterprises need to consider three key cost avoidance metrics: cost to fix, opportunity cost and equity loss.
In most cases, organizations equate the term “equity loss” with the direct cost of a cyber attack; however, there are additional downstream costs as well that differentiate the value calculation, said Simonovich.
“Opportunity costs and equity losses include impacts that both influence and go beyond market capitalization – e.g., loss of revenue due to system downtime, fluctuations in stock price, compromise of intellectual capital, loss of customers, etc.,” he said. “While the cost to fix often accounts for the largest proportion of cyber attack damages, the downstream impacts from opportunity costs and equity losses can account for as much as 25 percent of the true total cost of a successful attack.”
Traditionally, he said, the primary challenges to quantifying value for cybersecurity have been a lack of access to reliable source data, building a methodology that considers the risk and impact of potential investments against an organization’s risk profile, and ensuring that the framework can be implemented repeatedly and operationalized as part of an organization’s business processes.
“The ever-evolving nature of the cybersecurity landscape requires that organizations view security as an ongoing activity,” said Simonovich. “Cyber ROI is most effective when implemented as a true investment management system that is incorporated into an organization’s ongoing capital planning process.”
The fourth step calls for CISOs to “socialize” the findings by articulating the value of cyber projects to decision makers using hard data and financial metrics. Finally, the report recommends organizations institutionalize the process of measuring cyber ROI.
“With investment budgets shrinking and no methodology to prove the financial worth of cybersecurity, many critical security needs will either be underfunded or completely unfunded,” Simonovich said. “Placing a value on cybersecurity investments helps CIOs and CISOs defend cybersecurity investment requests with traditional financial value metrics…and compete for available capital so that security issues are not overlooked.”