3 - 4 OCTOBER 2018 / EXCEL LONDON
Register Now
IP EXPOCyber SecurityDeveloperAI and AnalyticsIoTBlockchain

How to Calculate Return on Security Investment

Tuesday 11 September 2018

Ahead of IP Expo, Peter Smith, regional sales manager Europe at Netwrix Corporation tells us how to calculate return on security investment and why it’s important. 

In IT security, statements such as “It’s hard to measure the effectiveness of security investments; it’s like insurance: you know you need it, but you can’t put a value on it” are extremely common.  However, this attitude is a no-go for any effective IT manager. Companies will absolutely need a method for accurately calculating return on security investment (ROSI), so they can assess whether their cyber security strategy is meeting the goals of their organisation, and, if necessary, argue for additional budget.

Why classic ROI doesn’t work for return on security investment

This ROI equation works only for investments that yield positive results, such as cost savings or revenue enhancements. But what is a security investment? This kind of investment neither increases revenues directly nor provides immediate payback; rather, security investments are about risk management that results in loss prevention and risk mitigation. Thus, a ROSI calculation should indicate how much loss the organisation could avoid due to the security investment; therefore, a different formula is needed.

Choosing the right metrics for ROSI

To calculate ROSI, it’s important to ensure that the process is practical and delivers reliable and actionable results. It’s essential to make sure that the metrics are:

  • Easy to gather on a regular basis. If it costs a lot of time or money to gather the data needed, ROSI calculation will very quickly become a burden and outweigh any perceived benefit
  • Relevant to the business and the risks it faces

Modifying the ROSI formula with additional metrics

Modifying the quantitative risk analysis formula by including additional criteria that are industry-specific or just more important for the organisation. Here are some examples:

  • Risk profile versus industry peers — Comparing the company’s security budget and execution to peers within the industry can be quite useful. Industry-specific research will help identify quantitative best practices, learn what threats peers encounter and how they address them
  • Compliance status — If a company is subject to a new compliance standard or wants to improve its compliance with an existing one, they should include their compliance status as a factor when evaluating security investments. This data can be gathered by conducting regular internal audits to check whether processes align with the security frameworks mandated by the standard, checking the grades on recent audits, and determining what areas companies may need to work on.
  • Organisational readiness to address incidents — Another way to be prepared is for companies to divide security professionals into two groups: one team attacks the infrastructure and the other group defends it. By conducting these games occasionally, organisations will be able to track performance of team members during the attack, test the effectiveness of their security programme and investments, and compare the results they achieve with the previous games.

Taking the time to calculate ROSI before making an investment and regularly calculating it for existing investments can deliver more benefits than one might think. Accurately calculated, ROSI will give companies the actionable and reliable data needed to figure out whether efforts support the IT security strategy and reduce cyber risks, determine whether current security spending is justified, adjust budgets by reallocating resources to priority issues, or request additional investments.

If you are interested in learning more about how to calculate your ROSI, drop by stand CC6 to ask Peter for some more information. Register now for IP EXPO Europe at www.ipexpoeurope.com 

IP EXPO Europe Colocated at Digital Transformation EXPO

Register Now for Europe's number ONE enterprise IT event

IP EXPO takes place on 3-4 October 2018 at ExCeL London. This unmissable event is your one stop shop for digital transformation and covers every vertical you need to consider for successful implementation. Including network and hardware, cybersecurity, developer community, AI and analytics, IoT and Blockchain.

Ensure you register now for the ONE show you cannot afford to miss!

Top