The Art and Science of Calculating ROI for Security Software: Is It Really A Risk Management Calculation?
By: Arti Loftus
Originally published on TechZone 360
Can enterprises and organizations really measure the Return on Investment in digital security solutions? It is not easy, but it is possible when the challenges being solved are looked at through different lenses.
Developing IT budgets for the new year is never easy, and it is especially hard for 2021 given the constant uncertainty we are facing in 2020, including the requirement to secure at-home working, where access to data is more difficult to safeguard.
When information security professionals recommend and request funding, they are always confronted with the question – how much will it cost, how much will it save, and why should we spend on this compared to other needs?
How long will it take for this investment to pay for itself, either in the form of new revenue or saved costs?
Security investments historically have never been intended to generate new revenue. That is changing, as more customers insist on security and as more “commerce” happens in the cloud, with data exchanged over APIs, for example. It is now possible to make the case that a more secure infrastructure and environment makes platforms and digital services better for customers, and while that is a stretch to calculate, it is a growing reality.
Still, to a large degree, security professionals are paid to make sure nothing bad happens, and if it does, the issue will be resolved immediately.
The best cybersecurity solutions are often invisible to most, including the C-Suite and Board of Directors, but that is also changing dramatically. Board members are asking good questions, and CEOs are no longer limiting responsibility to a VP- or Director-level IT person; rather, they are empowering CISOs, along with CMOs, CTOs, and COOs, because the risk has grown and high-profile cases draw intense media coverage, and some breach victims have gone bankrupt.
Hard numbers are available on the costs of many high-profile security breaches. The Target credit card breach cost the company over $300 million. Equifax has paid out over $650 million to settle claims over its massive data breach. Capital One’s 2019 breach cost over $300 million.
This week, Ironsphere, a New Jersey-based Privileged Access Management security software provider, introduced a Risk Management Calculator designed to determine the ROI based on specific attributes and levers.
“PAM is an information security and governance tool our clients use to prevent data breaches and attacks through the close and automated management of privileged accounts,” said Orhan Yildirim, CTO, Ironsphere. “A PAM solution consistently protects management accounts, controls privileged user access, enforces segregation of duties, logs user sessions and activities, provides accounting, compliance auditing, and operational efficiency, and helps to prevent security breaches, which have been documented to cost from $4M to $400M, depending on the number of records compromised and the value of the related data.”
Yildirim explained that IT managers and network administrators must efficiently secure access, control configurations, and log all activities in the data center or network infrastructure, where any failure to access privileged accounts could result in a material impact on business continuity.
Historically, organizations have invested in software and hardware focused on securing the perimeter of their networks, but today PAM plays a critical role in protecting assets and mitigating risk, given that 81% of all data breaches in 2019 were linked to lost or stolen user credentials, and 43% of successful breaches were linked to internal actors, according to the Verizon Data Breach Investigations Report (DBIR).
“As regulatory pressures mount, penalties rise, and reputational damage is done when breaches are made public, an investment in PAM goes beyond technical and tactical, to strategic and smart,” said Orhan Yildirim. “IT and OT teams, especially in large enterprises and government organizations, are under unprecedented pressure to keep work flowing, while protecting networks, applications, and data, and complying with increasingly complex regulations and avoiding large fines.”
When developing 2021 budgets and information security vendor ROI calculations, Yildirim said it is important to use all available data, both internal and external, to make the case. “Remind your management team and boards that there are several advantages: reducing labor costs and being able to track and respond using advanced automation while also insuring against reputational damage that could, in fact, be priceless.”
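To make the “use all available data” advice concrete, here is an added worked example of the kind of risk-management ROI calculation the article is describing. It is not Ironsphere’s calculator and not code from the original page; it uses the standard annualized-loss-expectancy model (ALE = single loss expectancy × annual rate of occurrence) and the return-on-security-investment ratio ROSI = (risk reduction − control cost) / control cost. All dollar figures, occurrence rates, and mitigation percentages below are constructed assumptions for illustration, not data from the article or from any vendor.

```python
"""Worked risk-management ROI model for a security control such as PAM.

Added example, not from the original article or any vendor tool.
All figures are constructed assumptions; replace them with your own
internal incident data and external benchmarks (e.g. breach-cost studies).
"""
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class RiskScenario:
    """One loss scenario the control is expected to reduce."""
    name: str
    sle: float          # single loss expectancy: USD lost per incident
    aro: float          # annualized rate of occurrence: incidents per year
    mitigation: float   # fraction of ALE the control removes, 0.0..1.0

    def __post_init__(self) -> None:
        if not 0.0 <= self.mitigation <= 1.0:
            raise ValueError(f"{self.name}: mitigation must be in [0, 1]")
        if self.sle < 0 or self.aro < 0:
            raise ValueError(f"{self.name}: sle and aro must be non-negative")

    def ale(self) -> float:
        """Annualized loss expectancy before the control."""
        return self.sle * self.aro

    def residual_ale(self) -> float:
        """Annualized loss expectancy after the control."""
        return self.ale() * (1.0 - self.mitigation)


@dataclass(frozen=True)
class Control:
    """Cost side of the investment."""
    name: str
    one_time_cost: float          # licences, deployment, integration
    annual_cost: float            # support, maintenance, admin labour
    annual_labour_savings: float  # manual work the automation displaces


def risk_reduction(scenarios: Sequence[RiskScenario]) -> float:
    """Total ALE removed per year across all scenarios."""
    return sum(s.ale() - s.residual_ale() for s in scenarios)


def annual_cost_of_control(control: Control, years: int) -> float:
    """One-time cost amortized over `years`, plus net recurring cost."""
    return (control.one_time_cost / years
            + control.annual_cost
            - control.annual_labour_savings)


def rosi(scenarios: Sequence[RiskScenario], control: Control, years: int = 3) -> float:
    """Return on security investment: (benefit - cost) / cost, per year."""
    cost = annual_cost_of_control(control, years)
    if cost <= 0:
        raise ValueError("control pays for itself from labour savings alone; ROSI undefined")
    return (risk_reduction(scenarios) - cost) / cost


def payback_months(scenarios: Sequence[RiskScenario], control: Control) -> Optional[float]:
    """Months until the one-time cost is recovered, or None if it never is."""
    monthly_benefit = (risk_reduction(scenarios)
                       + control.annual_labour_savings
                       - control.annual_cost) / 12.0
    if monthly_benefit <= 0:
        return None
    return control.one_time_cost / monthly_benefit


def break_even_mitigation(scenarios: Sequence[RiskScenario], control: Control, years: int = 3) -> float:
    """Fraction of total pre-control ALE the control must remove just to cover its cost.

    Useful as a sanity check: if a vendor's claimed effectiveness is far above
    this number, the ROI case is robust; if it is close, the case is fragile.
    """
    ale_before = sum(s.ale() for s in scenarios)
    return annual_cost_of_control(control, years) / ale_before


# Constructed sample inputs (hypothetical numbers, not from the article).
SCENARIOS = [
    RiskScenario("external breach via stolen privileged credential", sle=4_000_000, aro=0.1, mitigation=0.6),
    RiskScenario("insider misuse of shared admin account", sle=500_000, aro=0.5, mitigation=0.7),
]
PAM = Control("privileged access management", one_time_cost=150_000, annual_cost=60_000, annual_labour_savings=40_000)

if __name__ == "__main__":
    for s in SCENARIOS:
        print(f"{s.name}: ALE ${s.ale():,.0f} -> residual ${s.residual_ale():,.0f}")
    print(f"annual risk reduction: ${risk_reduction(SCENARIOS):,.0f}")
    print(f"amortized annual cost: ${annual_cost_of_control(PAM, 3):,.0f}")
    print(f"ROSI (3-year amortization): {rosi(SCENARIOS, PAM):.2f}x")
    print(f"payback: {payback_months(SCENARIOS, PAM):.1f} months")
    print(f"break-even mitigation: {break_even_mitigation(SCENARIOS, PAM):.1%}")
```

The model is deliberately simple: the numbers that matter most, and that are hardest to defend in front of a board, are the occurrence rate and the mitigation fraction, so `break_even_mitigation` tells you how far the claimed effectiveness can fall before the investment stops paying for itself. Labour savings from automation (session logging, account rotation, access reviews) are counted as an offset to the control’s recurring cost, which is the “reducing labor costs” argument from the quote above expressed in the same units as the risk figures.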
While cybersecurity has always been a concern, it has become increasingly significant in the recent past, with a higher frequency of incidents, including large attacks, which can have massive economic consequences and can even be deadly. Data, including healthcare data, is more valuable to cybercriminals than ever, but in the rush to digital transformation (and responses to crises, including the 2020 Covid-19 pandemic), organizations of all sizes are unintentionally opening themselves up to the largest source of data breaches: compromised credentials and unmanaged privileged access.