The Art and Science of Calculating ROI for Security Software: Is It Really A Risk Management Calculation?
By: Arti Loftus
Originally published on TechZone 360
Can enterprises and organizations really measure the Return on Investment in digital security solutions? It is not easy, but it is possible when the challenges being solved are looked at through different lenses.
Developing IT budgets for the new year is never easy, and it is especially hard for 2021, given the constant uncertainty we are facing in 2020, including the requirement to secure at-home working, where access to data is more difficult to safeguard.
When information security professionals recommend and request funding, they are always confronted with the question – how much will it cost, how much will it save, and why should we spend on this compared to other needs?
How long will it take for this investment to pay for itself, either in the form of new revenue or saved costs?
Security investments historically have never been intended to generate new revenue. That is changing, as more customers are insisting on security and as more “commerce” is happening in the cloud, with the exchange of data using APIs, for example. It is now possible to make the case that a more secure infrastructure and environment make platforms and digital services better for customers, and while that is a stretch to calculate, it is a growing reality.
Still, to a large degree, security professionals are paid to make sure nothing bad happens, and if it does, the issue will be resolved immediately.
The best cybersecurity solutions are often invisible to most, including the C-Suite and Board of Directors, but that is also changing dramatically. Board members are asking good questions, and CEOs are no longer limiting responsibility to a VP- or Director-level IT person; rather, they are empowering CISOs, along with CMOs, CTOs, and COOs, because the threat risk has grown, and high-profile cases are getting extreme media coverage, which has driven some victims of breaches into bankruptcy.
Hard numbers are available on the costs of many high-profile security breaches. The Target credit card breach cost the company over $300 million. Equifax has paid out over $650 million to settle claims over its massive data breach. Capital One’s 2019 breach cost over $300 million.
This week, Ironsphere, a New Jersey-based Privileged Access Management security software provider, introduced a Risk Management Calculator designed to determine the ROI based on specific attributes and levers.
“PAM is an information security and governance tool our clients use to prevent data breaches and attacks through the close and automated management of privileged accounts,” said Orhan Yildirim, CTO, Ironsphere. “A PAM solution consistently protects management accounts, controls privileged user access, enforces segregation of duties, logs user sessions and activities, provides accounting, compliance auditing, and operational efficiency, and helps to prevent security breaches, which have been documented to cost from $4M to $400M, depending on the number of records compromised and the value of the related data.”
Yildirim explained that IT managers and network administrators must efficiently secure access, control configurations, and log all activities in the data center or network infrastructure, where any failure to access privileged accounts could result in a material impact on business continuity.
Historically, organizations have invested in software and hardware focused on securing the perimeter of their networks, but today PAM plays a critical role in protecting assets and mitigating risk, given that 81% of all data breaches in 2019 were linked to lost or stolen user credentials, and 43% of successful breaches were linked to internal actors, according to the Verizon Data Breach Investigations Report (DBIR).
“As regulatory pressures mount, penalties rise, and reputational damage is done when breaches are made public, an investment in PAM goes beyond technical and tactical, to strategic and smart,” said Orhan Yildirim. “IT and OT teams, especially in large enterprises and government organizations, are under unprecedented pressure to keep work flowing, while protecting networks, applications, and data, and complying with increasingly complex regulations and avoiding large fines.”
When developing 2021 budgets and information security vendor ROI calculations, Yildirim said it is important to use all available data, both internal and external, to make the case. “Remind your management team and boards that there are several advantages: reducing labor costs and being able to track and respond using advanced automation while also insuring against reputational damage that could, in fact, be priceless.”
While cybersecurity has always been a concern, it has become increasingly significant in the recent past, with a higher frequency of incidents, including large attacks, which can have massive economic consequences and can even be deadly. Data, including healthcare data, is more valuable to cybercriminals than ever, but in the rush to digital transformation (and responses to crises, including the 2020 Covid-19 pandemic), organizations of all sizes are unintentionally opening themselves up to the largest source of data breaches.
We have all found ourselves in a different world of work given the events that have defined 2020, and few professionals are feeling the pressure more than IT and OT teams.
Just as cyber risks evolve, the evolution of risk appetite frameworks is more active than ever. With more sophisticated adversaries, more digital transformation initiatives, more mobile workers, ecosystem partnerships, and connectivity to multiple clouds and services, enlightened management teams and their boards are updating their levels of “risk tolerance.”
Two-factor authentication has been around for decades – requiring an additional step between entering a username and password, for example, then entering a one-time security code sent to a mobile device – to access applications, systems and data.