Demonstrating Return On Investment (ROI) for security spend can be difficult, as it’s not always easy to quantify or assign a monetary value against it.
In most cases, the cost of a breach is cited to justify the spend on technology, personnel or services. However, this does not always articulate the best business case for budget.
So what are the key drivers within any organisation, and which ones demonstrate true ROI?
- Competitive advantage
- Best practice/assurance
- External audit
- Contractual obligation with a supply chain/bid or procurement process
Whilst most organisations will be subject to more than one of the above, it can be useful to identify which ones have a true ROI for your organisation.
Want further advice on identifying ROI for security spend or planning key security objectives? Book a Node4 Security Workshop.
There are very few industries remaining that can state that enhanced security provides a true competitive advantage and places them ahead of their competitors.
Security is now a must for most industry sectors and a rite of passage to do business. Eight plus years ago, competitive advantage was cited as a reason why security should be adopted by organisations, but by today’s standards, this no longer remains true.
Good security practice is a requirement, and this reason alone does not present an effective business case or demonstrate true ROI.
Organisations adopting best practice can certainly enhance the protection of their intellectual property, reduce the risk of disruption to Business As Usual activities and protect critical data assets.
However, best practice can be a difficult approach to quantify and an expensive exercise. It will differ for each industry, and is typically aligned to business strategy and regulatory/compliance requirements.
Can true ROI be presented by citing best practice as a business case? It certainly presents a strong statement to customers and partners, but will require heavy investment to achieve and maintain.
Some regulations are mandated regardless of industry sector (e.g. data privacy), and some are specific to industry verticals (e.g. FCA, ITAR, HIPAA).
Regulatory frameworks are often open to interpretation and can leave organisations trying to determine what they should be doing to comply. Regulation is also deemed to be a less inspiring reason to invest in security, and the expenditure associated with it is the cost of doing business rather than true ROI.
Compliance, in particular PCI-DSS, is seen as a heavy investment for a business to swallow, as the standard requires significant investment in people, processes and technology.
However, PCI-DSS pushes organisations to ensure they are adopting essential security practices, such as ongoing penetration testing, phishing exercises, adoption of a SIEM and resilience within their network.
Organisations subject to external audits will react to the output from these audits.
In most cases, the audits will mirror regulatory requirements or the requirements of the organisation’s group (if it is part of one). Gaps identified by an audit can require additional budget, or budget to be reallocated, which places a strain on organisations that haven’t planned for this expenditure.
Contractual obligation with a supply chain/bid or procurement process
Most agreements between organisations will include the security requirements that must be adhered to for them to work together, so that they collectively protect each other’s data or networks.
Organisations will differ in approach depending on their risk appetite, but there are common controls that all organisations should expect to see in the terms of doing business. For example:
- Annual penetration testing
- Phishing assessments
- A SIEM or SOC to monitor events and respond to incidents that occur
- Regular firewall audits
- Managed vulnerability scanning
I’d argue that adhering to contractual obligations is where security truly demonstrates tangible ROI. The ROI for most organisations can be defined as follows:
- Maintenance of existing service agreements.
- Streamlining the onboarding of new customers. Security audits can certainly slow down the sign-off process of any business.
- Continued assurance to their customers that they are adhering to contractual obligations.
Which security controls are typically required for working with a supplier/customer?
Security certifications and information security frameworks like ISO 27001 or IASME are typically the first items on most security questionnaires. Whilst they carry a significant commitment in terms of time and cost, if implemented correctly they can demonstrate a clear commitment to the supply chain or customer.
Finally, if you want to work with government agencies, Cyber Essentials and Cyber Essentials Plus are a must-have when tendering.