Cybersecurity professionals generally believe that assessing security investment involves evaluating how much potential loss could be saved by an investment.
In other words, the monetary value of the investment has to be compared with the monetary value of the risk reduction.
Often, this monetary value of risk can be estimated by a quantitative risk assessment.
It’s important to understand that the classical financial approach to ROI calculation is not particularly appropriate for measuring security-related initiatives, because security is not generally an investment that results in a profit.
Security is more about loss prevention. In other terms, when you invest in security you don’t expect benefits; you expect to reduce the risks threatening your assets. Consequently, a quantitative assessment of a return on security investment is done by calculating how much loss you avoided thanks to your investment.
Even so, it can be challenging to compare the cost of a cyber-attack with the cost of a cybersecurity investment, given that the result of a successful cybersecurity solution is the absence of an incident.
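The comparison described above (value of the risk reduction versus cost of the investment) is easiest to reason about with a concrete calculation. The following is an added example, not code from the original page or from Tonex; it assumes the common SLE × ARO model for quantitative risk (single loss expectancy times annualized rate of occurrence gives the annualized loss expectancy, ALE), expresses loss avoided as ALE times an analyst-estimated mitigation ratio, and defines ROSI as (loss avoided − cost) / cost. All scenario names and dollar figures are constructed for illustration. It goes slightly beyond the text by ranking several candidate controls and by showing how sensitive the result is to the frequency estimate, which is usually the least certain input.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class RiskScenario:
    """A single loss scenario in quantitative terms (assumed SLE x ARO model)."""
    name: str
    sle: float  # single loss expectancy: cost of one incident, in dollars
    aro: float  # annualized rate of occurrence: expected incidents per year

    def ale(self) -> float:
        """Annualized loss expectancy: expected yearly loss with no new control."""
        return self.sle * self.aro


@dataclass(frozen=True)
class Control:
    """A candidate security investment and the share of the loss it is
    expected to prevent (mitigation_ratio is an analyst estimate in 0..1)."""
    name: str
    annual_cost: float
    mitigation_ratio: float


def loss_avoided(scenario: RiskScenario, control: Control) -> float:
    """Monetary value of the risk reduction: the part of the ALE the control removes."""
    return scenario.ale() * control.mitigation_ratio


def rosi(scenario: RiskScenario, control: Control) -> float:
    """Return on security investment: (loss avoided - cost) / cost.
    Positive means the control saves more than it costs; negative means it does not."""
    return (loss_avoided(scenario, control) - control.annual_cost) / control.annual_cost


def breakeven_mitigation(scenario: RiskScenario, annual_cost: float) -> float:
    """Smallest mitigation ratio at which a control of this cost pays for itself."""
    return annual_cost / scenario.ale()


def rank_controls(scenario: RiskScenario, controls: Iterable[Control]) -> List[Tuple[str, float]]:
    """Candidate controls ordered from best to worst ROSI for one scenario."""
    scored = [(c.name, rosi(scenario, c)) for c in controls]
    return sorted(scored, key=lambda item: item[1], reverse=True)


def rosi_sensitivity(scenario: RiskScenario, control: Control,
                     aro_values: Iterable[float]) -> Dict[float, float]:
    """ROSI recomputed under alternative ARO estimates; a control that looks
    good at one frequency estimate can be a net loss at another."""
    return {aro: rosi(RiskScenario(scenario.name, scenario.sle, aro), control)
            for aro in aro_values}


# Constructed sample inputs (not real figures): one breach scenario and three
# hypothetical controls with made-up costs and mitigation estimates.
credential_breach = RiskScenario("credential phishing leading to data breach",
                                 sle=200_000.0, aro=0.5)  # ALE = 100,000/yr
mfa = Control("phishing-resistant MFA", annual_cost=30_000.0, mitigation_ratio=0.6)
training = Control("awareness training", annual_cost=10_000.0, mitigation_ratio=0.15)
logging_platform = Control("extended logging platform", annual_cost=80_000.0,
                           mitigation_ratio=0.5)
candidates = [mfa, training, logging_platform]

if __name__ == "__main__":
    print(f"ALE without new controls: ${credential_breach.ale():,.0f}/yr")
    for name, value in rank_controls(credential_breach, candidates):
        print(f"  {name:28s} ROSI = {value:+.2f}")
    print(f"break-even mitigation for a $30k control: "
          f"{breakeven_mitigation(credential_breach, 30_000.0):.0%}")
    for aro, value in rosi_sensitivity(credential_breach, mfa, [0.1, 0.5, 1.0]).items():
        print(f"  MFA at ARO={aro}: ROSI = {value:+.2f}")
```

With these constructed inputs the MFA control avoids $60,000 of a $100,000 ALE for $30,000, a ROSI of +1.0, while the logging platform removes half the loss yet still shows a negative ROSI because it costs more than the loss it avoids; the sensitivity table shows the same MFA control turning negative if the breach frequency is really one in ten years rather than one in two.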
Last year, the global average data breach cost grew 9.8% to $4.24 million. But it’s important to remember that not all costs are monetary. Organizations may not be considering the various repercussions that could cost their business, including factors such as:
- Business disruption, which impacts use and reputation and can result in the loss of customers or revenue.
- Detection and response activities, including proactive and reactive strategies such as forensics and crisis management.
- Communications and negotiations with stakeholders, including data subjects, regulators, and third parties.
- Insurance and legal activity, including victim assistance and increased challenges securing coverage.
When implementing a cybersecurity initiative, leadership must focus on solutions that reduce business risk, comply with regulations or contractual agreements, reduce ongoing costs, and meet business objectives.
Want to learn more? Tonex offers Cost of Security: Balancing Investment and Risk Training, a 2-day course where participants learn to define COSE and distinguish between various types of security costs.
Participants also learn to evaluate the financial impact of security threats and breaches on an organization as well as develop strategies for efficient allocation of security resources for maximum protection.
This course is designed for cybersecurity professionals, risk management officers, IT managers, financial analysts, and senior executives responsible for making decisions about security investments and policies in their organizations.
For more information, questions, comments, contact us.