
How to express cyber risk ROI to motivate for budget

With ever-evolving cyber threats, there needs to be ever-increasing protection, which requires more budget. However, ROI is still a priority.
By Tim Wood, Executive head, information systems and technology, Vox.
Johannesburg, 23 Feb 2023

Anyone who has presented a cyber security strategy and asked for more budget will understand it is not an easy conversation to have.

This is not because companies fail to understand the importance of protecting their systems. It is because ever-evolving threats demand ever-increasing protection, which costs more, and without some kind of return on investment (ROI) metric in place, the request is a very difficult sell.

Let’s be clear: nothing I discuss here is set in stone, and it is theoretical, but it is a base from which to build a cyber security budget and express an ROI.

At the outset, it is important to emphasise that businesses should consult reputable security experts when defining their approach to the mitigation of cyber risk. The stakes are high, and the challenges are varied and complex, requiring qualified, experienced counsel.

When considering a response to cyber risks, the cost of implementation of controls needs to be viewed against the cost of an incident or breach. The appropriate budget must be proposed in the context of the impact of a threat on the business.

Determining what that budget should be is one of the biggest challenges facing a business. There are a number of steps one should follow: identifying control gaps, rating and prioritising risks, and reviewing the options to mitigate the priority risks, which − as mentioned already − is best done when engaging with experts in the field.


The next step is calculating the cost of implementation, which needs to take into account the opportunity cost of the investment, the opportunity cost of internal resource time, the cost of outsourced services and the cost of the hardware and software.

Once this is done, the next step is to calculate the cost of a security breach, and this is where the real challenge starts because, quite frankly, there is no easy blueprint to do this.

What is certain though, is that there are a few factors that need to be built into the calculation. These include the actual cost to fix the problem, the cost to the business of downtime, legal costs, the expense of fines, payment of ransoms − which is controversial but is a reality − and then trying to quantify the cost of reputational damage. If IP is actually stolen, this cost needs to be calculated, too.

Once a business has reached this point, it is possible to express an ROI. Remember, we are working off a theoretical base here, but ROI can be expressed as the reduction in the annual expected cost of an incident, as a percentage of the annual cost of implementing the control over a financial year.

How would you do this? ROI equals the annual expected cost of the incident without the mitigating control, minus the annual expected cost of the incident once the mitigating control is implemented.

Divide this by the annual cost of the mitigating control and multiply by 100 to get a percentage. Put simply: risk before minus risk after, divided by the cost of mitigation, multiplied by 100, gives ROI as a percentage.
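To make the arithmetic concrete, here is a worked example of the formula above, added by the editor and not part of the original column. It prices a single incident from the cost components listed earlier (remediation, downtime, legal, fines, ransom, reputational damage, IP loss), annualises it with an assumed incident frequency, prices each candidate control from the four implementation-cost components (hardware and software, outsourced services, internal time, opportunity cost of the capital), and then ranks the controls by ROI. All figures, control names and frequencies are constructed for illustration and are not real data.

```python
"""Worked cyber-risk ROI calculation: (risk before - risk after) / control cost x 100."""
from dataclasses import dataclass


@dataclass
class BreachCost:
    """Cost components of a single incident, following the article's list.

    Every field is a constructed figure for illustration, not real data.
    """
    remediation: float = 0.0      # actual cost to fix the problem
    downtime: float = 0.0         # cost to the business of downtime
    legal: float = 0.0
    fines: float = 0.0
    ransom: float = 0.0           # controversial, but a reality
    reputational: float = 0.0     # the hardest component to quantify
    ip_loss: float = 0.0          # only if IP is actually stolen

    def total(self) -> float:
        return (self.remediation + self.downtime + self.legal + self.fines
                + self.ransom + self.reputational + self.ip_loss)


@dataclass
class ControlCost:
    """Annual cost of implementing a control, following the article's four components."""
    hardware_software: float = 0.0
    outsourced_services: float = 0.0
    internal_time: float = 0.0        # opportunity cost of internal resource time
    capital_opportunity: float = 0.0  # opportunity cost of the investment itself

    def total(self) -> float:
        return (self.hardware_software + self.outsourced_services
                + self.internal_time + self.capital_opportunity)


def annual_expected_cost(incident_cost: float, incidents_per_year: float) -> float:
    """Annual expected cost = cost of one incident x expected incidents per year."""
    if incident_cost < 0 or incidents_per_year < 0:
        raise ValueError("incident cost and frequency must be non-negative")
    return incident_cost * incidents_per_year


def roi_percent(risk_before: float, risk_after: float, control_cost: float) -> float:
    """The article's formula: (risk before - risk after) / annual control cost x 100.

    A zero-cost control has no defined ROI, so refuse it rather than divide by zero.
    """
    if control_cost <= 0:
        raise ValueError("annual control cost must be positive")
    return (risk_before - risk_after) / control_cost * 100.0


def pays_for_itself(roi: float) -> bool:
    """Below 100% the control costs more per year than the expected loss it removes."""
    return roi >= 100.0


def rank_controls(risk_before: float, options: dict) -> list:
    """Return [(name, roi_percent)] best-first. options maps name -> (risk_after, ControlCost)."""
    ranked = [(name, roi_percent(risk_before, risk_after, cost.total()))
              for name, (risk_after, cost) in options.items()]
    return sorted(ranked, key=lambda pair: pair[1], reverse=True)


# Constructed scenario (illustrative numbers in an arbitrary currency unit):
# a ransomware incident against a mid-sized business, no ransom paid, no IP stolen.
BREACH = BreachCost(remediation=400_000, downtime=1_200_000, legal=150_000,
                    fines=250_000, ransom=0, reputational=500_000, ip_loss=0)
BASELINE_FREQUENCY = 0.2  # assumed: one such incident every five years
RISK_BEFORE = annual_expected_cost(BREACH.total(), BASELINE_FREQUENCY)

# Hypothetical candidate controls, each with an assumed residual incident frequency.
OPTIONS = {
    "edr_plus_offline_backups": (
        annual_expected_cost(BREACH.total(), 0.05),
        ControlCost(hardware_software=120_000, outsourced_services=60_000,
                    internal_time=40_000, capital_opportunity=10_000)),
    "managed_soc_24x7": (
        annual_expected_cost(BREACH.total(), 0.02),
        ControlCost(outsourced_services=540_000, internal_time=50_000,
                    capital_opportunity=10_000)),
    "annual_awareness_training_only": (
        annual_expected_cost(BREACH.total(), 0.18),
        ControlCost(outsourced_services=30_000, internal_time=70_000)),
}

if __name__ == "__main__":
    print(f"single incident cost: {BREACH.total():,.0f}")
    print(f"annual expected cost before controls: {RISK_BEFORE:,.0f}")
    for name, roi in rank_controls(RISK_BEFORE, OPTIONS):
        verdict = "pays for itself" if pays_for_itself(roi) else "costs more than it saves"
        print(f"{name:32s} ROI {roi:7.1f}%  ({verdict})")
```

Two things worth reading off the output: the cheapest control is not the best one (the training-only option scores lowest because it barely moves the incident frequency), and the most comprehensive control scores below 100%, meaning its annual cost exceeds the annual risk it removes under these assumptions. A result under 100% is the signal that a proposal needs either a cheaper delivery model or a larger scope of risk to justify it; it is not a sign the formula has failed.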

Naturally, this would come with a host of caveats but it is sufficient to determine ROI for a budget motivation for a single solution addressing a specific scope; however, it does not necessarily provide the full picture.

Any security strategy needs to have a holistic view of cyber protection and needs to build layers of controls that will provide defence in depth.

Security fabric is a concept that calls for multiple layers of security, which are built into the design of the security solution. In theory, this means it is less likely that organisations will have vulnerable gaps that criminals could exploit.

This is a different approach to an organisation having a host of individual solutions from multiple vendors.

A drawback here is that an organisation may find itself locked in to a single vendor, which by its nature results in some strong areas and some weak ones, depending on that vendor’s underlying software capability.

This is where a competent security partner can review the environment and advise on a holistic strategy with appropriate solutions for each unique business.

In my next Industry Insight, I will unpack how to view a controlled environment holistically, and how there may be a cumulative diminishing ROI with the addition of further security controls and a few important controls to improve risk mitigation.
