Cybersecurity ROI: An Oxymoron?

Return on investment: is it worth the money? That is the central question in both government and industry when deciding on any procurement. Demonstrating ROI on cybersecurity products is notoriously difficult, and is one of the underlying reasons for the poor state of our nation’s cybersecurity posture.

But here’s the rub: showing tangible ROI on cybersecurity products is difficult because it rests on hypotheticals. “If we didn’t have this product, we would have been breached 17 times instead of three” is hard to prove. Consequently, many security professionals in both the public and private sectors look askance at claims of ROI and decide it is a lost cause when evaluating cybersecurity products.

Even so, demonstrating the value of a security expenditure is essential to obtain continued funding and support. How is it possible to demonstrate ROI without relying on imaginary scenarios? Let’s look at some approaches that can resonate with bean-counters.

Suppose your agency has procured and deployed a threat-intelligence sharing system. Did security staff respond to more intrusions before the deployment? If the number is lower and can be attributed to the system, that shows ROI. Perhaps a more pertinent metric, though, is the ratio of attempted intrusions to successful breaches: did the percentage go down? If so, you can demonstrate tangible ROI by including the labor rate of the employees responding to incidents.

POA&M closure is another metric: are you closing them more quickly than before the procurement? If so, are the closures attributable to the system you installed? How does the projected cost of closing a POA&M compare to the actual cost? Projected costs are somewhat speculative, of course, but this approach at least uses some concrete financial metrics.

Some Security Information and Event Management (SIEM) systems charge by the byte for data processing. Are there pre-processing systems that can normalize and de-duplicate the data going to the SIEM, thus reducing the total cost of ownership of the SIEM?
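As an added illustration of the pre-processing idea above (example code, not from the article), here is a small Python de-duplicator that strips the variable fields from constructed syslog lines, collapses repeated events into one record with a count, and reports the byte reduction and the ingest cost avoided at an assumed per-GB SIEM rate. The sample lines, the normalization rules and the rate are all assumptions.

```python
import re
from collections import OrderedDict

# Constructed sample syslog lines (not from the article): three repeats of one
# firewall drop and two distinct SSH failures.
SAMPLE_LOGS = [
    "Jan 10 12:00:01 fw01 kernel: DROP src=10.0.0.5 dst=10.0.0.9 proto=TCP dpt=22",
    "Jan 10 12:00:01 fw01 kernel: DROP src=10.0.0.5 dst=10.0.0.9 proto=TCP dpt=22",
    "Jan 10 12:00:02 fw01 kernel: DROP src=10.0.0.5 dst=10.0.0.9 proto=TCP dpt=22",
    "Jan 10 12:00:03 web01 sshd[2211]: Failed password for invalid user admin from 10.0.0.7 port 51422 ssh2",
    "Jan 10 12:00:04 web01 sshd[2212]: Failed password for invalid user admin from 10.0.0.7 port 51423 ssh2",
]

SYSLOG_TS = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} ")
PID_TAG = re.compile(r"\[\d+\]")


def normalize(line):
    """Strip the syslog timestamp and process id so repeats of one event compare equal.
    Hosts, addresses and ports are kept, so genuinely distinct events stay distinct."""
    return PID_TAG.sub("", SYSLOG_TS.sub("", line))


def deduplicate(lines):
    """Collapse repeated events in a batch into one record carrying a repeat count,
    in first-seen order (the same idea as syslog's 'last message repeated N times')."""
    counts = OrderedDict()
    for line in lines:
        key = normalize(line)
        counts[key] = counts.get(key, 0) + 1
    return [f"{key} count={n}" for key, n in counts.items()]


def volume_report(lines, dollars_per_gb):
    """Byte volume before and after pre-processing, plus the ingest cost avoided
    at an assumed per-GB SIEM rate (a placeholder, not a vendor figure)."""
    raw = sum(len(line.encode()) + 1 for line in lines)  # +1 for the newline
    reduced = sum(len(line.encode()) + 1 for line in deduplicate(lines))
    saved = raw - reduced
    return {
        "raw_bytes": raw,
        "reduced_bytes": reduced,
        "reduction_pct": round(100.0 * saved / raw, 1),
        "dollars_saved": saved / 1_000_000_000 * dollars_per_gb,
    }


if __name__ == "__main__":
    for record in deduplicate(SAMPLE_LOGS):
        print(record)
    print(volume_report(SAMPLE_LOGS, dollars_per_gb=2.50))
```

Run against a day of real SIEM input, the before/after byte counts give the concrete per-byte savings the paragraph asks for; the repeat counts preserve the evidence that would otherwise be lost to de-duplication.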

Some metrics can be difficult to translate to dollars and cents, but by expanding the notion of ROI to include quantifiable metrics, it is possible to demonstrate how a specific expenditure is providing measurable improvement. For instance, a new phishing detection system might catch a larger number of illicit e-mails than the old one. Translating the improvement to nickels and dimes may be difficult, but it is nonetheless measurable and specific: qualities the bean-counters always appreciate.

I suggest, then, that we revisit the notion of ROI in cybersecurity. There may be creative approaches to justify a procurement monetarily, but even reliable non-financial statistics go a long way to obtaining budget money to improve a security program.