Ever since Peter Norton and John McAfee discovered they could charge for a small utility that helped find and quarantine gremlins that hid on floppy disks, budget-conscious buyers and flinty-eyed CFOs have been challenging security vendors with a simple question:
“If I buy your product, what’s my ROI?”
As generations of security marketing people know, this kicks off a wild scramble to describe how the purchase of their product delivers enough ROI to compete, presumably, with other enterprise investments like a new factory or a new ad campaign. What usually follows is a spreadsheet illustrating a product’s financial benefits in one of two ways: 1) savings in cleanup, brand value, lawsuits, etc., assuming the product prevents just one attack, or 2) massive labor savings identified via vast knowledge of the life of a security analyst and where and how they spend their time. I haven’t seen anyone claim security products can increase revenue, but I’m sure it has been tried.
While careful use of the security budget is clearly a major objective of every CISO, thankfully the decision-making process for new products or technology is more often driven by a strategic security plan reflecting key business priorities. Once CISOs get their budget, they aren’t competing for investment with the lines of business.
Ironically, the security industry has also been hard at work measuring the financial impact of security based on hard data and results.
The first set of data comes from the recently released IBM and Ponemon 2016 Cost of Data Breach Study: Global Analysis report, and, as is typical for those two organizations, it is a rigorous, thoughtful and data-filled assessment of the impact of security and the associated investments that enterprises make to protect themselves. Based on 1500 interviews with 300+ organizations, the study empirically provides deep insights into the overall cost of breaches, cost by industry, cost by record breached and, importantly, how the economic impact of an undiscovered breach grows almost exponentially over time.
So, instead of marketing flights of fancy, IBM, Ponemon and others are providing hard data to help inform the security ROI question.
The second development revolves around the clear crisis of security staffing and security skills. In the recent “Man and Machine: A Match Made in Cybersecurity Heaven” article published in Information Security magazine, Niara CEO Sriram Ramachandran outlines the depth of the shortage and its associated impacts. As he notes, there are no artificial intelligence “silver bullets” that will reduce the need for qualified and dedicated security staff. The goal is, in fact, to use analytics to improve the efficiency and effectiveness of an increasingly scarce resource.
With these new perspectives, providers of security products and services have never been in a better position to answer the ROI question. The good news is that the right security investments clearly return measurable financial value.