Return on Investment (ROI) for Cyber Security tooling and skills

How and why your security team should demonstrate the ROI for the security tools and skills you have in place


Mark J Williams

Senior Security Architect

In the current economic climate, businesses are being asked to do more with less. This becomes an issue in cyber security especially when you are not experiencing any, or many, incidents or breaches. This can lead to scepticism in finance and at board level as to why the company has such budget line items, and a hesitation to invest further.

The problem

Softcat is speaking to many IT managers and security leaders who are being asked to justify the cost of the security tooling and staffing in their organisations. Detecting, containing and remediating incidents is a great way to showcase the value of the tooling and skills that are in place in an organisation, but without incidents it can be difficult to represent the risk reduction to the business. Continually highlighting low-risk alerts like blocked phishing emails and suspicious executables can also pose a problem, as it does not illustrate the value of the security tooling and skills in place. Repeated attempts to highlight these alerts could create a ‘boy who cried wolf’ scenario where security breaches aren’t taken seriously and the security team is considered to be fearmongering.

Methodology and approach to presenting ROI on security tooling and skills

As a caveat, there are more ways to present ROI to the business than the ones below, but these can be simple and effective.

Measuring the cost of downtime

Knowing how much it costs the business each time a resource is unavailable or doesn’t function is key to measuring ROI. For example, if a database is out of action for one hour, what is the cost to services and how does that impact the business? Or if a piece of manufacturing equipment stops and causes delays, what is the loss of production to the business?

Understanding this data and being able to assign a cost to downtime gives you one part of the equation.

Measuring the cost of an incident

If you have case management or an incident record for incidents that have occurred, this can be a great source of data. Taking these incidents and factoring in the downtime to the business together with the cost of recovering to a working state gives you a figure that represents the cost of not having cyber security controls in place. When putting together these calculations, don’t forget to include manpower. Here is an example of the type of information you could include:

A company that makes fresh food has a machine controller. This has gone down due to a cyber attack and the downtime is three days.

  • The lost revenue of not producing fresh food for three days is £50,000.
  • The extra overtime to be paid to meet the backlog is £3,000.
  • The cost of the IT and security personnel involved in the incident is £1,000.

From the above example, there is a net cost of £54,000 for this attack on the machine controller. There could also be brand reputational damage from not having the supply of food available to meet demand, and this will also factor into the cost for the organisation.

One other method that can be considered is Single Loss Expectancy (SLE). SLE is a way of calculating the estimated potential financial loss from a single security incident. It is calculated by multiplying the Annualised Loss Expectancy (ALE) by the Annualised Rate of Occurrence (ARO).

The formula for SLE = ALE × ARO.

SLE provides insight into the expected loss from a single occurrence of a risk within a year. ALE, in turn, is determined by multiplying the asset value (S) by the Exposure Factor (EF), representing the percentage of loss if the risk event materialises. ARO estimates how often the specific risk event is expected to occur annually.

There are lots of great resources on the internet, including this post by ISACA, the global professional association, that dive deeper into this subject and give a better understanding of how to calculate SLE in your organisation.

What if I don’t have any incidents?

If your organisation does not have any reported incidents, then it is key to have good metrics from your tooling. If your organisation does not have any metrics to show, then the first task is collating those metrics. Understanding what attacks are being seen by your tools gives you good data to build from. It is important to be clear about which security tool you are focussing on and to categorise the threats it sees into risk factors, so that an ROI can be derived for it.

For example, consider what may have happened if the security tooling had not been in place to prevent the malicious object from getting into the network in the example above, and the impact that would have had on the organisation. The metrics will be different for each organisation and can be somewhat subjective. However, this method allows you to convey a theoretical cost saving that the tooling has made for the business.
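The arithmetic in the three sections above (costing an incident, turning a per-event loss into an annual expectation, and attributing a theoretical saving to a tool from its own metrics) carried through as one added Python example. This is not code from the original post or from Softcat. The incident figures are the post’s fresh-food numbers; the asset value and exposure factor, the annualised rate of occurrence, the count of blocked objects, the assumed fraction that would have succeeded, and the annual tooling cost are constructed assumptions and are marked as such in the code. The functions follow the post’s two multiplications (asset value times exposure factor for one occurrence, then times the annualised rate for a year) under descriptive names rather than acronyms.

```python
from dataclasses import dataclass


@dataclass
class IncidentCost:
    """Cost components of one incident, mirroring the post's fresh-food example."""
    lost_revenue: float   # revenue lost while the asset is unavailable
    overtime: float       # extra pay to clear the backlog afterwards
    personnel: float      # IT / security staff time spent on the incident
    other: float = 0.0    # anything else you can quantify (e.g. replacement kit)

    def total(self) -> float:
        return self.lost_revenue + self.overtime + self.personnel + self.other


def downtime_cost(hours_down: float, cost_per_hour: float) -> float:
    """Cost of an outage: how long the resource was down times what each hour costs."""
    if hours_down < 0 or cost_per_hour < 0:
        raise ValueError("downtime and hourly cost cannot be negative")
    return hours_down * cost_per_hour


def loss_per_event(asset_value: float, exposure_factor: float) -> float:
    """Loss from one occurrence: asset value times exposure factor (a fraction 0..1)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return asset_value * exposure_factor


def annual_expected_loss(per_event_loss: float, annual_rate: float) -> float:
    """Expected loss per year: loss of one occurrence times annualised rate of occurrence."""
    if annual_rate < 0:
        raise ValueError("annualised rate of occurrence cannot be negative")
    return per_event_loss * annual_rate


def theoretical_saving(blocked_events: int, per_event_loss: float, success_rate: float) -> float:
    """Value attributed to a control from its own metrics (the 'no incidents' case).

    blocked_events: malicious objects the tool stopped in the period.
    success_rate:   assumed fraction of those that would have become an incident
                    without the control. This is a judgement call; state it
                    explicitly to stakeholders rather than burying it.
    """
    if blocked_events < 0 or not 0.0 <= success_rate <= 1.0:
        raise ValueError("bad metric inputs")
    return per_event_loss * success_rate * blocked_events


def roi(benefit: float, cost: float) -> float:
    """Return on investment as a ratio: (benefit - cost) / cost. 2.24 means 224%."""
    if cost <= 0:
        raise ValueError("control cost must be positive")
    return (benefit - cost) / cost


def worked_example() -> dict:
    """Runs the post's fresh-food scenario end to end and returns the figures."""
    # Figures taken from the post: three days of downtime on a machine controller.
    incident = IncidentCost(lost_revenue=50_000, overtime=3_000, personnel=1_000)
    per_event = incident.total()                                   # 54,000

    # Constructed assumption: the same £54,000 expressed as asset value x exposure factor.
    per_event_from_factor = loss_per_event(asset_value=200_000, exposure_factor=0.27)

    # Constructed assumption: one such attack expected every two years.
    annual_loss = annual_expected_loss(per_event, annual_rate=0.5)  # 27,000

    # Constructed assumptions for the 'no incidents' case: the tool blocked 12
    # malicious objects this year and we judge 10% would have caused an incident.
    saving = theoretical_saving(blocked_events=12, per_event_loss=per_event, success_rate=0.1)

    # Constructed assumption: the tool and the people running it cost £20,000 a year.
    control_cost = 20_000
    return {
        "per_event_loss": per_event,
        "per_event_from_factor": per_event_from_factor,
        "annual_expected_loss": annual_loss,
        "theoretical_saving": saving,
        "roi": roi(saving, control_cost),
    }


if __name__ == "__main__":
    for name, value in worked_example().items():
        print(f"{name:>22}: {value:,.2f}")
```

The two judgement inputs, the annualised rate and the assumed success rate, are the figures finance will challenge, so keep them as explicit named parameters and present the result as a range by re-running with pessimistic and optimistic values rather than quoting a single number.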

In conclusion, increasing internal pressure from the board and finance to keep the organisation safe while doing so with less funding has strained security teams. Demonstrating how cyber security resources and tooling benefit the company will enable leaders to decrease the risk of a breach and increase the security maturity of the organisation. This will lead to retained funding and increase the chances of new funding requests being approved. Engage with your stakeholders as soon as possible to establish these figures, as they could really help secure funding and your organisation.

If you’d like to find out more, please get in touch with our Sales team.