How to calculate cybersecurity ROI with concrete metrics

Why cost avoidance isn't the best cybersecurity ROI benchmark

While security leaders often want to make the argument that a given investment helps an organization dodge costs, cost avoidance isn't the best gauge of cybersecurity ROI. It might be tempting to say, "Because I installed tool X, we didn't suffer a ransomware attack, which saved us from paying a $10 million ransom like our competitor had to." Even if you could prove this were true -- and you cannot prove a negative -- the only executives likely to buy this argument are the ones who have already personally experienced such losses themselves. Unfortunately for you, those executives are probably not the ones now in charge.

Reputational costs are equally nebulous. Estimating the damage stemming from a publicized security incident might be a worthwhile exercise. It's easy to go through news sources to determine how much a security attack might have cost another company -- either in customers or revenue. But it's not necessarily a credible tactic when it comes to calculating cybersecurity ROI in a different instance or at another organization.

Consider the SolarWinds breach in 2020. The company suffered a loss in market capitalization of more than $1 billion in a matter of days. But there is no way to directly calculate the value of averting a different security vulnerability. Highlighting the value of avoiding this type of notoriety might be useful, but when it comes to cybersecurity ROI, it's better to rely on concrete metrics that can be directly tied to expenses the business can itself control.

Hypothetical fines are also difficult to estimate. CISOs would be hard-pressed to meaningfully compare their businesses with other companies that have paid penalties for their mistakes, as each situation and exposure is different.

How to calculate cybersecurity ROI

Security managers know effective security tools help reduce attacks, find root issues quicker and prevent the compromise of data. It is a straightforward process to examine log files to see if the number of security events has declined since the implementation of a given tool or service.

Trouble ticketing software offers valuable insight as well. It captures how long it takes to address problems and tracks the effectiveness and productivity of security personnel who solve those issues. If an investment helps staff solve issues more quickly, it's possible to translate time saved into dollars saved.

Let's say a security analyst makes $100,000 annually. If a given tool or service saves an hour of that employee's time, then the business saves $48. Similarly, if a security analyst managed 100 tickets a month and can now handle 200 tickets a month, that represents a 100% increase in efficiency -- the equivalent of one full head count.

Productivity is also measurable through systems integration -- the merging of networking information with security information. This yields quicker root cause analysis, which can be calculated as the percentage change in events detected over time, which can then be factored in terms of head count reduction.

If an organization with a security IT staff of six deployed security software that boosted efficiency by 25%, the company could reduce that staff by 1.5 and still get the same productivity. Assuming a fully loaded labor cost of $125,000 per employee, the company could save about $180,000 by eliminating those positions. If the security software cost $90,000, the ROI in this case would be six months.

Security managers should consider framing investments in terms of cybersecurity ROI.

Executives also readily understand how important it is to avert any disruption to the business, so calculate increased time available as it relates to money generated by the business. A $100 million enterprise, for example, brings in about $275,000 a day or $11,000 an hour. Using direct measurements like this, against improved downtimes from outages, will allow managers to directly calculate the value of each hour saved from an outage.

While reputational cost savings are vague and variable, money generated from the business is concrete and immediately comprehensible. These types of appraisals make cybersecurity ROI metrics more compelling than just tallying the hourly or annual costs of security staff.

How to communicate cybersecurity ROI to executive leadership

Executive managers care about security, even if only tangentially, in that they care about the business risks security threats create. Their focus is on how security tools might mitigate those risk levels.

For that reason, when security managers talk to business executives about the value of cybersecurity, the focus should not be on the details of the technology that protects the network -- in other words, no discussions about the mechanics of RSA encryption or lectures on how quantum superpositioning obviates hashing functions. Instead, security managers should highlight how specific investments in people, processes and technology mitigate critical business risk factors.

Never talk about eliminating risk. While this might be what the CEO wants to hear, risk elimination is an impossible expectation to manage. Rather, talk about the benefits of investing time to train staff and to integrate processes across operations and security to improve communication and efficiency. And talk about the benefits of investing money in the underlying infrastructure to make those integrations a reality. These are the types of risk-based security investments that have a direct effect on the bottom line.

The more that security managers can focus on business prerogatives and risk management, the more they will win the understanding and support from the business leaders who depend on them.