How Do You Measure Your Investment in Security?

When evaluating enterprise security tools for their effectiveness, it can be challenging to find the right model for best calculating your “Return on Security Investment” (ROSI).

Just a few years ago, the potential cost attributed to a security breach was likely to be primarily related in the assessed financial cost into a business’ reputation, with only a relatively small number of cases ever reaching significant legal or sustained loss of service related costs. But with GDPR (as well as an increasing number of international laws) bringing new fines to consider and the steadily growing number and sophistication of security intrusions over the last few years, assessing both the possibility and resulting impact is increasingly imperative and demands ever more robust assessments of your security expenditure.

Working out how you get the best “bang for your buck”

The most popular model I’ve seen deployed for security budget scoping in the real world is based on simply assessing cost – asking what’s the most I can get for my dollar based on my budget (or quite simply where can I get the best “bang for your buck”). This is a useful starting place for establishing budget sizing, but in order for even this simple methodology to work, it is necessary to assess “the bang” aspect, and it is here that things can become more challenging.

To put it a financial model around security “value,” we can consider an objective of trying to mitigate as much risk as possible, preferably up to the point where the cost of implementing additional security controls is as close to any possible value of additional savings from security incidents. This is where concepts like Foundational Controls offer a sensible way of making this problem tractable. By identifying measurable controls (especially industry supported ones like those developed for (Read more...)