Return on investment: is it worth the money?
That is the central question both government and industry in deciding on any procurement. Demonstrating ROI on cybersecurity products is notoriously difficult and is one of the underlying reasons for the poor state of our nation’s cybersecurity posture.
Ah, but here’s the rub: showing tangible ROI on cybersecurity products is difficult because it rests on hypothetical situations. “If we didn’t have this product, we would have been breached 17 times instead of three” – That’s hard to prove. Consequently, many security professionals in both the public and private sectors look askance at claims of ROI and decide it is a lost cause when evaluating cybersecurity products.
Even so, demonstrating the value of a security expenditure is essential to obtain continued funding and support. How is it possible to demonstrate ROI without relying on imaginary scenarios?
Let’s look at some approaches that can resonate with bean-counters
Suppose your agency has procured and deployed a threat-intelligence sharing system. Did security staff respond to more intrusions before the deployment? If the number is lower and can be attributed to the system, that’s great. Perhaps a more pertinent metric, though, is the ratio of attempted intrusions to successful breaches: did the percentage go down? If so, you can demonstrate tangible ROI by including the labor rate of the employees responding to incidents.
POA&M (Plan of Action & Milestones) closure is another metric: are you closing them more quickly than before the procurement? If so, are the closures attributable to the system you installed? How does the projected cost of closing a POA&M compare to the actual cost? Projected costs are somewhat speculative, of course, but this approach at least uses some concrete financial metrics.
*** This is a Security Bloggers Network syndicated blog from The State of Security authored by Tripwire Guest Authors. Read the original post at: https://www.tripwire.com/state-of-security/security-data-protection/cyber-security/cybersecurity-roi-oxymoron/