Safe Security Adds Cybersecurity ROI Tool to Portfolio

Safe Security, Inc. today announced it has added a Return on Security Investment (ROSI) Calculator module to its risk quantification and management platform.

Pankaj Goyal, senior vice president for Safe Security, said the ROSI Calculator automatically collects data from cybersecurity tools via application programming interfaces (APIs) to calculate the potential cost of risk to the business using a probabilistic graphical model based on Bayesian network techniques created by the company’s data science team.

The ROSI Calculator also provides the ability to compare and prioritize different cyber initiatives based on specific financial risk reduction factors, including surfacing recommendations for achieving those goals.

Finally, the module can be used to compare defense, mitigation, response and recovery controls against cyberinsurance policy requirements.

Cybersecurity investments have always been notoriously difficult to quantify. Existing tools for calculating return on investment (ROI) in cybersecurity are challenging to employ, consume a lot of time and don’t yield insights in real time, noted Goyal.

Like the rest of the investments made in IT, spending on cybersecurity is being scrutinized more closely in the wake of the economic downturn. The challenge is no one knows for sure what tools and platforms are actually effective. Many organizations have invested in multiple cybersecurity offerings over the years without evaluating whether their capabilities make a legacy platform redundant, added Goyal.

Safe Security has previously made available a free cybersecurity benchmarking tool for predicting cyberattack risk within vertical industry segments that relies on the same techniques used to create the ROSI Calculator. In the longer term, Safe Security is committed to making additional investments in machine learning algorithms and other AI techniques as it collects more data, said Goyal.

Of course, there is no correlation between spending and the level of cybersecurity attained. While the volume and sophistication of attacks have increased, most of the cybersecurity issues organizations encounter can be traced back to human error. Resolving all those issues is next to impossible, but organizations should be able to at least prioritize their efforts based on the actual level of risk they represent to the business. That’s critical because the number of attack surfaces that need to be defended only continues to increase.

It’s arguably never been more difficult to be a cybersecurity professional. As cyberattacks increase in volume and sophistication, there is clearly a need for additional investments to be made as organizations look to implement zero-trust security policies. However, no one is going to issue the cybersecurity team a blank check. Some form of calculation of risk versus potential loss needs to be part of every cybersecurity decision. It’s then up to business leaders to determine what level of risk they are comfortable with given the potential damage that might be inflicted.

There’s no such thing as perfect security, of course. However, the process by which security is achieved based on the available amount of budget needs to be closely monitored, especially in an era where bad actors typically have larger available budgets than the average cybersecurity team.

Michael Vizard

Mike Vizard is a seasoned IT journalist with over 25 years of experience. He also contributed to IT Business Edge, Channel Insider, Baseline and a variety of other IT titles. Previously, Vizard was the editorial director for Ziff-Davis Enterprise as well as Editor-in-Chief for CRN and InfoWorld.
