Considering the Cost of Failure in Security Operations

How do you measure the cost of failure?

This was a question posed by SecureIQLab’s VP of Research and Corporate Relations, David Ellis, and senior analyst Randy Abrams, during a conversation at RSA Conference 2023.

The knee-jerk, instantaneous answer is that the cost of failure is equal to the dollar figure for a cybersecurity incident: the hundreds of thousands or millions of dollars spent on fines, remediation and lost business. But if you look deeper, the point of failure, and with it the cost of an incident, begins much earlier. Sometimes it comes down to having the wrong security product in place.

Too often, the IT team becomes enamored with the latest and greatest security tool and willingly pays top dollar for something it not only may not need but that adds nothing to the organization’s overall security posture. An ineffective tool can lead to failure for all sorts of reasons: it isn’t designed to protect your most valuable assets, or paying for it leaves you without the budget for the tools you do need. Either way, this should be counted as part of the overall cost of failure.

The question you need to ask when building out your security operations is how to best protect your workflow to get the level of security you need, Ellis said. If the tool is too difficult to use or overly cumbersome, you’ll never get all of the benefits.

Mediocre is Okay

Sometimes it actually makes sense to use mediocre tools rather than the highest-rated products on the market. What’s more important is the management dashboard.

Having the best product means nothing if you can’t track your data or monitor for threats, said Abrams.

An important metric to consider is the alert-to-noise ratio. It’s easy to burn out on the noise, and once fatigue sets in, you miss the alerts that matter. Missing alerts creates risk, and that risk can lead to the failure of the security system. Any tool that reduces that risk, even an otherwise mediocre one, is a plus.

The Role of the Board

The IT and security teams may be the ones on the front line, but when it comes to looking at the cost of failure in the SOC, the board of directors has to shoulder some responsibility, too.

It’s hard to talk about security in a way that really meshes with how board members think, said Ellis. The board is, and should be, concerned with the return on investment on anything used within the organization, but they don’t always see how security tools fit into ROI because they can’t see how security tools can make money. The disconnect between the board and security teams is that for security, the ROI is realized by how well cybersecurity works to prevent loss.

Here, again, the conversation should center around how to measure the cost of failure of security tools in terms of ROI. If the right tools in the SOC are preventing a cybersecurity incident that could cost the organization millions in losses and fines, the ROI is measured in the lack of disruption to business operations.

It becomes a conversation about preventing loss, said Ellis. It becomes an insurance and risk conversation, something the financial side of the business understands. Once you hit on that shared understanding, the conversation can move to security efficacy and operational efficiency and then estimate the ROI of the security tools.

Every organization will have its own security ROI calculus, but the important thing is to begin the conversation. How does the failure of your security system fit into the organization’s overall ROI goals? The way your company measures the cost of failure is something to think about when looking at your security operations.

Sue Poremba

Sue Poremba is a freelance writer based in central Pennsylvania. She's been writing about cybersecurity and technology trends since 2008.
