When addressing information security, the return on investing in cyber may not be as high as calculated. For any particular investment, it may only reduce that particular vulnerability.
Let’s start with a definition of ROI from Investopedia:
Return on Investment (ROI) is a performance measure, used to evaluate the efficiency of an investment or compare the efficiency of a number of different investments. ROI measures the amount of return on an investment, relative to the investment’s cost. To calculate ROI, the benefit (or return) of an investment is divided by the cost of the investment. The result is expressed as a percentage or a ratio.
The return on investment formula:
ROI = (Gain from Investment – Cost of Investment) / Cost of Investment
In the above formula, “Gain from Investment” refers to the proceeds obtained from the sale of the investment of interest. Because ROI is measured as a percentage, it can be easily compared with returns from other investments, allowing one to measure a variety of types of investments against one another.
Why should this apply to investments in cyber? (I will use ‘cyber’ to refer to all information security risks and measures.)
Any organization has limited resources (money, people, and executive/board time). One way to allocate those scarce resources is by calculating the ROI for each option. There are limitations, which I will discuss later.
How do we calculate the ROI of an investment in cyber (including risk assessment and the measures taken to address the risk)?
We could (and probably should) look at the investment in cyber overall, but for purposes of this post I prefer to discuss the cost of additional tools, services, and personnel to address a recently identified risk. (I’m going to use common language rather than get hung up on semantic discussions about which words to use per ISO.)
The cyber risk created by the acquisition of robots in the organization’s warehouse has been identified and assessed by the experts (CISO and CRO with the concurrence of the CIO) as high, more than they believe the organization should take. (I prefer “take risk” rather than “accept risk” as it is more true to real life and the decisions that we have to make.)
Because you have influenced how they assess risk, they have worked with business managers and based the risk assessment on how a breach would affect enterprise objectives. The business managers value the negative consequences of a breach at $10 million and the CISO says that the likelihood of that significant a breach due to vulnerabilities in the robot automation is currently 5%.
They have requested an investment of $250,000 per annum, saying that amount is necessary to bring the risk to acceptable levels. The CISO believes that would bring the likelihood of a significant breach ($10 million) down to 2%.
We would modify the ROI calculation so that it is based on the reduction in risk rather than the gain from the investment.
If we accept that the current risk should be valued at $10 million * 5% and the risk after the investment is in place is $10 million * 2%, then the reduction is $10 million * 3% or $300,000.
This calculates as an ROI of 20%.
That sounds like a great investment.
But, would spending an additional quarter of a million dollars be a good business decision?
A couple of questions:
- While the CRO and CISO say that the risk is outside acceptable levels, is it really?
- Would the risk really be reduced to 3%? Or, is that simply the risk from this particular vulnerability?
Taking each in turn, $10 million is a lot and would look bad in the newspapers. But if the organization has annual revenue of $4 billion and net earnings of $350 million, is a $10 million dollar number realistic? I suggest that the enterprise could shrug off such a loss fairly easily. On the other hand, there might be serious follow-on consequences to an incident.
Top management and the board should have serious conversations that focus not only on acceptable losses, but also on what investors and regulators might consider a reasonable level of cyber defense, detection, and response. Any definition of ‘risk appetite’ should probably be based on the likelihood of a serious breach, rather than on the amount of loss.
Let me start the discussion of the second question with a story.
Some years ago, a partner and manager from PwC visited me. They suggested that my company acquire software from them that would address an information security exposure we had. I pointed out to them that the software would indeed be of value. It would close a small open window in our infrastructure. But, I informed them that it was not a good investment because not only did we have other windows open, but the lock on the front door was broken.
When you have multiple vulnerabilities, the possibility of a breach remains high until all (or close to all) of them have been closed down.
Recently, I was a speaker at TBI’s Big Event in Chicago. Bob Bigman, former CISO for the CIA, spoke and had an interesting spin on cyber.
- Computers are not secure
- IoT is even less secure
- We should call it the internet of unsecure devices
Bob alarmed us all, explaining how easy it is to hack almost any organization. (The best counter-measure is to isolate your systems – but that is not always practical.)
So, would the $250,000 investment really reduce the risk of a breach with a significant effect on the achievement of enterprise objectives?
Is it just closing a small window?
I think we should stand back and consider the likelihood of a breach as a result of an incident taking advantage of any of our vulnerabilities with an impact valued at, say, $10 million (if that is the most you could sustain).
Is that likelihood acceptable? If not, what likelihood is acceptable? How much risk are you willing to take?
Given that, how can you get to an acceptable level?
How many windows would you have to close? Which ones, and at what cost?
Is there a better solution? In fact, what are all your options – including actions that have nothing to do with cyber such as removing your IP and putting it under your bed, or changing business strategies?
I remain unconvinced that the ROI on cyber is really as high as it may seem at first glance.
I am starting to think that at some point it is better to consider cyber risk as a “cost of doing business”.
If you can’t actually reduce the likelihood of a breach, can you at least increase the likelihood of prompt detection and response?
Can you get to where a prudent individual would say you have a reasonable level of investment in cyber?
What do you think?