Measuring the ROI in cybersecurity investments is a recurring issue for IS departments and CISOs. In the face of a threat some consider as a mere hypothesis, how can you account for expenses that are not hypothetical? And, most importantly, can the way people think actually be changed? Thus shifting from a paradigm focussing on cost avoidance to a model that promotes investments.
As the CISO of a leading company in the aviation industry said: "we have been trying to identify possible risks and damage and the probable occurrence of cyberattacks for the last fifteen years, in order not to miss out on the necessary security investments." However, sometimes, these are difficult to account for and, thus, some companies only make drastic changes in their strategies once the first attack has occurred.
Issues regarding the efficiency and profitability of security expenses are indeed recurring issues. Whether we are talking about ROI or ROSI (Return On Security Investment), the question is asked as follows: how do you link an actual expense with an unforeseeable threat? And can the executive managers be persuaded that non-productive investments are necessary, that is to say that they don't directly help companies to earn money by generating increasing incomes?
The growing media coverage of security incidents does, however, place this issue on the agenda.
Cost avoidance: an excessively restrictive paradigm
Undeniably, the maturity levels of Executive Committees have improved in terms of the understanding of cyber risks over the last few years. More often than not, the growing awareness has given rise to significant increases in the budgets allocated to IS departments.
Nonetheless, many CISOs reveal that their senior management regularly hold them to account, subject to revising their budgets downwards. "We have actually seen the budgets of some companies stagnate over the last few months," said Benjamin Leroux, Chief Marketing and Innovation Officer at Advens, a company that specialises in cybersecurity.
It is often complicated for a CISO to demonstrate the benefit of security expenses, since the prevailing paradigm remains that of cost avoidance. It is thus preferable to explain that protection expenses made it possible to avoid losing X million euros, rather than saying that they earned Y million by implementing them. Or, as Ian Schenkel, EMEA VP of Flashpoint said: "It is rather like selling insurance: CISOs must try to put a value on what hasn’t happened – the breaches and disruptions that their strategy will prevent".
However, assessing the costs of a cyberattack may prove very complex. Whether in terms of the ransom to pay and/or the disruptions in operations, the impacts may serve as landmarks, provided the appropriate scale is used. According to the Hiscox insurance company 2019 report, the average cost of cyber-incidents for a small company is estimated at 14,000 euros. This amount should be compared to the amounts stated by companies such as Demant, one of the major manufacturers of hearing aids in the world, which expects a 95-million dollar loss further to the ransomware that affected their production and distribution facilities in Poland, Mexico, France and Denmark. Or Eurofins Scientific, which lost 75 million euros because of another ransomware. These examples offer a wealth of information while, still according to the Hiscox report, the cost generated by all cyber-incidents is an average of 110,000 euros.
Along with this financial impact, possible regulatory penalties should be taken into account. At a European level, the GDPR indeed imposed fines as a percentage of the turnover (4% of the worldwide turnover) on all the companies that have been negligent in the protection of the data they process. In July 2019 British Airways faced a significant fine after a data breach.
But some other costs are difficult to assess, when it comes to disrupted operations. "There are incidents for which assessments fluctuate considerably. For instance: what is the cost of a one-hour unavailability of an e-commerce site during the sales period, following a DDoS attack?," says Benjamin Leroux. "Moreover, indirect costs should not be overlooked, neither should the impact of a cyberattack on a brand image."
In addition to these already complex calculations, two aspects also need to be taken into account. The first aspect is that cybersecurity solutions often provide solutions that are not purely cyber. For example, a firewall offers QoS management, URL filtering and management of multiple links, and therefore provides enhanced connectivity for the most important uses. Along a similar vein, SSL VPN or IPsec VPN features provide the opportunity to implement remote working or remote maintenance. And this can increase productivity. Generally speaking, adding a layer of cybersecurity can help to modernise some practices that used to require the presence of human beings. The second aspect involves calls for tenders – namely of major purchasers –, in which the measures regarding IT security outlined by tenderers are given pride of place, or even are now the decision criterion. Cybersecurity may then become a differentiator between a company and their competitors.
Assessing risks: a multifaceted exercise
At a time when more and more people underline the essential part played by cyber resilience, we should bear in mind that, most of the time, the question is not whether your company will be attacked but rather when the cyberattack will take place. If assessing the costs of a cyberattack that has not (yet) taken place is a theoretical exercise, the latter, however, increasingly turns into an operational reality. The cybersecurity news is full of numerous examples. And in our 2019 barometer on cybersecurity, we showed that 48% of companies questioned had been the target of one or several cyberattacks over the past few months.
Finally, explaining why it is complex to calculate the return on investment of IT security involves taking into account the fact that our sector is still young and, above all, is little known. We only have little hindsight and don't have enough reliable data to implement robust models.
Moreover, making the buzz (often fuelled by the media) highlights the major cases for which costs reach several hundreds of million euros, although they only are the tip of the iceberg. Conversely, many SMEs that have been particularly exposed, as recently the French company Lise Charmel, which was placed in receivership, are reluctant to provide the amounts of the attacks they were the victims of. The opacity in our sector therefore makes calculating estimations even more difficult.
The ABC of the risk approach
In spite of the obstacles mentioned here above, solutions do exist. The France's ANSSI cybersecurity agency has for instance developed the Risk Manager EBIOS method to help organisations identify and understand the risks that are specific to them. "The purpose is to uproot the irrational elements in the conventional risk analysis, which is mostly based upon estimations," Benjamin Leroux underlines. "In this method, each type of attack is listed, characterised according to its impact and associated with a cost. It is then possible to implement a risk management plan (antivirus programs, firewalls, awareness campaigns, organisation, etc.) that can actually be evaluated." The analysis in terms of ROI can thus be conducted by removing the amount to invest from the anticipated losses.
Once the calculation has been done, it is essential to measure the effectiveness of the risk management plan, with a logic of control. Another difficulty arises at this stage: if I implemented a solution to detect an incident, but nothing happens, is it because no incident occurred or because my solution was not effective? Although the reports or frequent management charts on the attempted attacks provide part of the answer, there are still doubts. "In these cases, companies conduct audits and may ask pentesters to run penetration tests to check the effectiveness," Benjamin Leroux explains. But there again, it is difficult to actually demonstrate the profitability of cyber investments, since these penetration tests do not enable companies to earn money in the strict sense of the term.
Finally, in the conventional risk approach, it is also important to rationalise the protection measures. A new challenge to rise to in cybersecurity, since we try to optimise the cyber-mix without setting aside the plurality principle and the principle of dual barrier technology. And this is far from easy.
To bring about a qualitative leap in cybersecurity
However, there is an alternative move, i.e. a model in which promoting investments in cybersecurity may help earn money. "Lately, the Société Générale bank implemented OPPENS, a security coaching service meant for very small businesses/SMEs," Benjamin Leroux points out. What for? To sell the know-how developed in house to companies with a view to promoting these investments. Another textbook case in France: the Imprimerie Nationale, the official printing works that make all the passports and identity documents. In 2018, they implemented the INWallet app, a solution for securing digital identities. "In both examples, selling cyber services enables to extend the services they provide, and thus, to earn money," he continues.
Halfway between analysing risks and rationalising protection measures, measuring the ROI in cybersecurity is complex, but more essential than ever. What we see taking place is the need to shift the paradigm, to move from a strictly quantitative analysis to an analysis that includes the qualitative factor. The perspective changes when we move from a strictly monetary ROI, based on a costing approach, to a ROI based on the value of security investments. It is high time managers see cybersecurity as an opportunity, and not as a threat.
