How to Evaluate the ROI on Your Cyber Security Investments?

Global Cyber Security Spends

The world seems to have undergone a decade’s worth of cybersecurity acceleration within a brief period of one year. And that shows in the cybersecurity spends made across the globe. Gartner has forecasted global Cyber Security Spends to remain on a growth trajectory, despite the worldwide pandemic, and touching $123 billion in 2020. The growth trend stands at 2.4% when several other industries are projected to end the year with negative growth.

The most common overheads for Cyber Security Spend were in Application Security, Cloud Security, Data Security, Identity Access Management, Infrastructure Protection, Integrated Risk Management, Network Security Equipment, Other Information Security Software, Security Services, and Customer Security Software in no particular order. 

The growth in such investments seems to have been on a healthy upward trajectory. Between 2005 and 2017, Cyber Security spending grew by over 33.33% as a percentage of the total IT Spends on businesses worldwide, with the figure touching 10.7% in 2017. 

The global landscape can help you determine the answer to the question of whether you need Cyber Security Spends or not. But, how do you justify your Cyber Security budget? 

 

The CSO Perspective: Ascertaining Cyber Security ROI in 2021

Here are some of the most common approaches one can take to ascertain the ROI on a firm’s Cyber Security budget:

1. Compliance Risks

HIPAA, CCPA, and GDPR have collectively increased compliance risks across the globe. Since they apply to some of the most lucrative markets globally, a large set of firms now have to be compliant with these laws, even if they are not registered in a jurisdiction where these laws are directly applicable. The implementation to be compliant with these laws has its costs. But, if adequate Cyber Security measures are not implemented, it can now result in a range of penalties per violation. 

Each HIPAA violation costs $50,000, while each CCPA violation can cost $2500-$7500. GDPR violations can lead to a net fine of EUR 20 million or 4% of global revenues. Hence, any Cyber Security investment made to avoid this has value in terms of the penalties avoided.

2. Peer-Group Comparisons

Some industries have a systemic need for security measures. For example, – healthcare, financial services, etc. Suppose your business is in one of these industries and your peer-group already has dedicated Cyber Security contracts, investments, or divisions. In that case, there is a high probability that you will also need similar measures. 

The average Cyber Security spend stands at 10.7% of the annual IT budgets across the globe. Hence, this is the starting point for the calculation. Now, take the top 5 publicly listed companies from your industry. They should have identical business models and comparable IT sophistication. Take a weighted average of these companies’ Cyber Security spending as a percentage of the revenue or divide the weighted average of Cyber Security spends by the weighted average of the number of employees. 

At the end of this step, you will get the benchmarks of Cyber Security spends as a percentage of the revenues or Cyber Security spend per employee, prevalent in your industry. Since management teams and board of directors address the broader shareholder concerns, these figures can provide a better idea of the trends in IT spending in the industry and showcase where do you comparatively stand with & against them. 

 

3. Cost Control Perspective Adjusted to Reflect the Increasing Rate of Cyberattacks

As counterintuitive as it may sound, Cyber Security brings down the overheads a business has to endure in the long run. Take the cost of each security threat your business has to deal with and scale it across the number of internal and external customers. By not having to go through the security breach event, your business is saving capital in the form of sustained brand equity, consistent productivity, and avoided cost of recovering data.

You can evaluate the value of this aspect of Cyber Security with a simple exercise. 

Enlist the most significant security threats prevalent to your business – third-party risks, incident response expenses, device vulnerabilities, social engineering, and ransomware. Now that more people are working from home, the risk of data leaks has increased exponentially.

Once you have the list of potential threats ready, create a more comprehensive list of the possible impact on business – loss of operations & productivity, lead time for recovery, additional security spends, PR spends for communicating with the industry & customers, incremental security measures, and legal costs, if any. By adding each of these impact items’ costs, you will get a better idea of the total savings made by investing in apt Cyber Security measures. 

Since the exercise is exploratory, you may not get an immediately tangible answer. Here is some guidance you can choose for such cases: on average, large and medium-scale enterprises faced losses worth $370,000 directly attributable to cybersecurity breaches. The same figure for smaller firms, with less than 50 employees, stood at approximately $9,000 for the same period. 

So far, you have attained just the baseline for potential losses attributable to cybersecurity breaches. These losses will grow in the near future, as the probability of threats increases. Interpol’s guidance on the rate of increase in cybercrime can show the projected growth in such threats and hence the attributable losses. 

Interpol reported an increase of 22% in malicious domains, 36% in malware & ransomware, 59% in phishing & scam frauds, and 14% in fake news. You can take the weighted average of the historical expense of such events on your topline. This will provide a baseline of the necessary investments you have to make to protect your business against such attacks. With the provided growth in the degree of attacks, the budget for protective measures should also grow consequently.  

You can create a forward-looking budget with these numbers, once you have the forecasted cyberattack figures available. Ideally, your security budget should grow every year with the nominal inflation rate, plus the growth in Cyber Security attacks for the year. Since you cannot make investments in retrospect, this exercise should be done prior to a forecasted amount. 

 

4. Consumer and Employer Branding

While adequate Cyber Security measures might not be the top priority in the decision-making process of your potential internal and external customers, not having the standard security measure definitely serves as a detractor. Examples – having website encryption, outdated web-page design, WhatsApp’s ‘This Chat is Encrypted’ message, and so on.

To measure the direct impact of security measures on brand equity, you can conduct a small A/B test where the transactions page or the website is deliberately designed to look like it is not secured. The resulting bounce rate from such pages will show the potential impact of not investing in adequate security measures. Extrapolating the loss per bounce to the total number of website visits can show the potential loss to the business.

 

Bringing it Together

By now, you would have attained a reasonable idea about the ideal Cyber Security spends for your business. As a measure of safety, add 10%-15% to this number as your management team may not approve the entire budget in one go.

The idea of calculating an ROI is a little asymmetrical to the nature of Cyber Security spends. Cyber Security measures are a cost-item, and hence do not have a Return on Investment – theoretically. However, that does not mean it is not yielding any positive returns for the business. You can calculate two key numbers – Net Savings Attributable to Cyber Security Measures and Potential Business Benefits.

To get the first figure, use the end-result for each of the four-line items as laid out in the earlier points:

  1. HIPAA, CCPA, or GDPR violation penalties.
  2. Weighted Average Peer Group Benchmarks (As a percentage of revenue or per employee).
  3. Potential Cost of Breach and the Forecasted Growth in Cyber Security Spends to Meet the Growing Cybersecurity Threats.
  4. Extrapolated business loss, based on the results of the A/B Test.

 

The Cybersecurity ROI Ascertainment Process

 

To better illustrate the process, consider this example: A company with over 150 employees is into sourcing, selling, and trading engineering equipment. It also conducts certification training for new engineers, but that unit is small, catering to only 200-300 customers in a year. 

Here is how it estimated the Net Savings Attributable to Cyber Security Measures:

  1. 250 customers (from the training business) x $2500 per CCPA violation = $62,500 in potential penalties.
  2. Weighted Average Peer Group Benchmark is approximately $5,000 per employee. Hence, the figure comes to $5,000 x 150 = $750,000
  3. Average loss attributable to cybersecurity threats: $370,000.
  4. The LTV (Lifetime Value – a popular metric used in performance marketing to determine the aggregate value of a lead based on the historical conversion and recurring sales data) of each lead on the website comes to about $1500. The company witnessed an increase in the bounce rate by 20% when it conducted the A/B Test with a web-page that does not seem secure. Hence, it would be logical to assume that the company’s online revenues can drop by an additional 20% if the necessary cybersecurity measures are not taken and communicated. Assuming the company makes only $1 million in online revenues, this would come to a $200,000 drop. 

Assuming the company’s gross revenues come to $10 million, based on the average revenues of medium-sized businesses in the USA, the total net attributable savings to Cyber Security spend come to about $1.38 million. On average, companies spend 10% of their IT budgets on security. So, as far as 10% of the company’s IT budget is within this threshold, the security spends have created value. 

The other figure is Potential Business Benefits. The company can take its average Return on Invested Capital and add it to the net savings calculated here. Assuming that the company’s average ROIC comes to 5%, the company made an additional $69,000 because of the security spends, with the assumption that the cost savings resulted in excess cash than the company would have otherwise generated. And this was reinvested in the business, bringing the net potential benefits to $1.45 million. 

 

In Conclusion: Deriving Adequate Cyber Security Spends

For optimal ROI on your Cyber Security investments, consider this framework:

  1. How many organized security breaches does your business witness in a given period?
  2. How many data leaks has your business experienced in the last year on both an absolute and relative basis?
  3. What is the value put by your internal and external customers on comprehensive security with your products & services?
  4. How many security threats have your team-members witnessed in recent years?

Having a dedicated partner to help you with your entire security program at an enterprise scale can bring more structure, standardized practices, and augmented ROI.

Get in touch with the Network Intelligence team to know how you can have a more sophisticated security program for your business. 

  •  
  •  
  •  
  • 1
  •  
  •  
  •