How to Increase RoI on Cybersecurity Investments

Return on Investment (RoI) is one of the important Key Performance Indicators (KPIs) for any business. RoI can be direct or indirect. With direct RoI, the monetary gain from an investment, such as increased sales or a reduction in material cost, can be measured. Indirect RoI, on the other hand, can't be calculated in terms of money, at least not easily. An example is hiring a motivational speaker to boost employee morale and thereby increase productivity. The investment is valuable, but its RoI is difficult to measure.

Money spent on Information Technology (IT) is usually considered a cost and not an investment. This is primarily because there is no direct return on the money spent or invested in the improvement of technology. There is usually an indirect return on this type of investment, such as process automation or increased efficiency through newer technology. Over the last few years, cybersecurity has been taking a big bite out of technology investments. Almost all businesses consider money spent on information security a cost and compare it to buying an insurance policy: it is necessary, and often required by regulations, to invest in protecting data and information security. It is not often considered an investment, and the thought of a return is almost non-existent.

Cybersecurity is more than a cost, it’s an investment

As is the case with IT in general, cybersecurity does not provide any direct return. Money spent on implementing security measures, such as firewalls, intrusion prevention and detection systems, vulnerability scanners and log aggregation/analysis tools, does not come back as a direct return. However, these tools provide very valuable indirect returns, and most businesses undervalue them.

A strong example of cybersecurity as an investment is the vulnerability scanner. Static vulnerability scanners are used to find security flaws in code. In doing so, these tools essentially find defects in the code before they become bugs. Fixing a bug is very expensive compared to fixing a defect. Every bug that the static scanner finds provides an indirect return on the scanner investment.

Another example is an investment in a Security Information and Event Management (SIEM) tool. SIEM tools are used for log aggregation and analysis. The indirect RoI and security benefits provided by centralized logging, analysis and alerting are invaluable. The first benefit is system performance. Logs can raise an alert well before the CPU is overutilized or storage runs out of space. Just imagine finding this out after system performance has degraded (or the system has crashed): it would be a nightmare for the operations team (and people could lose jobs). Security is another indirect RoI of logging. Logs can generate an alert if there are multiple failed login attempts, or if a user is trying to log in from an unusual place or at an unusual time. Logging can also be used to detect whether an employee is trying to access data that he or she should not be accessing. Lastly, logging makes compliance very easy. If the right data is logged and shown on a dashboard, even the most difficult audit meetings become a cakewalk.
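The alert rules described above (capacity warnings before saturation, repeated failed logins, logins from an unusual place or at an unusual time), as an added example that is not from the original article. The event fields, thresholds and per-user baseline are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events; the field names are assumptions, not a SIEM's schema.
EVENTS = [
    {"ts": "2024-03-04T09:01:10", "type": "login", "user": "alice", "ok": False, "country": "DE"},
    {"ts": "2024-03-04T09:01:40", "type": "login", "user": "alice", "ok": False, "country": "DE"},
    {"ts": "2024-03-04T09:02:05", "type": "login", "user": "alice", "ok": False, "country": "DE"},
    {"ts": "2024-03-04T09:15:00", "type": "metric", "host": "app01", "name": "disk", "value": 91.5},
    {"ts": "2024-03-04T09:16:00", "type": "metric", "host": "app01", "name": "cpu", "value": 40.0},
    {"ts": "2024-03-04T10:00:00", "type": "login", "user": "bob", "ok": True, "country": "DE"},
    {"ts": "2024-03-05T03:12:00", "type": "login", "user": "bob", "ok": True, "country": "BR"},
]
# Assumed per-user baseline (usual countries, usual login hours) learned from history.
BASELINE = {"alice": {"countries": {"DE"}, "hours": range(7, 20)},
            "bob": {"countries": {"DE"}, "hours": range(7, 20)}}
FAIL_LIMIT, FAIL_WINDOW = 3, timedelta(minutes=5)   # assumed thresholds
WARN_AT = {"cpu": 85.0, "disk": 90.0}               # percent used; warn before saturation


def detect(events, baseline=BASELINE):
    """Return (timestamp, rule, subject) alerts for the events, in time order."""
    alerts, failures = [], defaultdict(deque)
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        if ev["type"] == "metric":
            limit = WARN_AT.get(ev["name"])
            if limit is not None and ev["value"] >= limit:
                alerts.append((ev["ts"], "capacity_warning", ev["host"]))
        elif not ev["ok"]:
            recent = failures[ev["user"]]
            recent.append(ts)
            while ts - recent[0] > FAIL_WINDOW:      # drop failures outside the window
                recent.popleft()
            if len(recent) == FAIL_LIMIT:            # fire when the count reaches the limit
                alerts.append((ev["ts"], "failed_login_burst", ev["user"]))
        else:
            profile = baseline.get(ev["user"])
            if profile is None:
                continue                             # no history yet: nothing to compare against
            if ev["country"] not in profile["countries"]:
                alerts.append((ev["ts"], "unusual_location", ev["user"]))
            if ts.hour not in profile["hours"]:
                alerts.append((ev["ts"], "unusual_time", ev["user"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(*alert)
```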

Let’s take a real-world example. Logs available in SAP S/4HANA can be used to improve security and compliance. Read Access Logs and Security Audit Logs are just two examples. These logs provide lots of valuable information to security professionals. The tricky part of using logs for security and compliance is figuring out what data should be logged, how these logs should be accessed and what to look for in the logs. It is beyond the scope of this or any blog post to describe the details of these SAP S/4HANA logs and how to use them for security and compliance in order to realize the indirect RoI. Please refer to the e-bite, “Logging for SAP S/4HANA Security” by SAP Press. The e-bite dives deeper into what data should be logged, how these logs should be accessed and what to look for in the log.

Lastly, the most RoI in cybersecurity is realized by providing training and education to employees. People are the first line of defense in protecting a business and its data. Training employees in security measures should be the most important goal for improving the security and compliance of any business. Any money invested in training employees has an almost direct RoI.

Although cybersecurity is considered a “cost” for any organization or business from an accounting perspective, it provides some invaluable indirect returns on investment. Finding a software defect early in the development lifecycle, detecting an attack from the logs, deflecting DDoS attacks, or training employees not to click a link in an email that leads to ransomware and other phishing attacks can save businesses millions in the long run. Optimizing these tools and processes is the surefire way to increase the RoI on cybersecurity.