
Proving Cybersecurity Return on Investment: Cyber Moneyball

“How do you prove cybersecurity return on investment?” is a question we get all the time. In the previous installment of Cyber Moneyball, I covered why focusing on vulnerability management to avoid cyber threats is a waste of time. Today, I’m going to talk about cybersecurity ROI and how to find the right cybersecurity solution for your organization.

Cybersecurity ROI has traditionally been difficult if not impossible to prove. I hear it all the time from security leaders: you can’t prove a negative, so we have no way of knowing our return on investment for cybersecurity products. There are three things you need to know to prove your cybersecurity investments are worth it — or not: You need to understand the value of what’s being protected, how much your security solutions cost, and how well they are performing. Watch the video below for more on how you can do so.

Proving Cyber ROI

The ability to prove the effectiveness and value of cybersecurity investments is one of the cornerstones of a mature security program. By testing your production environment against threats, you can gain insight into how much risk your tools are actually mitigating. Then you can compare that to the value of the systems that could be compromised to find out how well your investment is paying off. You can get granular with that data to see how ready your people, processes, and technology are to ward off cyber attacks.

Of course, it’s not as simple as flipping a switch or installing a new application. In addition to testing your systems, you need to do a thorough risk assessment to find the overall value of your assets and what’s at stake for your organization. I promise it’s worth the effort. Knowing what you have and how well protected it is in concrete terms opens up the door to making strategic decisions about how to improve your security posture efficiently and effectively. Using this approach, you’ll be able to measure the results as you mature.
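As an added illustration (not SightGain’s code or method), the following Python model ties the three inputs together: each threat scenario’s expected annual loss (value at stake times annual likelihood, the standard annualized loss expectancy idea), per-control test results, and per-control cost. The scenario values, control names and costs are constructed sample data, and the rule that credit for a stopped scenario is split evenly among the controls that stopped it is an assumption.

```python
from dataclasses import dataclass

@dataclass
class Scenario:
    name: str
    value_at_stake: float     # loss if the attack succeeds
    annual_likelihood: float  # chance per year with no controls in place

    def expected_loss(self) -> float:  # standard annualized loss expectancy
        return self.value_at_stake * self.annual_likelihood

@dataclass
class Control:
    name: str
    annual_cost: float   # must be positive for the ROI ratio to make sense
    cost_center: str     # "people", "process" or "technology"
    stopped: frozenset   # names of scenarios it stopped when tested

def risk_reduction_by_control(scenarios, controls):
    """Credit each scenario's expected loss to the controls that stopped it."""
    credit = {c.name: 0.0 for c in controls}
    for s in scenarios:
        stoppers = [c for c in controls if s.name in c.stopped]
        for c in stoppers:  # assumption: even split among the stoppers
            credit[c.name] += s.expected_loss() / len(stoppers)
    return credit

def residual_risk(scenarios, controls):
    """Expected loss from scenarios that no control stopped in testing."""
    return sum(s.expected_loss() for s in scenarios
               if not any(s.name in c.stopped for c in controls))

def roi_by_control(scenarios, controls):
    """ROI = (risk reduction credited to the control - its cost) / its cost."""
    credit = risk_reduction_by_control(scenarios, controls)
    return {c.name: (credit[c.name] - c.annual_cost) / c.annual_cost
            for c in controls}

# Constructed sample data, not real figures
SCENARIOS = [
    Scenario("phishing-to-ransomware", 2_000_000, 0.30),  # expected loss 600k
    Scenario("web-app-data-theft", 1_000_000, 0.20),      # expected loss 200k
    Scenario("insider-exfiltration", 500_000, 0.10),      # expected loss 50k
]
CONTROLS = [
    Control("edr", 150_000, "technology", frozenset({"phishing-to-ransomware"})),
    Control("waf", 80_000, "technology", frozenset()),  # stopped nothing when tested
    Control("soc-analysts", 400_000, "people",
            frozenset({"phishing-to-ransomware", "insider-exfiltration"})),
]
```

With this data the EDR returns 1.0 (it is credited with 300k of reduction for 150k), the WAF returns -1.0 because it stopped nothing in testing, and 200k of expected loss remains unmitigated.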

To learn more about how to improve your cybersecurity by focusing on cyber readiness instead of proxy statistics, contact SightGain today.

Video Transcript

Timestamps
0:00 Intro
0:36 How to Prove Cyber ROI: Readiness Approach
1:07 How to Prove Cyber ROI: Against Threats
1:46 How to Prove Cyber ROI: To Overcome
2:08 Review

Boards and executives want to know: are we getting a good return on our investment? Are we spending money in the right places? Are we able to stop this latest threat with our current cybersecurity solutions? We often hear that it’s a challenge to answer these questions and to be able to prove it with empirical data. So that’s what we want to talk about today: improving your cybersecurity return on investment.

I used to hear it all the time: you can’t prove a negative, so we have no way of knowing our return on investment for cybersecurity solutions.

0:36 How to Prove Cyber ROI: SightGain Readiness Approach

However, with SightGain, we can test your system to provide you with the data you need to understand performance.

I used to help a large federal agency manage its cybersecurity program. Do you want to know how they made decisions about which cybersecurity products they were going to buy? It was whatever Brian said. Who’s Brian? It doesn’t really matter. It’s just that he had a big personality and no one had any data to argue against his opinion. So the agency wasted millions of dollars on solutions because Brian said so. We have to change that approach.

1:07 How to Prove Cyber ROI: Protect Against Cyber Threats

The SightGain Readiness Platform tests your system against adversary threats and gathers performance data. We gather this data across all of the cost centers in cyber: people, process, and technology.

Next, we look at the overall value of the organization. What’s at stake? How much could be at risk from cyber? We translate the performance of your cyber tools against this value to understand risk exposure and how each component of your system contributed to reducing the overall risk.

Finally, with the performance information for each part of the system, we can look at the costs to see which components have a good return on investment, given their performance.

1:46 How to Prove Cyber ROI: Challenges To Overcome

The biggest challenge that an organization needs to overcome in improving its ROI is identifying the overall value and exposure that the organization has. Sometimes this information is nuanced, and it takes a little bit of work to suss it out. However, it can be done, and it’s important to understand what’s being protected, how much that is worth, and how we protect it.

2:08 Review

So in review: take this information across people, process, and technology, and marry it up with the overall risk of the organization to figure out how much each component has contributed to reducing that risk. Then, finally, match that up with the costs of each of those solutions to figure out whether we got a return on our investment for this part of our system versus another. The same data informs future investments: which solutions should we choose and why, and is the choice going to have a good return on investment, before we ever make a decision.

Click the link below to find out more about how we understand cyber threat risk management and how you can prove your ROI on a daily basis.