How to maximize your security budget while demonstrating ROI

The 2021 Positive Technologies Cybersecurity Threatscape report revealed that cyber attacks remain on the rise in the post-pandemic world, increasing by 17% compared to 2020. Ransomware remains the most-used malware by attackers. With the average ransom payment values up by a staggering 82 percent in 2021, it’s understandable why data breach concerns drive security spending. Businesses must be able to demonstrate to their customers and partners that they have clear and robust security measures in place.

However, it can be a challenge to assign an accurate monetary value to a data breach, which makes it difficult to demonstrate ROI on security spend.

Change the attitude: Consider measuring positive business outcomes instead

Assigning security budget based on the potential cost of a data breach focuses on a negative consequence, and doesn’t always help build an effective business case for investing in security.

Instead, organizations should focus on how security investment can demonstrate a positive business return, such as these key catalysts for security spend:

• Competitive advantage
• Best practice and customer assurance
• Regulatory compliance
• External audit
• Contractual obligation with a supply chain, bid or procurement process

So, we’ve identified five key areas where security provides a positive outcome for the business. But can they help you maximize your security budget and demonstrate ROI? Let’s consider them one by one.

Competitive advantage: No longer a business case for security spend

Rewind 10 years to 2011 when Netflix was still renting out DVDs, employees working from home was unusual and organizations still operated under the 1995 Data Protection Directive. In those days, having enhanced data security may well have provided a competitive edge, especially if you wanted to work with the “rich and paranoid” sectors such as finance.

Yet this is not true for most industries today, when having robust data security has been elevated from a great-to-have to a must-have. Good security practice is a requirement, so competitive advantage can no longer be presented as an effective business case for security spend.

Best practice: A challenge to quantify

Can we instead cite best practice as providing ROI in our security budgets? Organizations that follow best practice will certainly be able to protect their intellectual property and critical data assets. Plus, they will significantly reduce the risk of disruption to their business continuity.

However, it can be a tough and time-consuming challenge for some organizations to quantify exactly what “best practice” means for their business. And adopting best practice strategies can require significant investment; it can be expensive. Furthermore, best practice strategies are usually aligned with business strategy alongside regulatory and compliance mandates.

So, while a best practice data security strategy will send a positive message to customers and partners, it presents a weak case for proving a specific ROI in your security budget.

Regulatory compliance: A business cost

Although regulatory compliance is certainly a driver for investing in security, it is generally seen as the cost of doing business – fail to comply with regulatory requirements and the business itself is at risk.

Regulations such as GDPR are cross-industry, while some are sector specific, such as the Financial Conduct Authority (FCA) regulations, the International Traffic in Arms Regulations (ITAR) and the Health Insurance Portability and Accountability Act (HIPAA). Having a broad understanding of compliance for such regulations does not fit within the usual IT security skill set, where regulation is often considered a less inspiring reason to conduct security.

Compliance can require a significant investment – not just in technology but in specialist people and processes. For example, a business must comply with 12 operational and technical requirements to meet the Payment Card Industry Data Security Standard (PCI DSS).

So regulatory compliance generally falls to the business budget rather than security, and so is not useful to cite when trying to prove ROI in a security budget.

External audit: Usually reactionary

What about external audits? Can they demonstrate ROI in a security budget?

Again, no. In most cases, external audits are conducted as a reaction to legal regulations or an organization’s group requirements, which assign them to a general business responsibility. The business will need to react to the audit’s output, conclusions, and recommendations. Any gaps will require additional or reallocated budget, which makes it a business responsibility. So, while external audits may drive security spend, they can’t really help show ROI in security spend.

Contractual obligations: Security requirements are clearly specified

Now we’re talking. When it comes to contractual obligations within your supply chain, or your bid and procurement processes, the security required to protect each business’s data or networks will be clearly stipulated.

While organizations will differ in approach depending on their risk strategies, there are common security controls that all organizations should expect. These may include, for example, annual penetration testing, phishing assessments, regular firewall audits and a Security Information and Event Management (SIEM) or Security Operation Centre (SOC) to monitor events and respond to incidents.

These specific and clear-cut contractual obligations make it easy to demonstrate ROI in a security budget. For most organizations, the ROI can be found in three key areas:

• Maintaining existing service agreements
• Streamlining the onboarding of new customers
• Continual assurance to customers that they are following contractual obligations.

The security controls typically required when working with a customer or supplier include security certifications and information security frameworks such as ISO 27001 or its more affordable and achievable alternative, the IAMSE Governance standard, which includes GDPR requirements and Cyber Essentials. On that note, if you’re tendering to government agencies, Cyber Essentials and Cyber Essentials Plus are imperative.

Yes, these controls require significant time and financial investment, but they demonstrate a clear and specified security commitment to the customer and supply chain in an environment where it is easy to demonstrate a clear and positive ROI, offsetting contract values against a security budget.