The Art and Science of Calculating ROI for Security Software: Is It Really A Risk Management Calculation?


Can enterprises and organizations really measure the Return on Investment in digital security solutions? It is not easy, but it is possible when the challenges being solved are looked at through different lenses.

Developing IT budgets for the new year is never easy, and especially hard for 2021, given the constant uncertainty, we are facing in 2020, including the requirement to secure at home working, where access to data is more difficult to safeguard.

When information security professionals recommend and request funding, they are always confronted with the question – how much will it cost, how much will it save, and why should we spend on this compared to other needs?

How long will it take for this investment to pay for itself, either in the form of new revenue or saved costs?

Security investments historically have never been intended to generate new revenue. That is changing, as more customers are insisting on security and as more “commerce” is happening in the cloud, with the exchange of data using APIs, for example. It is now possible to make the case that a more secure infrastructure and environment make platforms and digital services better for customers, and while that is a stretch to calculate, it is a growing reality.

Still, to a large degree, security professionals are paid to make sure nothing bad happens, and if it does, the issue will be resolved immediately.

The best cybersecurity solutions are often invisible to most, including the C-Suite and Board of Directors, but that is also changing dramatically. Board members are asking good questions, and CEOs are not limiting responsibility to a VP or Director of IT level person, rather they are empowering CISOs, along with CMOs, CTOs, and COOs, because the threat risk has grown, and high profile cases are getting extreme media coverage, which has made some victims of breaches go bankrupt.

Hard numbers are available on the costs of many high-profile security breaches. The Target credit card breach cost the company over $300 million. Equifax has paid out over $650 million to settle claims over its massive data breach.  Capitol One’s 2019 breach cost over $300 million.

This week, Ironsphere, a New Jersey-based Privileged Access Management security software provider, introduced a Risk Management Calculator designed to determine the ROI based on specific attributes and levers.

“PAM is an information security and governance tool our clients use to prevent data breaches and attacks through the close and automated management of privileged accounts,” said Orhan Yildirim, CTO, Ironsphere. “A PAM solution consistently protects management accounts, controls privileged user access, enforces segregation of duties, logs user sessions and activities, provides accounting, compliance auditing, and operational efficiency, and helps to prevent security breaches, which have been documented to cost from $4M to $400M, depending on the number of records compromised and the value of the related data.”

Yildirim explained that IT managers and network administrators must efficiently secure access, control configurations, and log all activities in the data center or network infrastructure, where any failure to access privileged accounts could result in a material impact on business continuity.

Historically, organizations have invested in software and hardware-focused on securing the perimeter of their networks, but today PAM plays a critical role in protecting assets and mitigating risk, given that 81% of all data breaches in 2019 were linked to lost or stolen user credentials, and 43% of successful breaches were linked to internal actors, according to the Verizon Data Breach Investigations Report (DBIR).

“As regulatory pressures mount, penalties rise, and reputational damage is done when breaches are made public, an investment in PAM goes beyond technical and tactical, to strategic and smart,” said Orhan Yildirim. “IT and OT teams, especially in large enterprises and government organizations, are under unprecedented pressure to keep work flowing, while protecting networks, applications, and data, and complying with increasingly complex regulations and avoiding large fines.”

When developing 2021 budgets and information security vendor ROI calculations, Yildirim said it is important to use all available data, both internal and external, to make the case. “Remind your management team and boards that there are several advantages: reducing labor costs and being able to track and respond using advanced automation while also insuring against reputational damage that could, in fact, be priceless.”

While cybersecurity has always been a concern, it has become increasingly significant in the recent past, with a higher frequency of incidents, including large attacks, which can have massive economic consequences and can even be deadly. Data, including healthcare data, is more valuable to cybercriminals than ever, but in the rush to digital transformation (and responses to crises, including the 2020 Covid-19 pandemic), organizations of all sizes are unintentionally opening themselves up to the largest source of data breaches.

Learn more about the complimentary assessment and download the white paper here

Arti Loftus is an experienced Information Technology specialist with a demonstrated history of working in the research, writing, and editing industry with many published articles under her belt.

Edited by Maurice Nagle
Get stories like this delivered straight to your inbox. [Free eNews Subscription]

Special Correspondent

Related Articles

Shabodi Accelerates Adoption of Network-Aware Applications with CAMARA API Enterprise Reference Implementation

By: Special Guest    2/16/2024

Shabodi, an Application Enablement Platform (AEP) provider unleashing advanced network capabilities in LTE, 5G, 6G, and Wi-Fi 6, announced they have l…

Read More

How Much Does Endpoint Protection Cost? Comparing 3 Popular Solutions

By: Contributing Writer    2/2/2024

Endpoint protection, also known as endpoint security, is a cybersecurity approach focused on defending computers, mobile devices, servers, and other e…

Read More

What Is Databricks? Simplifying Your Data Transformation

By: Contributing Writer    2/2/2024

Databricks is an innovative data analytics platform designed to simplify the process of building big data and artificial intelligence (AI) solutions. …

Read More

What Is Blue/Green deployment?

By: Contributing Writer    1/17/2024

Blue/green deployment is a software release management strategy that aims to reduce downtime and risk by running two identical production environments…

Read More

The Threat of Lateral Movement and 5 Ways to Prevent It

By: Contributing Writer    1/17/2024

Lateral movement is a term used in cybersecurity to describe the techniques that cyber attackers use to progressively move through a network in search…

Read More