How do you know that your cybersecurity spending will provide you with a ROI?
Cybersecurity spending is increasing to the tune of a 24% increase in 2015. Still, it can be a difficult sale to management when it comes to budget hearings. Management may ask for ways to find a cheaper alternative or simply remove requested items. How can you convey the importance of the spending and provide them with a realistic ROI?
Make sure that you are using terminology and language management understands. Instead of attempting to frighten them into approval by warning about the risks of Advanced Persistent Threats to a website, tell them the numbers. Give them a calculation they’re used to hearing about: an Annual Loss Expectancy (ALE).
Here’s how to define that.
- Start with a simplified formula provided by CISSP-ISSMP: ALE = (number of incidents per year) * (potential loss per incident)
- Define the number of incidents per year. Let’s say we’re calculating an ALE for protecting an e-commerce website. A safe bet would be to expect at least one intrusion attempt via the front-end website per month.
- Define the potential loss per incident. This number isn’t straightforward, as an incident can affect reputation, stock options, search-engine optimization, financial data and even your company’s credit rating. Look to a reputable source in your industry to find an average cost. Taking our e-commerce site example, the average cost for a small business is $38,000 per cyberattack (ouch!).
ALE = 12 * $38,000.
Your Annual Loss Expectancy could quickly be calculated to equal $456,000. You take this number to management and explain that this is the number they should EXPECT to lose this year if they do nothing. That’s a few salaries they might not be able to afford.
With this information in hand, take the next step and define an ROI. An expert company in protecting your data (such as ours) can help direct you to the most efficient and effective products and solutions to protect against this loss. For the e-commerce site, you may need:
- web-application firewall
- continuous security monitoring
- regular manual assessments
Let’s estimate that these three items cost $45,000 per year. Now we do some math again.
ROI = (ALE/cost of solutions) * 100%.
ROI = ($456,000 / $45,000) * 100%
ROI = 1013%
Take that number to your budget hearing and get approved. With the right research, formulas and realistic solutions, you can present a straightforward request for the cost of protecting your company’s data. It’s a must-have.