This isn’t to say that ROSI or measuring security in qualitative terms isn’t valuable. Of course it is; we want to stop bad things and we want to know that our security solutions are working effectively. But it is worth contrasting these two approaches to better understand how ROSI and ROI can be leveraged when trying to justify budget, align the security budget with business priorities, and do all this while still focusing on risk reduction.

Qualitative measures:  ROSI

There are very specific investments that can be made in security that reduce risk and are also measurable in terms of dollars; we’ll get to those in the next section. However there are also a number of subjective measures that while more qualitative, are important variables in determining the health of an organization’s security posture.  

Consider washing your hands – it’s probably a good idea for my kids to wash their hands when they get home from school. While I know it is a good idea, and they know it too, even though their first instinct is to turn on Phineas and Ferb and turn the remote control into a Petri dish, I would have difficulty associating a monetary measure with them washing their hands at that instance even though it know it might help me avoid medical bills, missed school, etc. Switching back to security, some examples of ROSI include:

• Enhanced ability to prevent malicious activity
• Improved incident detection to incident remediation threat window
• Enriched decision making predicated on more exacting security data
• Increased efficiencies when generating reports to placate auditors
• Fewer compromised assets engaging in C2 communication

All of these ROSI examples are highly relevant. They make intuitive sense and are for the most part inline with the philosophy that many security experts use to validate what they do and why they many need more money and resources to do it.  But depending on the organization, assigning actual dollar values to these bullets may be extremely difficult.  Also, if your organization isn’t as security aware as you might wish, and they still think about computer security in terms of locking up your floppy disks, you may need to provide them with some more tangible monetary measures.

Quantitative measures:  ROI

The examples given under the ROSI section might not fit into one of the many concise ROI formulas such as:  (Gains from Investment – Costs of Investment)/Costs of Investments = ROI. And if that ROI is positive we generally see this as a good investment. If that ROI is negative, we generally see this as a bad investment; as in you don’t want to spend $100 on a $1 issue. There are other variables that must be considered for an accurate calculation such as adjusting for the timing of a positive or negative cash flow to allow for the time value of money. But that’s beyond the scope here and you get the general idea without having to pull out a financial calculator.

Security isn’t often thought about in terms of making money or saving money, but it can be. More organizations are asking their security teams to align with their business priorities and as such provide ROI measures. Here are a few use cases that illustrate how it can be used.

ROI example 1

Taking advantage of security suites and APIs that integrate products across vendors may yield the following gains:

• Using fewer security solutions and vendors
• Minimizing vendor product training for technical staff
• Reducing duplication of efforts
• Achieving greater purchasing strength by purchasing more from fewer vendors

All of these items in example one can be directly measured in terms of dollars. For example, we may save a million dollars a year in maintenance just by moving from seven security vendors to four security vendors and taking advantage of integrated suites and vendor partnerships to provide an equally strong if not stronger security posture. We might cut $100k in training costs, and move two FTEs that were doing essentially the same thing as two other FTEs on a different product onto other tasks. And or course the more you spend with a singe vendor, the deeper the discounts.

ROI example 2

Enriching existing security controls with solutions focused on making what you’ve got – better is a great ROI measure. There is often a push, by vendors, to sell you the latest and greatest control to stop the latest and greatest attack. In many organizations they’ve got the tools already, they just need to improve upon them; sort of like putting a supercharger in your 4×4 so you can tow that boat to Lake Tahoe without a minivan passing you. Some examples include:

• Getting three more years of life out of a five million dollar SIEM solution by linking it to big data security analytics solutions
• Using threat feed services integrated into your perimeter controls to reduce the number of malicious sites your employees visit and as such reduce the number of systems that need to be re-imaged
• Empowering your existing IPS and network-based anti-malware solutions to actually see encrypted traffic crossing the network through SSL decryption tools

In example two the dollars saved by not having to rip and replace existing infrastructure can be measured and the value gained, as in example one, also contributes to reduced risk.

This is somewhat analogous – and by somewhat I mean a pretty big stretch – to the cooking show Chopped where chefs are given a basket of ingredients and told to use what’s in the refrigerator and pantry to make it better. Most organizations aren’t trying to decide if they need firewalls, IPS, and anti-malware solutions. What they really need are solutions that improve on what they’ve got and in doing so improve ROSI and ROI.

How are your organizations going about this discussion? Is security simply being asked to reduce risk, or is security being asked to align with business priorities and demonstrate ROI?