The Price You Have to Pay: How can you prove return on investment?

By: Jordan

8, November, 2019

Data breaches are nothing new to the companies and individuals affected by them; however, the format and nature of cyberattacks change with every passing day as attackers get craftier. From Yahoo and Pitney Bowes to Equifax, major companies and organizations have not managed to fend off security breaches completely, but their teams of cybersecurity experts and some level of cybersecurity defences have helped to reduce the impact of catastrophic data breaches.

Huawei's recent, startling revelation that the company faces a million cyberattacks per day further underscores the increasing risk of cybersecurity breaches.

Cyber risk was named the biggest concern for businesses in the latest 2019 Travelers Risk Index survey, with cybersecurity risks the top concern for 55% of businesses across the globe [1].

Cost of cybersecurity breaches

Companies are not worried about growing cyber risks without reason. The potential impact of a cybersecurity breach is not confined to data loss; it covers a host of other aspects, including loss of credibility and brand damage, loss of customer trust, unauthorised exposure of classified information and monetary losses.

According to the latest "Cost of a Data Breach" report by IBM and the Ponemon Institute, the average cost of a data breach to a business in 2019 is estimated at $3.92 million [2].

A data breach costing almost $4 million could be catastrophic for some businesses, even forcing them to shut down.

Cybersecurity Spending

As the world sees more and more damaging cyberattacks, companies are growing increasingly fearful of the harm such an attack could inflict on their operations and are spending to beef up their cybersecurity defences.

Global spending on cybersecurity solutions is projected to surpass $1 trillion, cumulatively, between 2017 and 2021, according to a report by Cybersecurity Ventures. A report by Gartner predicts global investment on information security (a subset of the cybersecurity market) to reach $124 billion in 2019 and $170.4 billion in 2022.

Should you adopt cybersecurity solutions?

It is a no-brainer that hackers attack big companies to inflict greater damage and extort the largest possible sums. But this does not mean that small and medium enterprises are immune to cyberattacks!

According to the Verizon 2019 Data Breach Investigations Report, small businesses are being increasingly targeted by attackers, with 43% of cyber-attacks aimed at small businesses.

Deploying a robust IT security infrastructure and having a strong team of IT security experts can help reduce the impact of cybersecurity breaches, if not eliminate the risk altogether, which is next to impossible given the pace of digitalisation and the emergence of technologies that are boon and bane at the same time.

The report by IBM and the Ponemon Institute found that companies with security automation technologies suffered nearly half the cost of a breach, at $2.65 million on average, compared with $5.16 million in damages on average for companies that had not deployed such technologies.

These figures should give you a rough idea of how important security solutions could prove for your business. Despite the recognised importance of a robust IT security infrastructure, many boardroom discussions ultimately come down to a single point: the return on investment (ROI) in security products and solutions.

Several factors come into play when you have to justify the ROI of the security products and services to be deployed to strengthen your defences against hackers. An attack could lead to the compromise of general and sensitive data, a decline in brand image and thereby in the company's valuation and ratings, loss of customer trust, legal fines and litigation costs from class-action lawsuits over the lost data, and operational outages, all of which will cost a company dearly.

Moreover, not all of these damages are direct, and a company and its management may take some time to understand the actual damage caused by a data breach. A classic example is Yahoo's data breach, which severely affected its reputation as well as its valuation: Verizon Communications, which initially proposed to buy Yahoo for about $4.8 billion in 2016, concluded the purchase after paying just $350 million in 2017. On top of this, Yahoo is now settling the class-action lawsuit associated with the data breach and expects to pay approximately $117.50 million to Yahoo account holders.

You certainly do not want to be in a situation like this and pay a hefty price for not adopting reliable security solutions. Do you?

But since numbers reign supreme when running a business, you should know which solutions have to be adopted and how beneficial they will prove in the mid to long term, as attacks get more sophisticated.

Cybersecurity: Returns on Investment

Investment in cybersecurity solutions can be quite expensive, so justify the investment by first factoring in the tangible and unavoidable direct costs that will hit your business if a data breach happens.

You can calculate the Annual Loss Expectancy (ALE) from a cybersecurity breach using the CISSP®-ISSMP® ALE formula:

ALE = (Number of Incidents per Year) × (Potential Loss per Incident)

Study the market, the industry you serve and your own business to better estimate the number of incidents that could affect you in a year. Consider the different types of attacks, of different magnitudes, that your business could face, and calculate the average cost per breach in your industry after consulting a reputable market research source.

Calculate the ALE from the number of incidents you believe you might face and the average cost of a breach you expect from each incident, after factoring in direct financial losses. Treat the calculated ALE as a base figure, as the actual losses may vary and will most likely worsen with every incident and its repercussions.

Now consider the different types of security products and services that might suit your requirements. Calculate the price/quality ratio of the candidate solutions and determine a group of solutions that you feel will offer optimum protection across different levels, after carefully considering your budget constraints. Let the cumulative value of all the solutions within your chosen group be the Cost of Countermeasures.

You can then calculate the ROI with the formula from the official guide to CISSP®-ISSMP®:

ROI = (ALE / Cost of Countermeasures) × 100%

This will give you a fair idea of the returns and benefits you can reap by investing in particular security solutions and guide you in selecting the most apt solution for protecting your business.
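The procedure above carried through end to end, as an added example that is not from the article or from the CISSP®-ISSMP® guide: the incident types, their yearly rates and per-incident losses, and the three countermeasure bundles are constructed sample figures, and summing the ALE across several incident types is an assumption about how to apply the per-incident formula to a business facing more than one kind of attack.

```python
"""Worked ALE and ROI calculation following the article's steps."""
from dataclasses import dataclass


@dataclass(frozen=True)
class IncidentType:
    name: str
    incidents_per_year: float  # estimated frequency for this business
    loss_per_incident: float   # direct financial loss per incident, in dollars


def ale(incidents):
    """Annual Loss Expectancy: rate x loss, summed over incident types (assumption)."""
    return sum(i.incidents_per_year * i.loss_per_incident for i in incidents)


def roi(ale_value, cost_of_countermeasures):
    """ROI exactly as the article states it: (ALE / Cost of Countermeasures) x 100%."""
    if cost_of_countermeasures <= 0:
        raise ValueError("cost of countermeasures must be positive")
    return ale_value / cost_of_countermeasures * 100.0


def rank_bundles(ale_value, bundles):
    """Return (bundle name, cost, ROI %) tuples, best ROI first."""
    scored = [(name, cost, roi(ale_value, cost)) for name, cost in bundles.items()]
    return sorted(scored, key=lambda t: t[2], reverse=True)


# Constructed sample figures for a mid-sized company (not market data).
SAMPLE_INCIDENTS = [
    IncidentType("phishing leading to account takeover", 4.0, 30_000.0),
    IncidentType("ransomware outage", 0.5, 400_000.0),
    IncidentType("lost laptop holding customer data", 2.0, 20_000.0),
]

# Cumulative annual cost of each candidate group of solutions (constructed).
SAMPLE_BUNDLES = {
    "awareness training + MFA": 60_000.0,
    "EDR + offline backups": 150_000.0,
    "fully managed SOC": 400_000.0,
}

if __name__ == "__main__":
    base_ale = ale(SAMPLE_INCIDENTS)
    print(f"ALE (base figure): ${base_ale:,.0f}")
    for name, cost, r in rank_bundles(base_ale, SAMPLE_BUNDLES):
        print(f"{name:28s} cost ${cost:>10,.0f}  ROI {r:7.1f}%")
```

The ranking only compares bundles against the same base ALE; revisit the incident estimates after each real incident, as the article advises, since the ALE is a floor rather than a ceiling.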

Investment in Training

Companies should proactively invest in training their employees and partner vendors on cyber threats and the importance of following good practices, as a significant number of data breaches result from insider activity, whether intentional or unintentional.

Investment in reliable, sophisticated security solutions, hiring security experts and raising awareness of cyber risks among employees and partners will definitely prove beneficial, as cybersecurity is ultimately about managing risk and preventing losses.