Building Your Business Case for Cyber Security
‘What is essential is invisible to the eye’, says Antoine de Saint-Exupery’s Little Prince. As odd as it may sound, this phrase becomes a business rule when it comes to cyber security. We’re now at the stage where everyone should be thinking about building their business case for this.
According to a recent survey by PricewaterhouseCoopers (PwC), 38% more security incidents were detected in 2015 than in previous years, showing that losses due to global cybercrime are at an all-time high. In fact, 24% of organisations have increased their cybersecurity budget in response. However, many managers still neglect the cybersecurity budget, not knowing how to spend it appropriately or how to calculate its value for the business.
When it comes to cyber protection, Europe remains more conservative than the USA, pushing for budget cuts and cheaper alternatives. Global economic pressures mean companies must do more with less and demonstrate a return on investment for every item of spend. By its nature, cyber resilience is invisible as long as it is working, so it is easy for it to be seen purely as a cost.
If you are a security officer preparing to defend your budget and this task starts to look like a desperate crusade – do not despair! There is a very simple way to convince management to grant you the funding you need. You simply need to prepare a justification that is not only supported by facts and numbers, but also relates to what the management is really interested in – ROI.
Setting the Right Expectations
As cybersecurity is not a service or a product, the only way for it to provide any financial benefits is to protect the organisation from losses. You need to demonstrate how this will affect the company’s budget in a simple and decisive way, without relying on complicated predictions and APT (Advanced Persistent Threats) information.
If you can demonstrate how an investment of $1 can prevent an incident that would cost the company $10, you can easily have the management on your side.
Formulating Loss Expectancy
Let’s start by adapting an Annual Loss Expectancy (ALE) formula to calculate the potential losses caused by poor risk management. We can use the CISSP®-ISSMP® formula, as provided by the International Information System Security Certification Consortium, Inc. (ISC)²®:
ALE = Number of Incidents per Year x Potential Loss per Incident
Bearing in mind the general statistics, we can accept 12 incidents per year as an average. Always keep the numbers reasonable: you need to gain trust as an expert, not dazzle management with a marketing trick.
Calculating the potential loss is much more difficult, as it depends on many variables. Recently, U.S. ratings agency Moody’s Investors Service stated that cyber risk will now take higher priority in its credit analysis as an ‘event risk’. Moody’s Associate Managing Director and report author Jim Hempstead admitted that cyber threats are hard to qualify and define because ‘cyber risk means different things for different sectors’. Adding variables like reputational risk and loss of goodwill to the consequences of a data breach makes it almost impossible to predict an exact value.
We can collect data from a trustworthy source and calculate an average for the industry, then use the value for our formula. For example, according to a study by Kaspersky Lab and B2B International published in late 2015, small and medium businesses have been losing $38,000 per incident, due to factors such as system downtime and missed opportunities.
Of course, even figures based on averages can be disputed, so it is better still to back them up with events and costs that can be identified. If you are dealing with online sales, for example, the primary expenses a data breach can provoke are easy to recognise:
- Information theft and exposure
- Service downtime
- Specially allocated third-party experts
- Legal fees and compensations
According to the Payment Card Industry Data Security Standard (PCI DSS), ‘any merchant that has suffered a hack that resulted in an account data compromise may be escalated to a higher validation level’, which will have a significant impact on the business. Understanding the average cost of hiring an expert is also more straightforward. If we assume at least a week of work will be needed to find the root cause of the breach and create a new, more effective defence, we could easily be looking at a $10,000 expense. Taking this into account, the suggested average of $38,000 seems more and more reasonable. In fact, according to the 2015 Information Security Breaches Survey commissioned from PwC by the British government, average losses for small and medium businesses range between $112,000 and $466,200. And knowing that a single attack cost UK telecoms giant TalkTalk $50,510,600, it is safe to revert to our initial average of $38,000 to calculate ALE:
ALE = 12 x $38,000 = $456,000
With this calculation completed, you now have an average for the losses a company could expect to incur if it does not invest in improving its cybersecurity.
Calculating ROI and Securing Your Budget
To complete the budget justification, it is best to present your managers with a complete and straightforward list of products and services that can protect the organisation. For example, an e-commerce organisation will need to protect the website’s front end to prevent a possible breach of data. Here is a sample list:
- Web Application Firewall (WAF) – Will block SQL injection and cross-site scripting attempts, which aim to reach the user’s browser and expose private data. The system will still remain vulnerable to more sophisticated attacks.
- A Scanning and Monitoring Solution – Extremely important in order to ensure that your security measures are up to date and ready to respond to the most recent cyber threats.
- Third-Party Expert Evaluations – Proving that two heads are always better than one and certainly better than automated scanning, High-Tech Bridge Security Research Lab has managed to discover a critical vulnerability in the latest version of e-commerce software Zen Cart, preventing major losses.
- Cyber Resilience Training – As stated by the PwC survey cited earlier, 53% of companies are already investing in an employee training programme. RESILIA (Foundation and Practitioner) is a very effective training course aimed at developing the skills and insight needed to detect, respond to and recover from cyber-attacks, which can prove crucial for cybersecurity.
If we accept $45,600 as a reasonable annual cost to acquire all of the above, we can use the ROI formula suggested by CISSP®-ISSMP® studies, plugging in the previously estimated ALE value:
ROI = (ALE / Cost of Countermeasures) x 100%, so ROI = ($456,000 / $45,600) x 100% = 1000%
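The two formulas above, worked through in code as an added example (not part of the original article): it reproduces the article’s ALE and ROI figures, then runs the same arithmetic over the other loss ranges the article cites ($112,000 to $466,200 per incident, and fewer incidents per year) so a reader can see how sensitive the 1000% headline is to the inputs, and computes the break-even incident rate at which ALE merely equals the countermeasure cost. The function names and the choice of ranges are this example’s own assumptions; the dollar figures are the article’s.

```python
"""Worked ALE / ROI calculation for a cyber security business case.

Added example; it implements the two formulas quoted in the article:
    ALE = Number of Incidents per Year x Potential Loss per Incident
    ROI = (ALE / Cost of Countermeasures) x 100%
"""
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class LossEstimate:
    incidents_per_year: float
    loss_per_incident: float  # same currency as the countermeasure cost


def annual_loss_expectancy(est: LossEstimate) -> float:
    """ALE = incidents per year x potential loss per incident."""
    return est.incidents_per_year * est.loss_per_incident


def roi_percent(ale: float, countermeasure_cost: float) -> float:
    """ROI as the article defines it: ALE divided by countermeasure cost, in %."""
    if countermeasure_cost <= 0:
        raise ValueError("countermeasure cost must be positive")
    return ale / countermeasure_cost * 100.0


def break_even_incidents(loss_per_incident: float, countermeasure_cost: float) -> float:
    """Incidents per year at which ALE equals the countermeasure cost (ROI = 100%).

    Below this rate the countermeasures cost more than the expected loss they
    are justified against, so it is the figure a sceptical manager will ask for.
    """
    if loss_per_incident <= 0:
        raise ValueError("loss per incident must be positive")
    return countermeasure_cost / loss_per_incident


Row = Tuple[float, float, float, float]  # (incidents, loss, ALE, ROI %)


def sensitivity_table(incidents: Iterable[float], losses: Iterable[float],
                      countermeasure_cost: float) -> List[Row]:
    """Evaluate ALE and ROI for every combination of the supplied inputs."""
    rows: List[Row] = []
    for n in incidents:
        for loss in losses:
            ale = annual_loss_expectancy(LossEstimate(n, loss))
            rows.append((n, loss, ale, roi_percent(ale, countermeasure_cost)))
    return rows


# The article's inputs: 12 incidents/year, $38,000 per incident, $45,600 of countermeasures.
ARTICLE_ESTIMATE = LossEstimate(incidents_per_year=12, loss_per_incident=38_000)
ARTICLE_COUNTERMEASURE_COST = 45_600

if __name__ == "__main__":
    ale = annual_loss_expectancy(ARTICLE_ESTIMATE)
    print(f"ALE = ${ale:,.0f}, ROI = {roi_percent(ale, ARTICLE_COUNTERMEASURE_COST):.0f}%")
    print(f"Break-even at {break_even_incidents(38_000, ARTICLE_COUNTERMEASURE_COST):.2f} incidents/year")
    # Loss-per-incident values are the ones the article quotes; incident counts are assumed.
    for n, loss, ale, roi in sensitivity_table([1, 6, 12], [38_000, 112_000, 466_200],
                                               ARTICLE_COUNTERMEASURE_COST):
        print(f"{n:>3} incidents x ${loss:>9,.0f} -> ALE ${ale:>11,.0f}  ROI {roi:>8,.0f}%")
```

Note that the article’s ROI formula treats the whole ALE as avoided loss and does not subtract the countermeasure cost; if management uses a net definition of return, the same functions can be reused with the numerator replaced by ALE minus cost.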
Such a massive positive return might seem a bit unrealistic, but supported by the proper arguments, facts, products and pricing, it should certainly give your management the data they need to make an investment decision.
With all the facts and figures on your side, you are ready to impress and justify your cybersecurity budget: now is the time to build your business case for cyber security.