
TIPS #25: Maximizing ROI across the Security Stack

Shane Shook

January 21, 2025

  • Blog Post
  • TIPS

A note from the author:  

Forgepoint’s community of cybersecurity and technology leaders provides essential insights and feedback on the TIPS series. While writing this edition, we heard from Andres Andreu, serial CISO and entrepreneur and now Deputy CISO of Hearst, about how he contextualizes governance, risk, and compliance (GRC) initiatives as a longtime cybersecurity leader across numerous organizations. His commentary is the perfect preface for the blog post below.

“Fundamentally, GRC initiatives are indeed an important part of a mature cybersecurity program. They are definitely not to be ignored. Their value is not to be mistaken with a protective stance, but to be appreciated as a guiding force toward deficient areas that need protective attention. So long as those areas are explored beyond what most GRC functions can provide, there is much value in following this prudent advice and taking protective action based on that which has been unearthed.”

Andres Andreu, Deputy Chief Information Security Officer, Hearst

Issue: Cybersecurity investments must demonstrate a clear Return on Investment (ROI). This is only possible with an active and well-aligned security posture driven by GRC. Unfortunately, most companies underinvest in GRC and security posture management, leading to trickle-down effects that reduce ROI.

CISOs and security leaders need to demonstrate a clear ROI from their cybersecurity stack in today’s business environment.  

ROI in security generally means being able to prove that you can achieve security at a lower cost than simply detecting and responding to incidents. It is a measure of loss prevention: time or money saved from avoided incidents. 

Total Cost of Ownership (TCO), a metric traditionally used to evaluate security tooling investments, is no longer sufficient in this new paradigm because it doesn’t take loss prevention savings into account. It only measures ownership costs like the purchase price, ongoing management and maintenance costs, and other operational costs.  

As a result, many companies are turning to market-tested capabilities (known quantities with a proven ROI) instead of transitioning design partners to paid client relationships, where there may be a known TCO but an unclear ROI. At the same time, buyers are increasingly looking for opportunities to make security investments that qualify as capital expenditures (CapEx) instead of operating expenses (OpEx) to gain efficiencies in their near-term expenses and income statements.

The expectation for ROI in security is clear, so what is the best way to measure and deliver it?

Reducing Value at Risk (VaR) to Deliver ROI 

One of the most useful metrics for demonstrating ROI in security is Value at Risk (VaR). VaR quantifies the potential for loss from an incident and the probability that the defined loss will occur over a particular time frame. For example, a company’s VaR might be a 3% chance of a 10% loss in profits from an incident in the next year.  

Consider the graph below, which visualizes VaR around the kill chain and Security Operations Center (SOC) tickets (a proxy for incidents):  

People, technology, and process issues (a misaligned security posture, in other words) have a direct impact on VaR and therefore on ROI. The weaker and less aligned a company’s security posture is, the higher its VaR and the more incidents (SOC tickets) it will experience in the later stages of the kill chain (costly breaches and compromises). This lowers ROI.

Conversely, the stronger and more aligned a company’s posture is, the less likely they are to experience a highly impactful incident and the fewer incidents (SOC tickets) they will experience later in the kill chain. This raises ROI.  

Similarly, more active security postures will result in more proactive SOC actions (Identify, Prevent, and Defend) whereas more passive security postures result in reactive actions (Respond and Recover).  

The takeaway here is that a proactive security posture helps companies detect incidents earlier in the kill chain, reducing VaR and therefore returning a higher ROI from security investments. Security tools, policies, and procedures which support critical business objectives and prevent costly incidents will deliver the best ROI. 
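The VaR definition and the kill-chain argument above, as an added example that is not part of the original post: a small Python model in which a posture is summarised by where its SOC tickets get closed, so that shifting closures earlier lowers expected loss and raises ROI in a way that TCO alone would not show. The stage names, per-stage costs, ticket mixes and programme cost are constructed for illustration; only the 3%/10% VaR figures come from the post.

```python
"""Added example, not part of the original post: a small model of the post's
claim that closing incidents earlier in the kill chain lowers Value at Risk
(VaR) and so raises ROI. All numbers here (stage costs, ticket mix, control
cost) are constructed for illustration."""
from dataclasses import dataclass

# Constructed: simplified kill-chain stages and the average cost (USD) of
# closing one SOC ticket at each stage. Later stages are far costlier.
STAGE_LOSS = {"recon": 200, "delivery": 1_000, "exploitation": 10_000,
              "lateral_movement": 100_000, "exfiltration": 1_000_000}

@dataclass(frozen=True)
class Posture:
    """A security posture summarised by where its SOC tickets get closed."""
    name: str
    tickets_per_year: int
    stage_share: dict  # fraction of tickets closed at each stage, sums to 1

def value_at_risk(profit: float, probability: float, loss_fraction: float) -> float:
    """VaR in the post's headline form, e.g. a 3% chance of a 10% profit loss."""
    return profit * probability * loss_fraction

def expected_annual_loss(p: Posture) -> float:
    """VaR proxy for a posture: probability-weighted loss across all stages."""
    if abs(sum(p.stage_share.values()) - 1.0) > 1e-9:
        raise ValueError(f"{p.name}: stage shares must sum to 1")
    return sum(p.tickets_per_year * share * STAGE_LOSS[stage]
               for stage, share in p.stage_share.items())

def roi(before: Posture, after: Posture, annual_cost: float) -> float:
    """ROI of moving from `before` to `after`: avoided loss net of cost, over
    cost. TCO alone would report only annual_cost and miss the avoided loss."""
    avoided = expected_annual_loss(before) - expected_annual_loss(after)
    return (avoided - annual_cost) / annual_cost

# Constructed: same ticket volume, but the active posture closes tickets earlier.
PASSIVE = Posture("passive", 500, {"recon": 0.20, "delivery": 0.30, "exploitation": 0.40,
                                   "lateral_movement": 0.08, "exfiltration": 0.02})
ACTIVE = Posture("active", 500, {"recon": 0.50, "delivery": 0.35, "exploitation": 0.13,
                                 "lateral_movement": 0.015, "exfiltration": 0.005})

if __name__ == "__main__":
    print(f"passive expected loss: {expected_annual_loss(PASSIVE):,.0f}")
    print(f"active expected loss:  {expected_annual_loss(ACTIVE):,.0f}")
    print(f"ROI of a 2M/yr posture programme: {roi(PASSIVE, ACTIVE, 2_000_000):.2f}")
```

Swapping in a company's own ticket history and incident cost data turns the same functions into a defensible before/after ROI figure for a posture investment.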

Ensure an Active Security Posture with GRC  

This is where Governance, Risk, and Compliance (GRC) comes into play. GRC ensures that your security posture is optimized to align with business objectives, meet regulatory requirements (like GDPR and DORA), and manage risks. Strong GRC enables a more active security posture, lowers VaR by helping you detect incidents earlier, and improves ROI by lowering insurance, audit, response, and other costs.  

Unfortunately, many companies don’t invest in sufficient GRC to achieve a calibrated and well-aligned security posture. This has a trickle-down effect, raising VaR and leaving them at a greater risk of experiencing impactful and costly incidents. 

Impact: Fragmented and inefficient security, decreased security tooling investments, and heightened cyber risks.

Security teams that fail to properly invest in GRC don’t drive ROI across the security stack and are more likely to underinvest in key areas. They typically have poorly coordinated tools which under-protect the business and do not align with key business and regulatory objectives. 

This increases the risk of successful attacks, breaches, and compromises, leading to higher recovery costs, greater losses from business disruption, and more regulatory violations. Companies that don’t properly enhance their security posture with GRC are also likely to pay higher cyber insurance premiums than those that do. 

To illustrate the impact of insufficient GRC, consider the 2017 Equifax data breach, one of the largest U.S. data breaches on record.  

2017 Equifax Data Breach and $575M Settlement 

In 2017, credit reporting agency Equifax experienced a massive data breach which exposed personal information including names, Social Security Numbers, and dates of birth for 147 million customers. Equifax’s security team had identified a critical database vulnerability in March and ordered patching within 48 hours, but the company never followed up to patch the systems. In July, the security team detected suspicious network traffic and determined that attackers had exploited the database vulnerability to gain network access before obtaining unsecured admin credentials and stealing the sensitive customer data.  

The Federal Trade Commission (FTC) soon filed a complaint alleging that Equifax had failed to secure sensitive customer data and violated the FTC Act’s prohibition against unfair and deceptive practices along with the Gramm-Leach-Bliley Act’s Safeguards Rule. The complaint clarified that the company did not have an effective patching policy, utilized unsegmented database servers, had ineffective intrusion detection systems, and used plain text password storage.  

In 2019, Equifax agreed on a settlement of at least $575 million (and up to $700 million) to provide credit monitoring and identity theft services to impacted customers, in addition to making payments to 50 U.S. states and territories along with the Consumer Financial Protection Bureau. The company also agreed to take steps to improve its data security practices, which included annual risk assessments and ongoing security program monitoring and testing.  

Action: Leverage GRC to improve security posture management and ensure maximum ROI across your security stack.

1) GRC  

GRC is ultimately an efficiency gain. It drives and defines the ROI of a security program by enhancing security posture: the tools, policies, and procedures used to protect the company and its customers. Strong GRC ensures that your investments are selected and deployed to align with business needs and protect key resources.  

Hyperproof operationalizes GRC by enabling you to automate workflows, prepare for audits, and mitigate risk in a unified platform.  

“Tying controls to revenue provides a high-level view of your compliance posture so you can understand the true value of your compliance program. It's vital to automate and streamline this process so you can align your GRC initiatives with business results, identify which frameworks to prioritize next, and understand your cost-to-market entry.”

Craig Unger, CEO and Founder, Hyperproof

2) An Active and Strong Security Posture 

As discussed in TIPS #10, your company needs a well-calibrated blend of preventative and reactive capabilities across the security stack to protect core business functions. A business-aligned posture that addresses key resource dependencies is critical to prevent breaches and compromises, in addition to generating better ROI by lowering insurance, response, and other costs. SolCyber enables companies to leverage a full range of active and passive security capabilities in a unified, fully managed platform.   

a) Perimeter and application security posture

Bishop Fox’s fully managed Cosmos platform combines advanced attack surface management and expert-driven pen testing to help your team identify and remediate exposures and vulnerabilities. Cosmos helps you meet external threats with continuous attack surface testing and an active perimeter and application security posture.   

b) Data security posture

SPHERE’s SPHEREboard platform offers Data Security Posture Management (DSPM) to reduce identity and data risks in your organization and ensure an active data security posture. 

c) Cloud security posture

Uptycs’ Cloud Security Posture Management (CSPM) solution gives you visibility over cloud-based resource dependencies and helps you align your policies and tools to enable stronger and more active cloud security.    

3) Cyber Insurance 

Investing in cyber insurance can improve your risk management outcomes and strengthen your security posture. Converge Insurance combines cyber insurance expertise, risk management, security, and technology to provide comprehensive cyber insurance coverage. 

4) Incident Response 

Even the strongest security posture isn’t immune from vulnerabilities and weaknesses. Ensure you’re prepared for any incidents that slip past your defenses. Surefire Cyber empowers companies to reduce response times and costs with a comprehensive incident response plan and team.