How to achieve ROI on your cybersecurity during a recession

In the midst of one of the 21st century's most challenging economic climates, business leaders are under immense pressure to cut costs without disrupting business continuity and performance.

While cybersecurity budgets were traditionally watertight, the economic recession means even security is not immune from spending scrutiny. It is a known fact that cybercrime rises in times of economic uncertainty. So, with the increasing cyber threat and tighter budgets, how can organizations justify and achieve maximum return on investment (ROI) on their cyber spend?

Getting the most out of your investments

Most security investments are driven by a risk that needs mitigating. So, the first step is to understand your security objectives. What are you trying to achieve from your cybersecurity investment and what use case are you trying to solve?

The biggest mistake organisations make is not having a concrete plan for their desired outcomes before they invest in new technology. Don’t just assume that you will be better protected by buying new security technology.

Next, make sure you assess and test your current security posture. Any new security tool should improve existing controls or uplift your security posture, but you can only measure the impact of any investment if you know your current risks.

Quantifying cyber risk can also help justify any investments to the board. For example, what is the financial risk, and what will it cost to implement the technology versus the cost of not doing so? To help, consider establishing a Cyber Risk Score (CRS) that quantifies each potential threat using an established framework like NIST.

Raghu Nandakumara

Raghu Nandakumara is Head of Industry Solutions at Illumio, with extensive experience in network security operations and engineering roles. He is responsible for helping customers and prospects through their segmentation journeys.

Think about the bigger picture

Once you have a clear idea of your objectives and risk posture, other factors to consider before making a purchase include:

• Is there a materially cheaper alternative to the technology you plan on investing in?

• Will investing in the new capability make your environment more straightforward or more complex? 

• Will the solution address multiple challenges?

Introducing more complexity will likely mean a more difficult implementation and more time spent managing your IT infrastructure, which in turn could lead to an increase in operational overheads. At the same time, solutions that can address multiple challenges, have a proven track record of delivering results, and can support future security transformation can deliver much broader business benefits.

Also, consider how the technology will complement and integrate with existing solutions to help drive additional and cost-effective improvements. For example, breach containment technology like Zero Trust Segmentation has been proven to work well with Endpoint Detection & Response technology to boost resilience against ransomware attacks – tests from Bishop Fox show they can work together to stop ransomware four times faster.

How soon should you expect to see a return on your investment?

Before investing in new security capabilities, ensure that you establish a reasonable timeframe for when you expect to see ROI. You should not expect immediate returns, but many businesses invest in new tech that quickly becomes shelfware because there’s no set timeframe to review its performance.

Every security implementation is different, but six months is usually a reasonable amount of time to expect to see ROI, providing enough time for the technology to embed within the organisation and deliver benefits. Trusted vendors may also have a Total Economic Impact Study that you can use to better understand anticipated benefits.

It’s also important that the vendor understands your goals, both short-term and long-term, and provides a clear view of how they will help you achieve and measure your desired outcomes. Good questions to ask are:

  • What results can I expect to see in 6 months? 
  • Do you have evidence to support your claims? 
  • How would we work together to achieve the outcome I want to achieve in the timeframe I have outlined? 
  • How will you help us measure impact?

Finally, don’t forget to get business buy-in. If you implement new technology without engagement from the broader business and a strong mandate from senior leadership down to support it, you are likely to face implementation challenges and could struggle to achieve anticipated ROI.

Look beyond financial advantages

With the economy not yet stabilizing, it is crucial to determine which security investments will provide the best bang for your buck. However, security ROI extends beyond merely financial advantages.

If your objective is simply to replace like-for-like technology, then ROI should be judged purely on cost-benefits. However, if you are introducing a new capability or security improvement, ROI measures should be linked to how the technology is contributing to achieving the desired security outcome.

Cyber resilience is - and always will be - a top business priority. But the economic downturn has led to closer scrutiny of the value delivered by cybersecurity investments both now and in the future. Today, every pound spent needs to contribute measurably towards resilience and any investment must have an assured ability to uplift an organisation’s security posture. Ultimately, it’s not about having the most security tools, but the right and most effective ones that can reduce risk, build resilience, and support transformation.

Raghu Nandakumara, Head of Industry Solutions, Illumio.
