Calculating the ROI of security investments

Despite recent momentum, cyber security’s rise to the top of the corporate priority list is far from complete.

Certainly many CISOs report directly to the CEO, and are being asked to discuss risk and compliance with their company’s board. Yet over half of security teams say they are underfunded, preventing them from making crucial investments in risk reduction. Fairly or not, many organizations ultimately view their security team as a cost center — a perception that can put security investments on the chopping block when budgets tighten or financial forecasts grow shaky.

To shift this perception, security leaders need to spend significant time building relationships with their peers and aligning the security strategy to broader company priorities. During such a process, it can be helpful to discuss the return-on-investment (ROI) of prior security investments. Such measurements can help fellow leaders understand how much value the security team has already delivered — and potentially convince them to support similar investments going forward.

Aligning ROI measurements to business priorities

Before deciding what kinds of ROI to measure and digging into the data, security leaders should first decide what kind of story they are trying to tell. Any number or metric — no matter how impressive — can feel random if it doesn’t align to a broader business priority.

Here are three common digital priorities and the varieties of ROI measurements which can help support them:

Read on to see specific methods for performing each of these types of measurements.

ROI measurement 1: Revenue saved from reducing web application outages

Many metrics and scores exist to quantify risk, and reductions in it. These scores can of course be helpful for security teams, but they may feel too abstract for other people in an organization to grasp.

Instead, when talking about the impact of security enhancements, try to tie them to a number the whole business cares about. In a web application security context, one such number is the revenue generated by said web application. Measuring how your security improvement protects revenue is far more concrete than an isolated risk score.

In order to perform such a measurement, you’ll need the following data:

1. The amount of attack-related downtime your website experienced before and after the investment in question. Ideally measured in hours over the course of a year, since a shorter time window may overlook high sales periods. Chances are, it will make sense to get different versions of this figure for different types of attacks (e.g. DDoS, malicious bots).
2. The hourly/daily cost of downtime on your website. For B2C companies, your ecommerce team should be able to tell you how much revenue your website generates per hour. For B2B companies, your marketing team may be able to tell you how many leads or form-fills your website generates per hour/day, and the average value of a lead. Either way, a broad monthly/yearly average is a good starting point — though you may wish to take the average from specific periods (e.g. holiday shopping) if that’s when your attacks tend to occur.

With these numbers, you’ll get a strong estimated measurement of how much revenue you have protected by blocking more of a certain type of attack. You can use this measurement to build buy-in for an expansion of the original project, or simply to demonstrate that related projects will have a meaningful impact.

ROI measurement 2: Reduced web application breach risk

Some security investments don’t directly influence revenue — e.g., if they focus entirely on preventing hypothetical future breaches. In such cases, security leaders have a delicate balance to strike when measuring ROI. On one hand, proprietary risk metrics may be hard to grasp. On the other, average-cost-of-data-breach figures can be quite large, which may feel alarmist. And security leaders know they cannot simply promise to prevent all future breaches.

To take a more measured approach, security leaders can use the following figures:

• The likelihood of experiencing a breach in a given time period. Depending on the data available, it may make sense to use real company data or an industry benchmark.
• The average cost of a data breach. Again, industry benchmarks can help make this figure feel more accurate.
• Percentage of breaches which originate in the attack surface / vector in question.
• Percentage of risk reduction via the security investment. Use as widely accepted of metrics as possible. E.g. for web applications, it may help to determine how many of the OWASP Top 10 the security investment addresses or prevents.

These figures allow security leaders to create a more nuanced estimate of breach-related cost savings, and help fellow leaders grasp an ultimately uncertain idea in a more tangible way.

ROI measurement 3: Cost savings via team time saved

For investments with no direct impact on the organization’s risk profile, security leaders should still try to demonstrate impact on team productivity and efficiency. If your security team saves time (or stands to do so) by making a particular investment, the initial price tag may seem less worrisome to fellow leaders. In addition, more team time means more time to focus on more strategic work.

One way of calculating this requires the following figures:

• The average hourly cost of employing a security team member. Depending on the nature of the investment, you may wish to focus on specific team members affected by the investment, or extrapolate how it could affect the whole team.
• The amount of hours saved per week/month/year by your security investment. This may involve some estimation of the average amount of time it takes to perform relevant tasks, e.g. answering tickets, updating policies, or onboarding users. In addition, shorter time periods may be more useful for resource-planning purposes, while longer time periods may work better for overall cost-savings contexts.

In addition to the aforementioned benefits, multiplying the two figures will create a measurement that can make time savings tangible for leaders who may not appreciate how valuable security practitioners are.

The right security platform drives higher ROI

You can’t measure the benefit of a security service if the benefit never happens in the first place. And unfortunately, many security platforms have structural flaws that reduce the efficiency and visibility they provide for reasons like:

• Needing manual integration and/or extra unifying services in order for everything to work together
• Multiple UIs for different collections of services
• Various services living on different infrastructure, resulting in performance and availability issues

Cloudflare’s connectivity cloud — a unified platform of cloud-native security and connectivity services — is different. It was built from the ground up with efficiency, visibility, and control in mind, through:

• Composable, programmable architecture: With every service able to run on every server in the network, and customizable via easy serverless functions.
• Global, ubiquitous reach: Spanning over 330 global cities and interconnecting with over 12,500 other networks.
• Cross-functional threat intelligence powering every service: Gleaned from serving ~20% of all web traffic.
• A unified, simplified interface: Where users can manage every security service through a single pane of glass.

A recent Forrester study found that a composite organization representative of interviewed customers protected nearly a million dollars in revenue, reduced web application breach risk by 25%, and delivered 238% ROI over three years.

This article is part of a series on the latest trends and topics impacting today’s technology decision-makers.

Dive deeper into this topic.

Learn about the ROI of Cloudflare’s connectivity cloud — including specific measurements like these — in the Forrester Total Economic Impact of Cloudflare’s connectivity cloud report.