Security Advisory: Guidance to get Management Buy-in for your security initiatives and Return on Security Investments (ROSI)
In the last six posts of our new series, "Secure Your Start-ups" (follow the hashtag #sumerusecureyourstartup), I have walked you through various elements of securing your start-up.
This article will help you understand the value of security advisory and how you can tread the path with the right security strategy.
Let's start.
Security Advisory Market
You may be surprised to learn that the security advisory services market has been growing at an accelerating rate. Every organization (start-ups included) is now thinking of including security advisory in its security strategy.
According to Verified Market Research, the global security advisory services market is expected to grow at an 18.95% CAGR, with the market value expected to increase by $24.06 billion by 2027.
The pandemic has forced the world to think about security even more. Security advisory can no longer be an afterthought (it never should have been); it should be a proactive element of your overall business strategy, especially in the early stages of a start-up.
[In the first article of our 'Secure Your Start-up' series, we talk in length about Sumeru's approach to implementation of a security strategy on a minimum budget. You can read it here]
According to MarketsandMarkets.com, Sumeru is one of the top players in security advisory services in India, and our mission is to help you fight the long battle against cybercrime.
Let's talk in detail about one of the significant elements of security advisory, security budgets and ROSI, in this first part of the two-part security advisory series for start-ups.
Advisory on getting management buy-in for Budget
Now let's talk about the security budget.
As per the Data Security Council of India (DSCI), the cybersecurity services industry in India is expected to reach $7.6 billion in 2022, up from $4.3 billion in 2020. If you look closely, that is a whopping $3.3 billion of growth in just two years.
When every organization is increasing its security budget, keeping pace as a start-up can be daunting. But prevention is always better than cure: why incur a 100x cost later when you can manage the risk now with a meagre percentage of that expenditure?
The cost seems high until you look at the possible losses a data breach can cause if you are not proactive enough.
According to the IBM Cost of a Data Breach Report, the average total cost of a data breach rose from $3.86 million in 2020 to $4.24 million in 2021.
A proactive security budget can't be an afterthought.
And you're not alone in deciding this strategic move.
Sumeru works with your team to identify an appropriate budget that will get you a management buy-in. Here's how it works -
Once the right priorities for the security budget are set with the board and management, Sumeru's team will walk you through the mitigation effectiveness for your high-business-risk assets.
Here are a few templates that you can use to create and present a security budget to management (please note that the following templates are just samples to help you understand the approach, not exhaustive propositions) -
Return on Security Investments (ROSI)
Return on Investment (ROI) applies to any business of any scale, and security investment is no different. But security is harder to measure, because it is not an investment that generates profit; it works by preventing loss.
Management always wants to know the impact security has on the bottom line: how much to invest, and which metrics to use to track the ROSI, so that the overall financial impact can be weighed against the potential cost of a breach.
The calculation of Return on Security Investments (ROSI) differs from the traditional ROI calculation. The idea is to quantify how much the risk from threats to your assets is reduced, and how much loss was prevented by the security investment.
Sumeru recommends the following metrics to measure ROSI (as articulated by ENISA, the European Union Agency for Cybersecurity):
For arriving at a monetary value of risk, a quantitative assessment needs to be carried out based on the following parameters:
Single Loss Expectancy (SLE)
SLE is the money expected to be lost due to a risk and is typically considered the total cost of an incident occurring once. It should cover all affected assets and include both direct losses (downtime, data loss, etc.) and indirect losses (forensic investigation, brand and reputation damage, etc.).
Annual Rate of Occurrence (ARO)
ARO measures the likelihood of a security incident happening in a year and can be estimated from historical records.
Annual Loss Expectancy (ALE)
ALE is simply the annual monetary loss from a specific risk and is calculated as
ALE = SLE * ARO
The mitigation ratio is the percentage of the risk prevented by the security solution; it is an approximate figure.
Finally, to arrive at the ROSI,
For example, suppose you are looking at performing a source code review for your business-critical application. About five vulnerabilities are introduced on average every year.
Each vulnerability, when exploited, can result in data loss and business downtime costing about INR 5,00,000/-, so the ALE comes to INR 25,00,000/- (5 * 5,00,000).
If the source code review is expected to prevent 80% of the vulnerabilities and costs about INR 2,50,000/- for the tool and the activity, then
ROSI = [{(0.8 * 25,00,000) - 2,50,000} / 2,50,000] * 100% = 700%
By this calculation, source code review is a cost-effective solution.
We can see that the ROSI calculation rests on three variables: the ALE, the mitigation ratio and the cost of the solution.
While the cost of the solution is the easiest of the three to predict (provided all indirect costs are included), the other two are estimates, which makes the ROSI itself an approximation.
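The ROSI model above, as an added worked example in Python (this is not code from the article or from Sumeru; the function and variable names are my own). It implements the general formula that the source code review figures instantiate, ROSI = (mitigation ratio * ALE - cost of solution) / cost of solution * 100%, reproduces the 700% result, and then, because the ALE and mitigation ratio are estimates, adds two checks a practitioner would want before presenting the number to management: the break-even mitigation ratio at which the control just pays for itself, and a small sensitivity table showing how the ROSI moves when the ARO and mitigation ratio are off.

```python
"""ROSI (Return on Security Investment) calculator following the ENISA-style
model described in the article: ALE = SLE * ARO and
ROSI = (mitigation_ratio * ALE - solution_cost) / solution_cost * 100%.
Added example; function and variable names are my own, not the article's."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    """A candidate security control, described with the article's four inputs."""
    name: str
    sle: float               # Single Loss Expectancy: cost of one incident (INR)
    aro: float               # Annual Rate of Occurrence: incidents per year
    mitigation_ratio: float  # fraction of the risk the control prevents, 0..1
    solution_cost: float     # annual cost of the control (INR)


def annual_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE * ARO: expected yearly loss from the risk with no control in place."""
    if sle < 0 or aro < 0:
        raise ValueError("SLE and ARO must be non-negative")
    return sle * aro


def rosi_percent(ale: float, mitigation_ratio: float, solution_cost: float) -> float:
    """ROSI as a percentage of the solution cost.

    Prevented loss is mitigation_ratio * ALE; the return is what is prevented
    beyond what the control itself costs, relative to that cost."""
    if solution_cost <= 0:
        raise ValueError("solution cost must be positive")
    if not 0.0 <= mitigation_ratio <= 1.0:
        raise ValueError("mitigation ratio must be between 0 and 1")
    prevented_loss = mitigation_ratio * ale
    return (prevented_loss - solution_cost) / solution_cost * 100.0


def control_rosi(control: Control) -> float:
    """Convenience wrapper: ROSI for a Control from its four inputs."""
    ale = annual_loss_expectancy(control.sle, control.aro)
    return rosi_percent(ale, control.mitigation_ratio, control.solution_cost)


def break_even_mitigation_ratio(ale: float, solution_cost: float) -> float:
    """Mitigation ratio at which ROSI is exactly 0%.

    Below this ratio the control costs more than the loss it prevents. A value
    above 1.0 means no achievable ratio pays the control back at this ALE."""
    if ale <= 0:
        raise ValueError("ALE must be positive")
    return solution_cost / ale


def sensitivity_table(sle, solution_cost, aro_values, ratio_values):
    """ROSI for every (ARO, mitigation ratio) pair.

    Because ARO and the mitigation ratio are estimates, this shows how far
    they can be off before the control stops paying for itself."""
    table = {}
    for aro in aro_values:
        ale = annual_loss_expectancy(sle, aro)
        for ratio in ratio_values:
            table[(aro, ratio)] = rosi_percent(ale, ratio, solution_cost)
    return table


# The article's source code review scenario (figures taken from the text).
SOURCE_CODE_REVIEW = Control(
    name="source code review",
    sle=500_000,           # INR 5,00,000 per exploited vulnerability
    aro=5,                 # about five new vulnerabilities per year
    mitigation_ratio=0.8,  # review expected to prevent 80% of them
    solution_cost=250_000, # INR 2,50,000 for tool and activity
)


if __name__ == "__main__":
    ctrl = SOURCE_CODE_REVIEW
    ale = annual_loss_expectancy(ctrl.sle, ctrl.aro)
    print(f"ALE: INR {ale:,.0f}")
    print(f"ROSI for {ctrl.name}: {control_rosi(ctrl):.0f}%")
    ratio = break_even_mitigation_ratio(ale, ctrl.solution_cost)
    print(f"Break-even mitigation ratio: {ratio:.0%}")
    print("Sensitivity (ARO, ratio) -> ROSI:")
    table = sensitivity_table(ctrl.sle, ctrl.solution_cost,
                              aro_values=(1, 3, 5), ratio_values=(0.3, 0.5, 0.8))
    for key, value in table.items():
        print(f"  {key}: {value:.0f}%")
```

With the article's figures the break-even mitigation ratio is 10%, so the review remains worthwhile even if it catches far fewer than the assumed 80% of vulnerabilities; the sensitivity table shows that it is the ARO estimate that matters more, because at one vulnerability a year a 50% ratio only breaks even and a 30% ratio gives a negative ROSI.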
It is essential to understand that this is a continuous process: it needs to be carried out on an ongoing basis to improve your security strategy and to help implement the Smart Security Plan (SSP) for your start-up.
To Sum Up
Sumeru's security advisory works with start-ups and CISOs and helps -
In part II of the security advisory series under 'Secure Your Start-Ups', I will discuss outsourced (vCISO) vs. in-house CISO advisory in detail. Stay tuned!
Written by:
Chidhanandham Arunachalam, Chief Program Officer at Sumeru Solutions. A passionate entrepreneurial leader & unshakable optimist dedicated to helping companies achieve remarkable results with great technology solutions.
This article is the seventh of our series on 'Secure Your Start-ups'. To get updated about the remaining articles of the series, please follow #sumerusecureyourstartup