All organizations must manage information security carefully to survive in an era of complex threats and recurring large security breaches affecting organizations of every type, for instance T-Mobile, the Swedish Transport Agency, and LinkedIn. But how does your organization know when it is secure enough? And how much should it spend on security?
In an increasingly digitalized business world and with a sharp increase in cybersecurity spending across the board, ensuring confidentiality, integrity, and availability for your organization’s information and IT systems is, in many cases, becoming a major issue not only for CIOs and CISOs but for the entire C-suite. It is a complex challenge to strike the correct balance between, on the one hand, security and, on the other, sound investments and resource allocation.
Investments and initiatives in cybersecurity and information security should be proactive, so that the organization can remain responsive and optimize its security spending. By introducing different types of security measures, we reduce our exposure and avoid disruptions, including severe incidents and attacks with tangible financial impact. Such measures include security audits, vulnerability assessments, employee training, regular software patching, and so on.
While these investments are crucial for minimizing risk, they all have a cost associated with them. With the inherent proactive nature of these types of security investments, determining how much to invest is particularly difficult, as the benefits or Return on Investment (ROI) may be challenging to track and quantify with traditional monetary metrics, as you would, for example, for advertisement spend.
This article explores the dilemma of security investment, highlighting the need for a shift to a risk-based mindset on all levels and outcome-based performance metrics on proactive security measures to enable prioritization of initiatives and proactive resource allocation.
Deciding how much to invest in security will often begin with a fundamental discussion of “How much should we spend?” or simply become the result of how much is left in the budget. However, how does an organization ensure this is the right or appropriate amount to invest? In security, there is always something more that could be done, one more measure that could be taken to avoid incidents or attacks.
No one can fully secure themselves from every threat, so to make a conscious decision, every organization that is not limited by regulatory constraints should instead focus on the question, “How secure can we be? What risks can we accept?” With this mindset, an organization will be equipped with a straightforward way to communicate and discuss what an initiative implies for the risk level accepted and, additionally, what cost is associated with reaching a certain level of protection.
Outcome-based performance metrics on proactive security measures
While a risk-based mindset is important and a prerequisite, it is not enough to make informed decisions. Organizations need hard metrics that can be assessed and compared, and the size of an investment is not an indicator of IT protection. The challenge lies in the fact that not all investments of the same size result in the same levels of protection. This discrepancy stems from factors such as the effectiveness of the chosen security solutions, the organization’s unique threat landscape, and its overall security level.
To bridge this gap, organizations should use outcome-based performance metrics for evaluating security investments and measures. Instead of using the size of investments as an indicator of security, organizations should use metrics that focus on measurable protection level outcomes. These metrics provide a better overview of the actual impact of security initiatives and investments. By analyzing how these metrics change with each proposed investment or configuration, organizations can objectively discuss and determine acceptable levels of security and balance that with the associated cost.
Examples of performance metrics
Time to resolve
Definition: Time to resolve is the average duration it takes to resolve a cybersecurity incident or breach from when it is detected or reported.
Purpose: This metric evaluates the organization’s ability to not only respond quickly but also to effectively contain and eliminate the threat. A shorter time to resolve implies a more effective incident handling process.
Average patching frequency
Definition: How often an organization applies security patches and updates to its systems and software on average in terms of a time interval, such as days or weeks.
Purpose: The metric reflects the organization’s commitment to keeping its software and systems up-to-date with the latest security patches. A higher patching frequency indicates a proactive approach to addressing known vulnerabilities and reducing the attack surface.
For an organization to assess the result of an outcome-based metric and use this in a decision, it is necessary to adapt and analyze this in relation to the specific organization. To construct and adapt a metric, an organization can follow these steps:
1. Baseline Assessment
Clearly define metrics important to the organization and conduct a baseline assessment based on historical data. By gathering this data, it will serve as a benchmark against which the potential impact of the investment can be measured.
2. Estimating the Change
Construct an estimate of the potential positive effect that could be achieved if the investment, initiative, or configuration change were made. This could, for instance, include using a supplier’s other customers as benchmarks to assess what benefit could be achieved.
3. Evaluation and Informed Decision-Making
Evaluate the Return on Investment (ROI) of the proposed security investment by comparing the protection level it is projected to achieve against the organization’s risk appetite, expressed in the same hard metrics, and against the investment cost.
It is important to note that one investment in a security measure may have a potential positive impact on more than one security metric.
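The three steps above, worked through in code as an added illustration (this is not code from the article or its authors). The incident and patch records, the vendor-claimed reductions, the risk-appetite targets, the cost and the budget are all constructed sample values; the example also covers the point just made, since one proposal is evaluated against two metrics at once.

```python
"""Baseline -> estimated change -> evaluation for outcome-based security metrics.
Added worked example; all data below is constructed, not taken from the article."""
from datetime import datetime
from statistics import mean

# Step 1 input: constructed incident log as (detected, resolved) ISO-8601 timestamps.
INCIDENTS = [
    ("2024-01-03T08:15", "2024-01-03T20:45"),  # 12.5 h
    ("2024-01-10T14:00", "2024-01-12T02:00"),  # 36 h
    ("2024-02-02T09:30", "2024-02-02T15:30"),  # 6 h
    ("2024-02-20T22:00", "2024-02-22T10:00"),  # 36 h
]

# Step 1 input: constructed dates on which patch batches were rolled out.
PATCH_DATES = ["2024-01-05", "2024-01-19", "2024-02-02", "2024-02-16", "2024-03-01"]

# Step 2 input: assumed (hypothetical) vendor benchmark, as fractional reductions.
CLAIMED_REDUCTION = {"ttr_hours": 0.40, "patch_interval_days": 0.50}

# Step 3 input: assumed risk appetite as metric targets (lower is better for both).
TARGETS = {"ttr_hours": 16.0, "patch_interval_days": 7.0}
PROPOSAL_COST = 120_000   # constructed
AVAILABLE_BUDGET = 150_000  # constructed


def time_to_resolve_hours(incidents):
    """Average hours from detection to resolution (the 'time to resolve' metric)."""
    hours = [
        (datetime.fromisoformat(res) - datetime.fromisoformat(det)).total_seconds() / 3600
        for det, res in incidents
    ]
    return mean(hours)


def patch_interval_days(dates):
    """Average days between consecutive patch rollouts ('average patching frequency')."""
    ds = sorted(datetime.fromisoformat(d) for d in dates)
    return mean((later - earlier).days for earlier, later in zip(ds, ds[1:]))


def baseline_assessment():
    """Step 1: metrics computed from historical data form the benchmark."""
    return {
        "ttr_hours": time_to_resolve_hours(INCIDENTS),
        "patch_interval_days": patch_interval_days(PATCH_DATES),
    }


def estimate_change(baseline, reductions):
    """Step 2: apply the claimed fractional improvement to each baseline metric."""
    return {name: value * (1 - reductions.get(name, 0.0)) for name, value in baseline.items()}


def evaluate_proposal(baseline, projected, targets, cost, budget):
    """Step 3: compare projected metrics with the risk appetite and the cost with the budget.
    Every metric must reach its target and the cost must fit for a positive recommendation."""
    metrics = {}
    for name, target in targets.items():
        before, after = baseline[name], projected[name]
        metrics[name] = {
            "baseline": before,
            "projected": after,
            "improvement_pct": round((before - after) / before * 100, 1),
            "meets_target": after <= target,
        }
    within_budget = cost <= budget
    return {
        "metrics": metrics,
        "within_budget": within_budget,
        "recommend": within_budget and all(m["meets_target"] for m in metrics.values()),
    }


def run_example():
    base = baseline_assessment()
    projected = estimate_change(base, CLAIMED_REDUCTION)
    return evaluate_proposal(base, projected, TARGETS, PROPOSAL_COST, AVAILABLE_BUDGET)


if __name__ == "__main__":
    for name, m in run_example()["metrics"].items():
        print(f"{name}: {m['baseline']:.2f} -> {m['projected']:.2f} "
              f"({m['improvement_pct']}% better, target met: {m['meets_target']})")
    print("recommend:", run_example()["recommend"])
```

The vendor-claimed reduction is the weakest input here: step 2 is an estimate, so in practice the same evaluation should be rerun with a pessimistic reduction to see whether the recommendation survives.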
Example: Illustrating the Concept with Time to Respond (TTR)
A powerful example of an outcome-based security performance metric is the “Time to Respond” (TTR). TTR measures the speed at which an organization can detect and mitigate a cyber threat once it is identified. Organizations with shorter TTRs are better equipped to minimize the potential damage of a breach. By utilizing TTR as a metric, organizations can quantify the effectiveness of their incident response strategies and identify areas for improvement.
This concrete data allows for informed decision-making that goes beyond abstract risk assessments. The metric data can also be leveraged when considering an investment that could potentially reduce the TTR significantly but would imply a substantial cost. Comparing these aspects can give organizations a powerful tool to make informed and fact-based decisions.
Optimizing Budget for Maximum Protection
Consider a scenario where two different organizations allocate the same budget to cybersecurity. While this might seem like an equal investment, the actual protection level could differ significantly depending on how security resources and initiatives are configured. The outcome-based metrics discussed above give organizations a framework for optimizing the security budget according to their risk appetite and for supporting the prioritization of resources that is unavoidable. By identifying the most effective security measures for their unique threat landscape, organizations can maximize their protection levels within the same budget constraints.
All organizations and the roles responsible for cybersecurity should adopt a risk-based mindset when assessing investments; being secure enough requires a focus on outcomes. With a risk-based mindset in the process of deciding how much to invest in cybersecurity and information security, the organization is well-equipped for constructive discussion on a common basis. In addition, by using outcome-based metrics, the decision is further supported by facts that are comparable both internally and externally.
With this, management and those responsible for cybersecurity can make sound decisions on how much to invest, while also understanding what a decision not to invest means for the level of threat. In conclusion, this gives organizations assurance that their investments have a beneficial impact on the company’s level of protection.
Where are you on your path regarding strategies for information security and cybersecurity? We offer support on your specific journey, and we invite you to discuss this further with us.