It’s hard to measure the ROI of preventative measures.
When business leaders make decisions, they tend to think in terms of ROI. How will a given strategy, new hire, acquisition, or asset help to drive up profits over the short, medium, or long term? If there’s no clear pathway to new profits, then the money should probably be spent elsewhere.
That’s a great approach if you’re investing in a new marketing campaign or better distribution infrastructure. But when it comes to cybersecurity, things aren’t quite so clear cut. After all, cybersecurity costs are vividly apparent: the CISO and their team, the technology they insist on investing in, and even the potential productivity losses as workers across the organization sit through training webinars or wrestle with new verification and authentication protocols.
Viewed from a profit-seeking perspective, such costs are problematic. After all, your organization’s cybersecurity apparatus isn’t likely to drive up sales or enable you to charge customers more for any given product. For many business leaders, it’s hard to see what positive impact infosec investments bring — and thus hard to justify sustaining, let alone increasing, security spending.
The key is to view cybersecurity investments as akin to smoke detectors and household insurance policies. If you’re lucky, your house will never catch alight, and you’ll never see any return on these investments. But if the worst happens and someone drops a match, you’ll be better off having invested in the things you need to reduce the risk of a catastrophic blaze, and limit your exposure to major damage.
The reality, after all, is that the ROI on cybersecurity investments lies in what doesn’t happen, and in the costs you don’t incur. If you’re making smart investments in infosec, then you’re much less likely to fall victim to data breaches, ransomware attacks, and other potentially catastrophic cyberattacks and security failures.
If you do get hit by an attack, meanwhile, you’re much more likely to have already segmented your most sensitive data behind additional layers of security, so that even if attackers penetrate your network, they are far less able to inflict significant damage on your operations, your brand, or your customers.
Of course, the costs of cybersecurity are complicated by the fact that CISOs aren’t involved in making every decision at every level of the organization. Often, individual departments or business units will make their own spending plans — say, on a new bit of accounting software — and will then be understandably disgruntled when they learn there are additional costs associated with securing their new tools and ensuring that they don’t create vulnerabilities for the organization.
From time to time, such conflicts are unavoidable. But it helps if both CISOs and other business leaders come to the table with a clear understanding of the real nature of cybersecurity investments. The right question to ask isn’t “How much will this cost?” or “What will the ROI on this investment be?” — it’s “What’s the worst that could happen if we don’t make this investment?”
The cost of cyberattacks is spiraling upwards, so business leaders need to ensure they understand the value of being protected against catastrophic data losses or multimillion-dollar ransomware attacks. That might not be easy to express in terms of ROI, but it’s a vital insight for today’s enterprises.