I hate to answer the title question with a question, but why do we buy security tools? Sure, there are the obvious connections to improving our ability to protect the organization and to make our efforts more efficient. There are also needs driven by compliance, the desire to adopt a best practice, or even to mitigate an individual vulnerability. Despite this diversity, nearly all our reasoning is tied to reducing unnecessary risk exposure. Consequently, the method for monitoring and optimizing return-on-investment (ROI) for our most beloved security technologies should be centered on risk reduction, both the reduction already realized and the reduction still available. Yet we still frequently encounter a KPI-driven approach that uses incident volume and response trends to determine the "value" of a given technology. So, how can we continuously evaluate ROI, why is it important, and what enlightenment can security teams expect from consciously tracking it?

I’m a big-time sports fan and consistently wonder what the parallels between cyber performance and sports management are (said no one ever). If you break down the composition of a sports team, it’s positional players and even archetypes within positions. The team manager’s job is to find the most cost-efficient, high-performance, and cohesive combination of assets possible to win games. The makeup of a sports team reminds me of cyber portfolios, where security leaders are trying to land on an ideal combination of capabilities that reduces alert and incident volume? Wait, that doesn’t sound right. Therein lies not only the first breakdown in the comparison, but a fundamental misstep in how we evaluate cyber-ROI.

You can make an argument for a "win" being the prevention of a single incident, but given how volatile and dynamic the threat environment is, that seems like a fool's errand. Every week we hear about new flavors of familiar incident types, so it is more logical to focus on reducing the likelihood of a whole scenario category, and thus reducing organizational risk exposure. That is a win. To adopt this approach, we must look at the totality of the game, not performance within an individual function (only looking at pitching in baseball, for example), which requires a unified methodology for modeling and evaluating not just security tools but the security controls built into enterprise technologies as well. By mapping each component of your digital stack to a position and understanding its role in the game, we can begin to model its role in risk reduction throughout the scenario timeline. That role can vary in size and utility, which is an important element to consider when evaluating ROI. A point solution such as data loss prevention (DLP) has one stage at which to show value (data loss, surprise surprise), whereas a utility player such as endpoint detection and response (EDR) has several opportunities to show value across multiple stages. The true realization of risk reduction comes when you can simulate the counterfactual: what would this scenario's risk look like without this technology or this individual control? That requires the ability to sandbox the entire game and assess the dollars knocked off, or added back to, inherent risk with each simulation.

Why is it important, though? I'm not an economist, but I do have a Bloomberg subscription, and I don't think it's a stretch to say that the economic outlook right now is… debated? We're also seeing several sectors pivot from growth to profit mode, which is creating a headwind for cyber spend (mainly opex right now, but with increased scrutiny of capex). This is forcing more inquiry into what security teams have spent and what value they got in return. Putting that reality aside for a second, a value-driven approach to cybersecurity is also exactly what the industry needs. For far too long we have gone from incident to incident, threat to threat, vector to vector, and trend to trend, adding new capabilities and technologies along the way without pausing to ask the very simple question – what am I getting from these investments? Back to my earlier point that most investment rationale is intrinsically connected to risk reduction: each investment's top-line reduction in inherent risk is the primary value stat we should care about within the game. Think of it as cyber security's business-aligned version of wins above replacement (WAR). Forcing a value-centric approach not only makes us feel better about our investments, it also yields tighter alignment to core business functions and objectives and provides a method for moving cyber security beyond being just a cost center.

So, cyber-ROI is evaluable and important, but what tactical insight could a security team expect from it? The security space currently has no shortage of tools and vendors, which has produced a common but not unified security operating environment of 70-80 security technologies, with very little clarity on, or prioritization of, how effective each one is, not just in isolation but in the aggregate as well. On both sides of an investment, being armed with ROI and sandboxed performance data would yield enlightenment in two areas:

  1. What type of risk reduction should I expect from the introduction of a given technology? Being able to slice through differentiators and marketing fluff to understand the real value an investment would yield in the context of your environment.
  2. Where should I dedicate more resources? Capability underutilization is real, and hard to see without a way to understand how each control interacts with the broader risk environment. Sandboxing backed by configuration and policy data points also takes you from prioritization to optimization, which is an important indicator of program maturity.

Shifting to this proactive and thoughtful value-centric approach is what Pellonium Risk Intelligence is enabling security leaders and teams to do. To learn more, visit us at Pellonium.