
Calculating the Benefit of Security Investments for Visitor Management: Insights from a Lean Six Sigma Black Belt


Security might be the single business area where calculating the return on investment is the toughest. Not because it’s impossible but because the data points related to the result of a good security investment are usually the same data points as those related to an unnecessary investment. 

For instance, if you run a store where you have a security guard standing out front and you have no thefts over the course of a month, does that mean the security guard is working or that you don’t need a security guard?

In a recent ASIS webinar, Lean Six Sigma Black Belt and General Manager of Sign In Solutions North America, John Dillard, talked about how security professionals can calculate and communicate the benefits of a solution or project to other parts of the organization.

Why is it harder to calculate return on investment for security professionals?

Especially in times of financial unrest, every part of a business is asked to describe how its expenses affect the business, and security is no different. The problem for security professionals is that the calculations needed to show, quickly and properly, how a change adds a benefit become very complicated.

ROI = (gain from investment - cost of investment) / cost of investment

This calculation is used by almost everyone from sales and marketing to finance when they calculate how an action benefits the company. And this calculation is easy when it comes to positive results like that of a sales investment. For instance, if the investment is hiring a new salesperson, the calculation would look like this:

ROI = (sales revenue generated by the new salesperson - cost of hiring and retaining that salesperson) / cost of hiring and retaining that salesperson

The number of sales is a positive result that’s easy to track, but as security professionals, we often deal with negative results or, to put it differently, the lack of results.

If we take the same approach to a security guard, the calculation quickly becomes a lot more abstract. Because we have to ask ourselves, what is the gain from the investment? Is it the number of items not stolen from our store? Or is it the number of days we’ve gone without a violent incident in the workplace?

Because security-related issues are hard to detect, we don’t always know what’s being prevented, and that makes proving the ROI of our investments a lot harder.

But that doesn’t change the fact that we still need to make the same calculations, and we still need to prove the benefits of our investments.

So, how do we do that?

To calculate ROI or to calculate ROSI

One of the ways security professionals can prove the benefit of their actions and investments is the ROSI calculation (Return on Security Investment). It works much like the ROI calculation, but instead of focusing on the direct or indirect financial gains of an investment, it focuses on the reduction in monetary loss.

The ROSI calculation looks like this:

ROSI = (Monetary loss reduction - cost of investment) / cost of investment

And while this is a step in the right direction, we will still often face the problem of having to calculate something we don’t have data points for. You might have the data points you need if we’re talking about theft, but the case is different when it comes to violent episodes in the workplace or data breaches.

In those cases, you need to forecast the SLE (single loss expectancy), ARO (annual rate of occurrence), and ALE (annual loss expectancy) to make up for the missing data points.

For instance, if we’re talking about investing in a compliance system, you would need to find out how much a single failure to comply with a regulation would cost your organization (SLE), how often such a fine can be expected in a year (ARO), and what that adds up to over a year (ALE, which is the SLE multiplied by the ARO).

Using financial analysis to create a business case for better security

Another challenge we face as security professionals is that most of us aren’t trained in the vocabulary used by other parts of the business when arguing the need for security investment, and on top of that, businesses tend to make decisions based on short-term thinking, whereas security operations tend to be a long term project.

What this means is that we, as security professionals, need to better communicate the security benefits of our projects and investments in a way that the rest of the organization understands. And that’s where John Dillard’s benefit calculation framework comes in.

The framework is split into four sections, each handling a different type of benefit that ties into the way a different department thinks about benefits.

  • Direct benefit: cash benefit
  • Indirect benefit: optimized operational procedures
  • Risk reduction: lowers the chance of a risk
  • Revenue generation: how the investment affects sales and marketing

Direct benefit

Direct benefits are usually very easy to find, explain, and calculate. However, they’re often also the least important and the least useful for security professionals.

Usual examples of direct benefits for security are replacing an old system with a cheaper one, replacing check-in staff with sign-in kiosks, installing security cameras instead of having security guards physically walk the halls, and so on.


Indirect benefits

Indirect benefits usually don’t show up as cash; they result from a new system or process letting employees do more valuable things.

For instance, in the direct-benefit example where adding sign-in kiosks would reduce the number of staff, the same scenario could be positioned as an indirect benefit if you repurposed those staff for more important tasks instead of reducing headcount. In this case, you won’t be reducing your budget, but you will increase the productivity you get from the budget you already spend.

Usual examples of indirect benefits for security are reducing errors in a process, which saves staff labor hours, or freeing staff for more important tasks by automating simpler, time-consuming ones.

Enterprise-level organizations can derive immense value from this, with benefits that go beyond security alone, and indirect benefits are a compelling argument for operations leaders.

At the same time, because indirect benefits aren’t tied directly to cash, they’re often not the best way to persuade accounting leadership.

Risk reduction

Focusing on risk reduction is all about probabilities, which means it works very well for low-probability events where you usually wouldn’t have many data points to use in your calculations.

The usual examples include reducing the probability of theft, reducing the likelihood of compliance violations, and reducing the financial cost of a system breach when buying cyber insurance.

Focusing on risk reduction is very compelling to finance and risk professionals because it quantifies narratives that are otherwise fear-driven: it focuses on the monetary cost of, say, a system breach rather than on the technical or personal issues around the breach.

This also means it requires a lot of estimation and external data, and the result will often feel “unreal” to employees who are untrained in risk analysis.

Revenue generation

Revenue generation as a way to argue security initiatives will be very dependent on your organization’s area of business, but that doesn’t mean it should be discounted when it comes to calculating the benefits of security investments.

It’s also one of the most difficult parts for us as security professionals because we’re rarely in the same room as the sales team. With that said, getting sales and marketing on board with a certification, for instance, is one of the best ways to secure a budget for something.

Examples of addressing revenue generation when describing the benefits of security investments are using security certifications (SOC 2, for instance) in sales proposals, using security standards to market your product or service, or even meeting the minimum standards required to participate in certain supply chains.

This approach is often very compelling to sales and marketing and, at the same time, is easy to measure, especially with digital solutions that let marketing or sales filter closed deals where a certain thing was mentioned.

However, this approach works best for products and services whose customers prioritize security, as it is very market-specific, and even then security measures are rarely the core justification for spending.

Calculating the ROI of your security investments

Once you understand the different types of benefit that investing in security can bring, coming up with a calculation that sums up all the benefits is a lot easier.

The process you follow to get to that number should look like this:

  • Calculate cost
  • Identify obvious direct benefits
  • Analyze processes and people to determine indirect benefits
  • Assess the probability and cost of incidents to determine risk reduction
  • Assess capacity, win chance, and average price to determine revenue increase

Afterward, you sum the numbers from the four benefits and use the total in the ROI calculation we discussed at the beginning of this article: ROI = (Total of benefits - cost) / cost.
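As an added worked example (not from the webinar or the original article), the following Python script carries the five steps above through to a number and also shows the SLE/ARO/ALE forecasting from the ROSI section in code. Every figure in it is constructed for illustration. Two things are assumptions rather than anything the article states: each risk carries a "mitigation" share (the fraction of its annual loss expectancy the investment is assumed to remove), and the revenue increase in step five is modelled as proposal capacity multiplied by the uplift in win chance multiplied by the average deal price.

```python
"""Added worked example (not from the original article): the article's five-step
process turned into numbers, then fed into ROI = (total of benefits - cost) / cost.
All figures below are constructed for illustration."""
from dataclasses import dataclass


@dataclass
class Risk:
    """One incident type, described the way the article forecasts it."""
    name: str
    sle: float         # single loss expectancy: cost of one incident
    aro: float         # annual rate of occurrence: expected incidents per year
    mitigation: float  # ASSUMPTION: share of the annual loss the investment removes (0..1)

    def ale(self) -> float:
        """Annual loss expectancy before the investment: ALE = SLE x ARO."""
        return self.sle * self.aro

    def reduction(self) -> float:
        """Expected annual loss avoided; the 'monetary loss reduction' in the ROSI formula."""
        return self.ale() * self.mitigation


def rosi(loss_reduction: float, cost: float) -> float:
    """Return on security investment, as given in the article."""
    return (loss_reduction - cost) / cost


def roi(total_benefits: float, cost: float) -> float:
    """Plain ROI, as given in the article."""
    return (total_benefits - cost) / cost


def indirect_benefit(hours_freed: float, loaded_hourly_rate: float) -> float:
    """Step 3: staff time freed by automation, valued at what that time costs."""
    return hours_freed * loaded_hourly_rate


def revenue_increase(capacity: int, win_chance_before: float,
                     win_chance_after: float, average_price: float) -> float:
    """Step 5. ASSUMED model: extra deals won = proposals x uplift in win chance."""
    return capacity * (win_chance_after - win_chance_before) * average_price


def business_case(cost: float, direct: float, indirect: float,
                  risks: list, revenue: float) -> dict:
    """Steps 1-5 summed, then ROI; ROSI on the risk-reduction line alone for comparison."""
    risk_total = sum(r.reduction() for r in risks)
    total = direct + indirect + risk_total + revenue
    return {
        "direct": direct,
        "indirect": indirect,
        "risk_reduction": risk_total,
        "revenue": revenue,
        "total_benefits": total,
        "roi": roi(total, cost),
        "rosi_risk_only": rosi(risk_total, cost),
    }


def visitor_management_case() -> dict:
    """Constructed scenario: a visitor-management system costing 40,000 per year."""
    cost = 40_000.0                                                  # step 1
    direct = 25_000.0   # step 2: legacy badge-printing contract retired (constructed)
    indirect = indirect_benefit(hours_freed=1_200, loaded_hourly_rate=35.0)  # step 3
    risks = [                                                        # step 4
        Risk("unauthorized visitor in a restricted area", sle=50_000, aro=0.2, mitigation=0.5),
        Risk("visitor-log compliance fine", sle=100_000, aro=0.1, mitigation=0.8),
    ]
    revenue = revenue_increase(capacity=50, win_chance_before=0.30,
                               win_chance_after=0.32, average_price=20_000)  # step 5
    return business_case(cost, direct, indirect, risks, revenue)


if __name__ == "__main__":
    for key, value in visitor_management_case().items():
        print(f"{key:>16}: {value:,.2f}")
```

With these numbers the risk-reduction line alone gives a negative ROSI (13,000 in avoided loss against a 40,000 cost), while the four categories together sum to 100,000 and give an ROI of 1.5. That is the article's point in miniature: a visitor-management investment argued only on loss avoidance can look unjustifiable, and the same investment argued across all four benefit types can look obvious.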

We know that while this might sound simple enough, it usually ends up being more convoluted than we, as security professionals, would like. So, to help you get started, we’ve made a template for you to download
