What is the value of more education, or of more technology? These questions tend to occupy people's minds when they are about to invest time or money in one or the other. In security, both education and technology based solutions can save an organization a significant amount of money; the question is how to show it.

Defining ROI in security

The strength of an investment is normally measured by the certainty and the size of the return it will provide. The proposals with the greatest profit potential usually win, which is what makes cybersecurity proposals such a hard-won investment. When pitching for funds, almost every department will emphasize the urgency of its need, and most of them can also show a path to profitability.

A security investment, however, does not normally generate revenue; what it provides is savings when the inevitable cyber attack arrives. In the security discipline this is usually called loss prevention, while in business terms it is weighed as an opportunity cost: the value of one investment option measured against the alternatives that could have been funded instead.

Executives need to know how much of a negative effect poor security can have on the bottom line (net profit). Investment in cybersecurity is, in essence, an investment in risk mitigation; increased revenue should not be the expectation. What should be expected is the preservation of capital and assets. With that understanding, executives can weigh what is needed to fund cybersecurity efforts against the alternatives. While the C-suite is often referred to as a collective, on financial and information technology matters the decision is influenced most by the CFO, CEO, and CIO. The most effective comparison to present to them is the cost of insider incidents against the cost of proactive education and technology.

Cost of insider incidents

The Ponemon Institute released a report in late 2016 that provides some alarming numbers on the cost of insider threats. According to that report, the average cost of a single insider incident is $206,000, and over the course of a year the cost averages around $4.3 million. These numbers vary with the size of the organization; large enterprises pay the most, at $7.8 million a year. Since some of the indirect costs were based on estimates, the actual cost to an enterprise could be significantly higher.

The report also held a surprise about who contributes most to these incidents. Most people suspect either a malicious insider or a victim of credential theft. However, the most frequent perpetrator, 68% of the time, was the negligent insider. This finding about who causes insider incidents supports the case for investing in security training and preventative technology.

Costs of proactive measures (training & technology)

The same Ponemon Institute report also analyzed the cost of proactive measures for large enterprises. Large enterprises were spending roughly $4 million annually on cybersecurity awareness training programs. That may seem high, but it is still $300,000 less than the $4.3 million average annual cost of insider incidents cited above, and $3.8 million less than the $7.8 million annual cost for large enterprises. Given that insider threat is driven mainly by negligence, cybersecurity awareness training offers an excellent payback in savings for an organization.

Technology solutions offer an even greater payback than awareness training alone. When it comes to deterring insider threats, technology can address not only negligent insiders but also criminal insiders with malicious intent, whom training will not stop. According to the report, the technology category that provides the greatest savings is User Behavior Analytics (UBA), which cost the surveyed enterprises $3.2 million annually. Measured against the $4.3 million average annual cost of insider incidents, that is a saving of $1.1 million; for large enterprises, against $7.8 million, it is $4.6 million. Note that these savings figures compare the annual cost of the measure against the full annual cost of incidents, so they assume the measure heads off that cost entirely; if a program only reduces the frequency or severity of incidents, the payback scales down accordingly, and the comparison should be presented that way.

Make the case

Executives want what is best for their companies, and if the proposal is framed in terms they understand, they will invest in more cybersecurity. While high risk may equal high reward for some company investments, when it comes to security the company itself is what is being gambled. Remember that investment in security is about loss prevention, risk mitigation, and savings, not profitability. In finance there is a saying:

“a safe dollar is worth more than a risky one.”

Every dollar invested in cybersecurity is a safer dollar than one spent on a high risk, high reward project.