Cost-Benefit Analysis and ROI


Course time: 8 hours 25 minutes
Difficulty: Advanced
CEU/CPE: 9
Video Transcription
Let's take a look at cost-benefit and return on investment. Now, these are certainly phrases that you want to look for on the exam and in life. We always want benefits that outweigh the cost. When we talk about a cost-benefit analysis, this is the heart and soul of risk management. Because what we're trying to do is to gather enough information and to analyze it, and then put a control in place that has greater benefits than costs. It's that simple. You can sum up cybersecurity just by that concept.

Now, of course, it's a little bit more difficult when you're evaluating a control, you're having to determine the value of assets. There are a lot of moving pieces here, but when push comes to shove, it's all about the cost-benefit analysis. I want to implement a control that saves me money, time, effort; compromise saves me many hours. Whatever it is, how I weigh benefits is up to me.

Remember though, when we're talking about cost, there are a million costs associated with security. Performance is a big one, and it very frequently is a cost associated with most security controls. We're going to take a hit with performance. Security slows things down. Well, how much is okay to slow things down? Ask the owner. Remember, we talked about the risk owner and the data owner, usually the same entities, the risk owner and the data owner. They're the ones who make the determination of how much security is enough. Remember, decisions go to the owner. We are risk practitioners, we're consultants, we advise; owners are the ones that make the decisions.

When we're talking about costs, we think about performance, we think about ease of use. Users don't like change, especially when security makes things harder for them. If I have to go through three steps instead of two, as a user, I'm complaining. Now, that doesn't mean all our decisions are made to keep users from complaining and to give them the easiest environment in which they can work, but what it does mean is that it's a consideration and that's a definite cost. Just like user acceptance: there are certain security controls that we've put in place that users may not want to submit to. Certain types of biometrics, for instance, for authentication. Most people are not going to mind using a thumbprint for a biometric scan to access a building, but if you require maybe a retina scan, users may not be willing to submit because a retina scan can divulge information about a user's health care, whether they're diabetic or whether they're pregnant or have high blood pressure or other issues. Just to get into a secured room, I may not want to do that. Those are some of the costs.

The benefits, remember, the benefits don't come with profit, but they come with reduction of loss, and that's value. As cybersecurity professionals, we have to sell that value. We have to help owners understand, maybe there is some cost, maybe performance goes down a little bit, but here's what we can save you. We can save you in liability, we can save you in customer confidence, we can keep you from being out in the media with one of those embarrassing press conferences, we can increase transparency so we have greater trust with our stakeholders, employees can consider their environment a safe one in which to work, same with customers. There are a ton of benefits with security.

I'm guessing I don't have to sell cybersecurity to most of you. I'm guessing that you're in this field, you understand the need for it. But you would be surprised how often we have to make this argument to senior leadership because of the fact that they're looking for something tied to profit. With cybersecurity, they see a lot of money going out and they don't see that immediate result. That's why when we manage our projects, we have to base our projects on value delivery and we have to have clearly stated objectives tied to the business. We have to measure to see if we meet those objectives, and at the end we report and we can demonstrate the value that we've delivered. We have to be our own cheerleaders in cybersecurity. Shouldn't be that way, but it is.

Remember, with cost-benefit analysis, a lot of times those costs or benefits are not necessarily dollars, but they certainly can be. Dollars speak volumes. What often senior leadership is looking for, and this usually is in dollars, is a return on investment. I put so much money out, I want more coming back. That's the expectation. Hey, I paid for this new firewall, I paid to upgrade my environment, I made these changes, when does it pay for itself? When do I get to say, that was a good investment? It's not as clear, sometimes. It's not necessarily, okay, we're at the $5,000 point, so that $4,999 control has just paid for itself. Return on investment is tricky, because again, we're determining value based on some of these intangibles.

What we do when we take on these IT endeavors is we have to have information. Before I begin a project to enhance security in a particular environment, or a migration to new software, whatever the project is, what I have to start with is understanding clearly the organizational goals and objectives that are behind this project. Remember, project selection is usually not my job, that usually is a steering committee, and it should be that way. Because remember, above security is governance. Now, I realize there's security governance too, but organizational governance comes above security. When your board of directors, when your steering committees, when senior leaders undertake a project, that project should be tied to organizational goals and objectives. They're the ones to ensure that the project they've chosen is going to deliver value to the organization. I want to know as much information as I can on what that value should be. Are we increasing confidence with customers, with stakeholders? Are we increasing product? Are we increasing availability? What are we doing? Again, everything goes back to understanding the business and their objectives.

Then what I want to do when I'm beginning my project and I'm collecting information and I'm setting out my activities and the deliverables I'm going to produce and the metrics for the deliverables to make sure they're meeting their objectives, it goes right in, tied to the organization. We talk about critical success factors; those success factors must directly relate to the business. I don't talk about fewer viruses that infect systems; what I talk about is a reduction in man hours lost due to malware. Or I talk about a reduction in data loss in the value of the data that we're protecting. This course, and many other courses that are out here today, really focus on cybersecurity professionals coming out of the basement and focusing on the organization as a whole, understanding our rightful place within the organization. We are not some disconnected body floating out in outer space. We are one of the pillars that holds up the organization, and we have to make sure that our design and support does just that.

When we're talking about dollars and cents though, to calculate a return on investment, what you want to look at is, and again, we tend to think about preventing loss or reducing loss. I have a control that I think we need to implement. Maybe it's a firewall. What I want to look at is what the loss is before implementing this control. What made me say, "Hey, I think we need a new firewall?" For instance, are we seeing malicious threats from the outside being successful on the inside? What's the impact of that? How often is it happening? What does it cost me? We're losing many hours due to malicious threats from the Internet or from external to the organization. What is it we're losing? Now, if I implement this control, what can I predict we'll be losing after the control is implemented? Now again, anytime we're talking about risk, we're talking about events that have not happened yet. I can't guarantee what the loss is going to be after we implement this control. But I can do my best to collect data from multiple resources, to use the subject matter experts and my team to look at historical data, incident response reports; I can do my best to come up with a value after implementing the control. I look at how much I was losing before I implement the firewall, then what do I anticipate we'll still be losing after implementing the firewall. Again, rarely do you eliminate risks. We can assume there's still going to be some loss. Then we have to take out the cost of the firewall. All of those: how much am I losing before? A hundred thousand dollars. How much will I be losing afterwards? Ten thousand. That leaves me with $90,000, but the firewall is going to cost 60. What's my return on investment? Thirty thousand dollars in reduced loss.

Also, when you're thinking about the cost of the countermeasure, a lot of items have an upfront fee and then they have a recurring fee, like for updates or continued support or whatever that might be. Make sure you include total cost of ownership, TCO, when you're talking about the cost of the countermeasure. You could hear that referred to as the cost of the countermeasure or the cost of the control. But again, TCO, total cost of ownership. I may have to pay a very small amount upfront, but then if I have to pay a monthly subscription fee, or yearly subscription fee, or there's a maintenance fee, or whatever that may be, that has to be factored into the cost; that's a really important idea as well. I'm looking for a positive return on investment. This tends to be more tied to dollars and cents, where cost-benefit analysis can be more subjective or qualitative in nature. I'll also just point out that a lot of times you hear ROI, you might hear ROSI, return on security investment. That, of course, just specifies the investment in relation to security controls.
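The ROI calculation and the total-cost-of-ownership point from the transcript, carried through as an added example (this is not code from the course or the instructor). It reproduces the firewall figures ($100,000 loss before, $10,000 after, $60,000 control cost, $30,000 net return) and then goes a step further than the transcript: the control cost is split into an upfront fee and an annual recurring fee, the loss figures are treated as annual, and a payback-year helper shows when cumulative avoided loss first covers cumulative TCO. The `ControlCost` type, the function names and the multi-year scenarios are assumptions made for this example.

```python
"""ROI / ROSI calculator that includes total cost of ownership (TCO).

Added example. Loss figures are assumed to be annual (loss expected per year
before and after the control), and the control cost is assumed to have an
upfront component plus a recurring annual component.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ControlCost:
    """Assumed cost structure of a countermeasure (not from the course)."""
    upfront: float            # one-time purchase / deployment cost
    annual_recurring: float   # subscription, maintenance, support per year


def total_cost_of_ownership(cost: ControlCost, years: int) -> float:
    """TCO over the evaluation horizon: upfront fee plus every year's recurring fee."""
    if years < 1:
        raise ValueError("horizon must be at least one year")
    return cost.upfront + cost.annual_recurring * years


def net_roi(loss_before: float, loss_after: float,
            cost: ControlCost, years: int = 1) -> float:
    """Loss avoided over the horizon minus TCO.

    This is the transcript's formula (loss before - loss after - cost of the
    control), with the cost replaced by TCO and the loss figures scaled by
    the number of years.
    """
    if loss_after > loss_before:
        raise ValueError("a control that increases loss has no return")
    avoided = (loss_before - loss_after) * years
    return avoided - total_cost_of_ownership(cost, years)


def rosi_percent(loss_before: float, loss_after: float,
                 cost: ControlCost, years: int = 1) -> float:
    """Return on security investment as a percentage of TCO."""
    tco = total_cost_of_ownership(cost, years)
    return net_roi(loss_before, loss_after, cost, years) / tco * 100.0


def payback_year(loss_before: float, loss_after: float,
                 cost: ControlCost, max_years: int = 10) -> Optional[int]:
    """First year in which cumulative avoided loss covers cumulative TCO.

    Returns None when the control never pays for itself within max_years,
    which is what happens when the recurring fee exceeds the annual loss
    avoided.
    """
    annual_avoided = loss_before - loss_after
    for year in range(1, max_years + 1):
        if annual_avoided * year >= total_cost_of_ownership(cost, year):
            return year
    return None


if __name__ == "__main__":
    # Transcript scenario: $100k loss before, $10k after, $60k firewall, one year.
    firewall = ControlCost(upfront=60_000, annual_recurring=0)
    print("net ROI:", net_roi(100_000, 10_000, firewall))          # 30000.0
    print("ROSI %:", rosi_percent(100_000, 10_000, firewall))      # 50.0

    # Constructed TCO scenario: cheap upfront, expensive recurring fee.
    subscription = ControlCost(upfront=5_000, annual_recurring=95_000)
    print("payback year:", payback_year(100_000, 10_000, subscription))  # None
```

The last scenario is the trap the transcript warns about: a control with a small upfront price can still have a negative return once the recurring fee is counted, so the comparison only makes sense on TCO over the same horizon used for the loss estimates.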