Is Cybersecurity an Investment or Expense?

December 14, 2016 Jennifer Geisler

Let’s Do the Numbers.

The debate has raged on for years. Old-school financial purists argue that security is not an investment that provides income, and therefore, is an expense. Forward-thinking security practitioners view cybersecurity purchases as investments that can generate significant cost savings to the bottom line of the business, and therefore should be measured by return on investment (ROI).

So who’s right? Is Ebenezer Scrooge being too rigid in defining value gain or is Charles Ponzi using wishful thinking and fuzzy math in calculating ROI?

My point of view is simple: whether earned or saved, money is money. As such, cybersecurity is definitely an investment. No one would argue that factory automation isn’t an investment, so why would anyone view security automation differently? After all, orchestrating workflows among various security tools eliminates manual processes and human-error-prone tasks. It frees IT staff to focus on adding value. Equally important, this type of automation can accelerate security response to quickly mitigate security risks and associated costs.

As a security professional, clearly my viewpoint is biased. If you really want an objective perspective on security ROI, talk to those who use security products and ask them for tangible metrics. IDC analysts Robert Ayoub and Matthew Marden recently interviewed seven ForeScout customers and came to their own positive conclusions about the business value of ForeScout. Here are some of the metrics they measured:

  • $ benefits per year per 1,000 devices on networks
  • ŸŸ
  • % of unknown devices detected
  • Ÿ
  • % increase in device compliance
  • Ÿ
  • % of fewer network-related security breaches
  • Ÿ
  • % increase in IT staff device and network security staff efficiency
  • ŸŸ
  • Months to break even
  • ŸŸ
  • Five-year ROI

You can review IDC’s results here. It’s also worth noting that this analysis didn’t attempt to calculate the astronomical costs that would accompany a major security breach, such as informing customers, legal/consultant costs, lost business opportunity or brand damage.

Financial analysts will likely argue over the semantics of security investment versus expense for years to come. However, they agree on one tried-and-true investment strategy: to get valuable insights, talk to customers.

The post Is Cybersecurity an Investment or Expense? appeared first on ForeScout.

Previous Article
The Truth Behind the Scope of the Endpoint Problem in the Enterprise
The Truth Behind the Scope of the Endpoint Problem in the Enterprise

Twitter: @SecurityMonahan The Evolution of the “Endpoint” Over the past few years, the perception of what a...

Next Article
Mirai, oh my!

Twitter: @darrell_kesti I’ll admit it. I am fascinated by the Mirai botnet, and have been paying close atte...

Webinar From Customer’s Perspective: Rapid Response to Security Threats.

Register today!