Let’s Do the Numbers.
The debate has raged on for years. Old-school financial purists argue that security is not an investment that provides income and is therefore an expense. Forward-thinking security practitioners view cybersecurity purchases as investments that can generate significant cost savings to the bottom line of the business, and therefore should be measured by return on investment (ROI).
So who’s right? Is Ebenezer Scrooge being too rigid in defining value gain, or is Charles Ponzi using wishful thinking and fuzzy math in calculating ROI?
My point of view is simple: whether earned or saved, money is money. As such, cybersecurity is definitely an investment. No one would argue that factory automation isn’t an investment, so why would anyone view security automation differently? After all, orchestrating workflows among various security tools eliminates manual processes and human-error-prone tasks. It frees IT staff to focus on adding value. Equally important, this type of automation can accelerate security response to quickly mitigate security risks and associated costs.
As a security professional, clearly my viewpoint is biased. If you really want an objective perspective on security ROI, talk to those who use security products and ask them for tangible metrics. IDC analysts Robert Ayoub and Matthew Marden recently interviewed seven ForeScout customers and came to their own positive conclusions about the business value of ForeScout. Here are some of the metrics they measured:
- $ benefits per year per 1,000 devices on networks
- % of unknown devices detected
- % increase in device compliance
- % fewer network-related security breaches
- % increase in IT device and network security staff efficiency
- Months to break even
- Five-year ROI
You can review IDC’s results here. It’s also worth noting that this analysis didn’t attempt to calculate the astronomical costs that would accompany a major security breach, such as informing customers, legal/consultant costs, lost business opportunity or brand damage.
Financial analysts will likely argue over the semantics of security investment versus expense for years to come. However, they agree on one tried-and-true investment strategy: to get valuable insights, talk to customers.