Maximizing Return on Your Cybersecurity Investments

An interesting question I’ve been asked throughout my career is how to calculate the return on a cybersecurity investment. For a vendor to be able to show their offering actually saves the client money over time is like grabbing the brass ring on your favorite carousel. This challenge isn’t limited to the vendor space, however. Security is often viewed as a cost center within an organization and many of us are constantly trying to justify the budget we’ve allocated to certain products or services, even if we’re only justifying them to ourselves. So when I’m trying to tackle the question of a return on investment (ROI), I try to simplify things down to what I think of as the “people, processes and technology triumvirate.”

The People, Processes and Technology Triumvirate

[Image: "School Bus" by George Hodan, accompanying the reference to the children's song "Wheels on the Bus."]

People, processes and technology are the wheels on the bus that go round and round. To continue the metaphor: everything is attached to the same bus (hopefully), and each wheel is rate-limited by the others. Adding efficiency to one wheel won't make the bus go faster unless the other wheels can already turn at that speed. So when we change the people, processes or technology in our environment, we can measure the return by observing the impact on the other two wheels.

Let me illustrate this with a quick example from the security operations center. Level 1 SOC Analysts are primarily responsible for triaging alerts and collecting the context around them. In fact, it is through this work that they develop the expertise to investigate a potential breach and become qualified to move up to Level 2 SOC Analyst. Deploying improved security analytics capabilities such as XDR, which centralize the collection of telemetry and provide high-fidelity detection with automated root cause analysis, optimizes that collection step for Level 1 SOC Analysts and arguably shows them what is relevant about the alert. So by improving technology, we've added optimizations to our people and processes, something I've often described as technology turning a Level 1 SOC Analyst into a Level 1.5 SOC Analyst.

Let’s Start to Quantify This Improvement!

Continuing this example, we would measure the improvement by multiplying the average cost of a Level 1 SOC Analyst by the gained process efficiency, using a workload metric such as the number of tickets the SOC closes per day before and after deployment of the technology. Measure like for like: if the new tool also generates more low-value alerts, "tickets closed" will inflate on its own, so compare the same alert categories and normalize by analyst hours rather than counting raw closures. Rarely, however, is a change so one-dimensional that a single metric captures it. Many XDR products have detection and prevention capabilities, so you may also choose to look at opex improvements such as a reduction in malware-related service desk tickets (when doing this, be sure to account for the victim's lost productivity as well as the service desk time).

Keep in mind that you're offsetting all of this against cost, which includes not only maintenance but, importantly, the deployment of the technology, which is paid up front before any of the efficiency gain is realized. I've frequently found it takes about a year and a half to two years before you start realizing a positive ROI for many technologies because there's so much up-front cost involved in initial deployment. For this reason, you want to try to future-proof your purchases, and that means not necessarily buying the thing you need now, but what you'll wish you had in the future.
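To make the arithmetic above concrete, here is a small break-even model written for this post as an added example; it is not code from the original article or from any vendor. It combines the two benefit streams discussed (analyst cost multiplied by process efficiency, plus avoided malware tickets costed as desk time and victim downtime) against a one-off deployment cost and recurring maintenance, with the benefit ramping up over the first few months. Every figure in `EXAMPLE` is a constructed placeholder, not a measurement from any real deployment; substitute your own before drawing conclusions.

```python
"""Toy break-even model for a security technology purchase.

Added example, not from the original post. All figures are constructed
placeholders; substitute your own before drawing any conclusion.
"""
from dataclasses import dataclass, replace
from typing import List, Optional


@dataclass(frozen=True)
class RoiInputs:
    # People: what the analysts whose process we are optimizing cost
    analyst_annual_cost: float          # fully loaded cost of one L1 analyst
    analysts: int
    # Process: the workload metric measured before and after deployment
    tickets_per_day_before: float
    tickets_per_day_after: float
    # Opex: malware-related service desk tickets and whose time they consume
    malware_tickets_per_month_before: float
    malware_tickets_per_month_after: float
    desk_hours_per_malware_ticket: float
    victim_hours_per_malware_ticket: float   # the victim's lost productivity
    hourly_rate: float                       # blended cost of an hour of desk/victim time
    # Technology: what the purchase costs
    deployment_cost: float          # one-off, paid before any gain is realized
    annual_maintenance: float       # recurring: renewals, platform upkeep
    ramp_months: int                # months until the process gain is fully realized


def process_efficiency(inp: RoiInputs) -> float:
    """Fractional throughput gain on the chosen workload metric."""
    return (inp.tickets_per_day_after - inp.tickets_per_day_before) / inp.tickets_per_day_before


def monthly_analyst_savings(inp: RoiInputs) -> float:
    """Analyst cost multiplied by the gained process efficiency, per month."""
    return inp.analysts * inp.analyst_annual_cost / 12 * process_efficiency(inp)


def monthly_malware_savings(inp: RoiInputs) -> float:
    """Opex avoided: fewer malware tickets, costed as desk time plus victim downtime."""
    avoided = inp.malware_tickets_per_month_before - inp.malware_tickets_per_month_after
    hours = inp.desk_hours_per_malware_ticket + inp.victim_hours_per_malware_ticket
    return avoided * hours * inp.hourly_rate


def cumulative_net(inp: RoiInputs, horizon_months: int) -> List[float]:
    """Cumulative net position at the end of each month, starting from -deployment_cost."""
    full_benefit = monthly_analyst_savings(inp) + monthly_malware_savings(inp)
    monthly_maintenance = inp.annual_maintenance / 12
    running = -inp.deployment_cost
    out = []
    for month in range(1, horizon_months + 1):
        # Benefit scales up linearly during the ramp; maintenance is paid from month one.
        ramp = 1.0 if inp.ramp_months <= 0 else min(month / inp.ramp_months, 1.0)
        running += full_benefit * ramp - monthly_maintenance
        out.append(running)
    return out


def breakeven_month(inp: RoiInputs, horizon_months: int = 60) -> Optional[int]:
    """First month in which the cumulative net is non-negative; None if never within the horizon."""
    for month, net in enumerate(cumulative_net(inp, horizon_months), start=1):
        if net >= 0:
            return month
    return None


# Constructed figures, not measurements from any real deployment.
EXAMPLE = RoiInputs(
    analyst_annual_cost=90_000, analysts=6,
    tickets_per_day_before=40, tickets_per_day_after=50,
    malware_tickets_per_month_before=60, malware_tickets_per_month_after=20,
    desk_hours_per_malware_ticket=1.5, victim_hours_per_malware_ticket=3.0,
    hourly_rate=50,
    deployment_cost=180_000, annual_maintenance=120_000, ramp_months=6,
)

# Same purchase, but forgetting to cost the victim's lost time.
EXAMPLE_DESK_TIME_ONLY = replace(EXAMPLE, victim_hours_per_malware_ticket=0.0)

# Same purchase with no measurable process or opex gain: never pays back.
EXAMPLE_NO_GAIN = replace(EXAMPLE, tickets_per_day_after=40, malware_tickets_per_month_after=60)


if __name__ == "__main__":
    print(f"process efficiency gain: {process_efficiency(EXAMPLE):.0%}")
    print(f"analyst savings/month:   {monthly_analyst_savings(EXAMPLE):,.0f}")
    print(f"malware savings/month:   {monthly_malware_savings(EXAMPLE):,.0f}")
    print(f"break-even month:        {breakeven_month(EXAMPLE)}")
    print(f"  desk time only:        {breakeven_month(EXAMPLE_DESK_TIME_ONLY)}")
    print(f"  no gain:               {breakeven_month(EXAMPLE_NO_GAIN)}")
```

With the placeholder figures the purchase breaks even in month 23, inside the year-and-a-half-to-two-years window described above. Dropping the victim's lost productivity from the malware-ticket line pushes break-even out to month 51, which is why that term is worth capturing; and a deployment that produces no measurable gain on either metric never breaks even, regardless of how the purchase is priced.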

So When Is The Right Time to Invest in a New Technology?

In seeking to maximize your cybersecurity investments, keep an eye on where the market is going and understand where your organization sits on the innovation curve. By the time most analyst firms start performing product evaluations, a technology has become fairly mainstream; that's their business model. Depending on your budget and appetite for risk, you may determine that it makes sense to adopt a technology earlier, either to lock it in as a longer-term investment or because you don't want to be behind the market by the time you reach contract renewal. My recommendation for most organizations is to invest in the next generation of a technology once you have the implicit market validation of a number of analyst firms talking about it, and possibly before you start seeing evaluations of the product category, or risk being seen as a laggard and having this new tech deployed by your eventual replacement.
