Comparing Security Return on Investment (ROI) - Without Maths*
Stephen M.
Anyone who has operated at the CISO level will know there is a finite budget, and that it is small. There are constantly changing threats and an ever-growing market of solutions. Navigating the landscape requires a keen sense of prioritisation, a profound understanding of risk, and the ability to communicate value to leadership. It is not just about selecting the right technologies but about getting the best bang for your limited amount of bucks. A CISO must understand whether what they purchase will give a good return on the initial (AND ongoing) investment or is just an unnecessary drain on their finite resources, or, worse still, security by box-ticking.
When assessing return on investment (ROI), it may be challenging to compare options as there will likely be several ways to peel a banana (skinning cats is mean!). A CISO may need to compare a banana with an apple (or a pear with a bunch of grapes) to determine which solution gives the best overall ROI. That may sound impossible but it's not as hard as it may first seem. In this article, we shall work through a method of comparing the ROI of different solutions. And for ease we shall look at a common security issue - Phishing.
Defining the Security Problem
Before looking for solutions, CISOs must first define the problem they are trying to solve. Too often, organisations are vendor-led. That is to say, an IT Manager attends a conference and watches a presentation in which a vendor presents a problem. Lo and behold, the vendor then presents a demo of how their solution can solve that problem. That is not to say the vendor's solution does not solve that particular problem - but it does not mean the solution is the only way to solve the CISO's issue. I have sat through so many sales pitches in which a vendor has presented a problem and presented a solution, only to find, with some cursory research, that the problem could be 100% mitigated by turning off an OS feature that was never being used.
So before organising any vendor demo or Proof of Concept, ask yourself two things:
Let's look at these two questions through the lens of Phishing.
The threat is a scammer or hacker sending deceptive emails or messages, trying to trick employees into doing something, like giving away a password or clicking on a bad link.
The vulnerability is that humans can be tricked or fooled. Maybe we are in a hurry, tired, not paying close attention, or just don't recognise the signs of a scam.
Once the CISO has identified a valid threat and vulnerability, it is time to ask whether the threat and vulnerability exist in their specific environment. The CISO should assess how often Phishing occurs and what is the worst-case scenario should a phishing attempt prove successful.
Let's answer the questions in turn. Humans (at least for now) are receiving emails/messages that can potentially contain social engineering techniques or bad links. The threat exists. Are the humans vulnerable to being tricked or fooled? Absolutely. Is this happening all the time? Absolutely. What is the worst-case scenario? A successful phishing attack could put us out of business.
Looking at the threat, this isn't something we can control. We can't simply ask the threat actors to go phish elsewhere and leave us alone. We also can't stop using communication channels that are accessible to those on the Internet - if we did, we would go out of business.
Looking at the vulnerability we are dealing with four distinct issues. The first is recognition of the signs of a phishing attempt. The second is humans being in a hurry. The third is humans being tired. The fourth is humans not paying [close] attention. Any single or combination of these issues could result in a successful phishing attack. We have 15 different combinations to deal with. I will not list them all, but I can tell you that, in only 1 of the 15 combinations, recognising a phishing email is the sole vulnerability. In seven combinations, recognising a phishing email is not a factor; in three combinations, it is one of three factors. To put this another way, in 93%* of scenarios, something other than recognising the phishing email contributes to a successful phishing attempt. That is to say, 9 out of 10 phishing attempts will be successful when employees are tired, in a hurry, or not concentrating - even if under normal circumstances the human would have recognised the phishing attempt. (*OK, a little bit of maths!)
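The counts above (1 of 15, 7 of 15, 3 of 15 and the 93%) come from enumerating every non-empty combination of the four human factors. The short script below, added here as an illustration and not part of the original article, lists those combinations and reproduces the article's figures; it also works for any other set of factors, so the same check can be rerun if a CISO identifies more (or fewer) contributing issues. The factor names are constructed labels for the four issues the article describes.

```python
from itertools import combinations

# Constructed labels for the four human-centric issues named in the article.
FACTORS = ("recognition", "hurry", "tired", "attention")


def all_combinations(factors=FACTORS):
    """Every non-empty subset of the factors: 2^n - 1 combinations in total."""
    out = []
    for size in range(1, len(factors) + 1):
        out.extend(combinations(factors, size))
    return out


def analyse(focus="recognition", factors=FACTORS):
    """Count how often `focus` is the sole factor, absent, or one of three,
    and what share of combinations involve something other than `focus`."""
    combos = all_combinations(factors)
    total = len(combos)
    sole = sum(1 for c in combos if c == (focus,))
    absent = sum(1 for c in combos if focus not in c)
    one_of_three = sum(1 for c in combos if focus in c and len(c) == 3)
    # Every combination except the one where `focus` stands alone has
    # at least one other contributing factor.
    other_contributes = total - sole
    return {
        "total": total,
        "sole": sole,
        "absent": absent,
        "one_of_three": one_of_three,
        "other_contributes": other_contributes,
        "other_share_pct": round(100 * other_contributes / total),
    }


def combinations_without(focus="recognition", factors=FACTORS):
    """The combinations in which `focus` plays no part (the 'seven' in the text)."""
    return [c for c in all_combinations(factors) if focus not in c]


if __name__ == "__main__":
    for combo in all_combinations():
        print(" + ".join(combo))
    print(analyse())
```

Running it prints all 15 combinations followed by the counts: 1 combination where recognition is the sole factor, 7 where it is absent, 3 where it is one of three, and 14 of 15 (93%) where something other than recognition contributes. Passing a different tuple of factors to `analyse` repeats the exercise for another breakdown of the problem.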
So our problem is now more clearly defined. We have identified this is a human-centric problem, and we need to address the following issues:
These issues now form the basis for action...or, in the case of doing nothing, inaction.
What can the CISO influence? What can the CISO control?
Looking at the problem through the above questions, we can now determine what is in the CISO's power to control or influence. The CISO can certainly control doing nothing, for as long as they have a job at least, but that may not be for long! What the CISO cannot realistically control is improving concentration, preventing people from rushing or reducing how tired people get. These three challenges are not in the CISO's control, and the CISO will have very little influence on such factors. Preventing CISO burnout is a challenge on its own! Improving recognition is still not something a CISO can control, because any improvement in recognition will still require buy-in from each participant in the recognition improvement programme. That said, improving recognition is something the CISO can undoubtedly influence. What a CISO is most able to control, however, is the implementation of a technical solution that removes the human-centric vulnerabilities altogether.
So, where does the CISO invest?
In considering the analysis of the last section, we now have a potential primary course of action and a fallback course of action. The primary course of action, finding a solution that removes the human-centric vulnerabilities, would provide the best security ROI. That is to say, investing in a technical solution would mean our humans do not need to recognise phishing emails at all, no matter the situation. Whether they are tired, in a rush or lacking in concentration, the solution will prevent the phishing attempt. The fallback solution, improving recognition of phishing attempts, would not be ideal, but it would at least give a fighting chance to those overworked, exhausted, multi-tasking humans.
So ROI on a technical solution wins outright? err...not quite!
We went through a logical process, and the clear winner was that the technical solution would give the greatest security ROI (non-financially). It should now be a case of procuring said technical solution and configuring it pronto. The thing is, the decision-making logic in this article [deliberately] omits one key aspect of implementing any solution. The article omits any discussion on whether any investment is available for a solution. Anyone who has operated in an information security function knows all too well that there is not an infinite budget (until after you have suffered a major breach anyway). So why has this aspect been deliberately left out? Basically, because the decision-making logic for assessing ROI should first be based on a comprehensive understanding of the actual problem. Without this understanding, a CISO could go out to market and only assess a solution's ROI against how well it solves a fraction of the actual problem. If we go back to our phishing issue, we could find a solution that improves recognition of phishing attacks, but in reality, the overall ROI is pitifully low. That is to say, even if our humans are better at spotting deceptive emails, other factors like being in a hurry, fatigue, or distractions might still lead them to fall for an attack, reducing the overall effectiveness of this approach as the preferred solution. If a CISO invested in security tooling like this, they would be wasting their company's cash!
It is OK to Compare Apples with Bananas.
To compare the true ROI of different security solutions, CISOs need to think of the problem akin to comparing apples with bananas: both may be good for you, but not in the same way. CISOs need to better understand their challenges by breaking each issue down into its constituent parts. From there, figure out the actual vulnerabilities, then figure out which factors are most crucial in mitigating those vulnerabilities. Only then assess each solution against these criteria. That's how you get optimum security ROI!
If you are a security leader struggling to get to grips with calculating security ROI, get in touch for an initial consultation call to see how we can help you get the best bang for your buck!
About the Author:
Stephen Massey is the Managing Director of Fox Red Risk, a boutique Cyber Security and Data Protection consultancy, which in addition to offering GDPR advisory services, provides vCISO services and operational resilience consultancy. Stephen has also authored two books on data protection: "Managing Subject Access Requests" and "The Ultimate GDPR Practitioner Guide". Both books are available on Amazon in paperback and Kindle eBook formats.