Measuring your ROI on Splunk
At our last executive round-table, a topic of discussion revolved around effective ways to measure the return on investment (ROI) of cybersecurity tools such as Splunk. The point was (at least for the private sector) that their respective Chief Financial Officers (CFOs) and board members were all concerned about the up-front investment and ongoing costs required for cybersecurity, with no tangible metrics to measure against. Some counterpoints to this concern were that the ROI is usually associated with a ‘what if’ cost saved in the event of a cyber incident, which can be very costly and damaging. The Australian Cyber Security Centre (ACSC) reported that in the 2022-23 financial year, the average cost of cybercrime for small businesses increased to $46,000, and for medium businesses, it increased to $97,000. This also doesn't factor in other damages such as reputational damage or loss of existing or new customers.
An easy win with Splunk
With Splunk, you can run a search that associates the average cost of a cyber incident with the number of true positive incidents detected and mitigated. This kind of report helps translate for the executive team the costs or damages saved through the work and effort of the security team. The more true positive detections found the better, thus helping fuel that request for more budget to further expand and enhance your security tools.
An example of such a search, leveraging the Splunk Enterprise Security Notable macro:
`notable`
| search status_label="True Positive - Closed"
| stats count(event_id) as event_id_count
| eval event_cost = 50000
| eval roi = event_id_count * event_cost
| table roi
Splunk SOAR
Splunk SOAR natively has a dashboard that measures and displays ROI based on a calculation of ‘time saved’ over the average cost of 1 Full-Time Employee (FTE). This is a simple ROI measurement tool that can be configured to use your organisation's average cost for better accuracy. For automation in general, more time can be saved by automating small tasks that, in the micro stand-alone context, might not appear to equate to much, but scaled out over the macro to a team and a larger time horizon, add up to considerable time saved. For example, the copying and pasting of URLs into 1 or more reputation checking services: this manual ‘swivel chair’ type action seems small; however, that 5-10 second action quickly adds up to hours when done several times a day by several analysts over a 1 month period.
Using Splunk for more than Security
Another method of measuring your ROI is to evaluate what your Splunk is being used for: is it just being used as a SIEM?
Splunk is a data platform and is designed to be used across all Information Technology sectors. If you're not already doing it, consider onboarding ITOps data or other business data to garner value out of the platform so it's not just a security tool.
Of course, the above are only three quick examples; however, if you need further assistance with measuring your ROI or wish to expand your Splunk use cases, we’re happy to help!
Legal Disclaimer:
The information provided in this post regarding Splunk is based on Hyperion 3's own experiences and research. It reflects our opinions and is not officially endorsed by or affiliated with Splunk. This content is intended for informational purposes only and does not constitute official Splunk best practices or recommendations. For official guidance, please refer to Splunk’s documentation or consult with a Splunk representative.