
Seven Tips for Increasing Cybersecurity ROI


Investments in Cybersecurity: How to Maximize ROI

When it comes to investments in cybersecurity, the focus is on initiatives that provide maximum protection at minimal costs. However, calculating such returns is often anything but simple.

CISOs often struggle to secure adequate resources to protect the company, and find themselves stretching what they have as far as it will go without compromising the business.

To secure more investments in the future, it is crucial to maximize the benefits of your cybersecurity initiatives. Here are seven ways to improve the ROI of your cybersecurity efforts.

Calculating the Financial Impact of Cyber Threats

“The ROI of cybersecurity cannot simply be measured based on cost savings, efficiency, or revenue growth,” explains Joyce Harkness, Director at the technology research and advisory firm ISG. “Cybersecurity ensures that the use of technology is less risky,” she notes. “Precise metrics allow companies to make informed decisions, identify trends, and compare themselves with the competition. This enables strategic adjustments that lead to better outcomes.”

Harkness recommends a cyber risk quantification (CRQ) approach because it expresses risk in financial terms that executives readily understand and can relate to. “CRQ is attractive to executives who want to manage cybersecurity investments using clear, non-technical metrics accessible to businesses,” adds the ISG expert. “In today’s rapidly changing cybersecurity environment, CRQ measurements help refine and improve strategies.” This ensures that limited resources can be effectively utilized.

Harkness adds that a CRQ approach also leads to stronger security initiatives while increasing returns.

Conducting Scenario-Based Risk Assessments

Or Klier, Partner and Managing Director at the consulting firm Boston Consulting Group, suggests using quantitative, scenario-based risk assessments to optimize cybersecurity initiatives within the organization. “This approach, conducted at various levels within the organization, enables the entire company to optimize its portfolio of cybersecurity initiatives,” the expert explains. “It ensures that every dollar spent directly contributes to measurable risk reduction.”

According to Vanessa Lyon, Managing Director at Boston Consulting Group, a scenario-based risk assessment enhances effectiveness in three ways: “It identifies and quantifies the financial impact of risks and clarifies which initiatives bring the most benefit,” she explains.

By linking cybersecurity initiatives to business outcomes, the approach also ensures that decisions are risk-based rather than solely driven by compliance requirements. “Combining detailed evaluations of business-critical assets with enterprise-wide strategies creates a balanced approach that covers both specific and systemic risks,” Lyon adds.
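The CRQ approach Harkness describes and the scenario-based assessment Klier and Lyon recommend both come down to the same arithmetic: put a dollar figure on each loss scenario, model how much of that figure a given initiative removes, and rank initiatives by risk reduction per dollar. The following is an added example, not code from the article or from ISG or BCG. It uses the standard annualized loss expectancy model (ALE = annual rate of occurrence × loss per event) and a simple return-on-security-investment ratio; the scenarios, probabilities, loss figures, control names and control costs are constructed for illustration, not real data.

```python
"""Scenario-based cyber risk quantification with a return-on-security-investment ranking.

Added example, not code from the article or from ISG/BCG. All scenarios, rates,
losses and control costs are constructed illustrations.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    annual_rate: float      # expected occurrences per year (ARO)
    loss_per_event: float   # single loss expectancy (SLE), in dollars

    def ale(self) -> float:
        """Annualized loss expectancy = ARO * SLE."""
        return self.annual_rate * self.loss_per_event


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    rate_reduction: dict     # scenario name -> fraction of occurrence rate removed
    impact_reduction: dict   # scenario name -> fraction of per-event loss removed


# Constructed loss scenarios (hypothetical figures for a mid-size company).
SCENARIOS = [
    Scenario("ransomware", annual_rate=0.2, loss_per_event=2_000_000),
    Scenario("business email compromise", annual_rate=1.5, loss_per_event=150_000),
    Scenario("cloud misconfiguration exposure", annual_rate=0.5, loss_per_event=600_000),
]

# Constructed candidate initiatives and the reductions the assessment team assigned.
CONTROLS = [
    Control("EDR plus immutable backups", 180_000,
            rate_reduction={"ransomware": 0.5},
            impact_reduction={"ransomware": 0.6}),
    Control("Phishing-resistant MFA", 60_000,
            rate_reduction={"business email compromise": 0.7, "ransomware": 0.3},
            impact_reduction={}),
    Control("Cloud posture management (CSPM)", 90_000,
            rate_reduction={"cloud misconfiguration exposure": 0.6},
            impact_reduction={}),
]


def baseline_ale(scenarios):
    """Total expected annual loss with no new control in place."""
    return sum(s.ale() for s in scenarios)


def residual_ale(scenarios, control):
    """Total expected annual loss once `control` is deployed."""
    total = 0.0
    for s in scenarios:
        rate = s.annual_rate * (1 - control.rate_reduction.get(s.name, 0.0))
        loss = s.loss_per_event * (1 - control.impact_reduction.get(s.name, 0.0))
        total += rate * loss
    return total


def rosi(scenarios, control):
    """Return on security investment: (risk reduction - cost) / cost.

    A value of 0 means the control only pays for itself; negative means the
    expected loss avoided is smaller than what the control costs.
    """
    reduction = baseline_ale(scenarios) - residual_ale(scenarios, control)
    return (reduction - control.annual_cost) / control.annual_cost


def rank_controls(scenarios, controls):
    """Controls ordered by return per dollar, best first."""
    return sorted(controls, key=lambda c: rosi(scenarios, c), reverse=True)


def summarize(scenarios, controls):
    """Name -> (residual ALE, ROSI) for reporting to executives."""
    return {c.name: (residual_ale(scenarios, c), rosi(scenarios, c)) for c in controls}


if __name__ == "__main__":
    print(f"baseline ALE: ${baseline_ale(SCENARIOS):,.0f}")
    for c in rank_controls(SCENARIOS, CONTROLS):
        after, r = summarize(SCENARIOS, CONTROLS)[c.name]
        print(f"{c.name:32s} residual ALE ${after:,.0f}  ROSI {r:.2f}")
```

The ranking is the point: the most expensive initiative (EDR plus backups) removes the most absolute risk but ranks last on return per dollar, while the cheap MFA rollout ranks first because it touches two scenarios at once. Sensitivity to the assigned reduction fractions is large, so in practice the inputs come from the scenario workshops the article describes, and the model is rerun as they are refined.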

Pooling Security Resources with Industry Partners

Utilize networks to exchange threat information within your industry to proactively defend against new threats, recommends Steve Tcherchian, CISO of security technology company XYPRO.com.

“By pooling resources and insights, companies can mitigate risks more cost-effectively than if they tackle them in isolation. For example, financial institutions can exchange threat information to collectively strengthen their defense measures,” explains the security expert.

Sharing security information and resources allows for early warning of specific threats and attacks targeting your industry, Tcherchian continues. “This way, everyone in the industry can prepare defense measures before an attack occurs. This collaborative approach reduces duplicate efforts and spreads the costs of information across the entire industry network.”

To get started, Tcherchian advises joining an industry-specific information exchange group recommended by organizations like the National Council of ISACs or simply forming a private consortium with trusted colleagues. “Integrate the shared information into your SIEM or threat detection systems for automatic alerts and responses, and share your efforts,” suggests the CISO.
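The last step Tcherchian mentions, feeding shared indicators into detection tooling so they fire alerts automatically, is where most of the value of an ISAC membership is realized or lost. The following is an added example, not code from the article, from XYPRO or from any ISAC: a minimal indicator matcher that takes a shared feed of IP ranges, domains and file hashes, drops low-confidence entries, and scans log lines for hits. The feed entries, the log lines and the confidence threshold are constructed for illustration (the IP ranges and domain are from reserved documentation space, the hash is a placeholder), and a real deployment would load the same data from the SIEM's threat-intel connector rather than from a list in the script.

```python
"""Match shared threat indicators against log lines and emit alerts.

Added example, not code from the article, XYPRO or any ISAC. The indicator
feed, log lines and confidence threshold below are constructed.
"""
import ipaddress
import re

# Constructed feed as a sharing group might publish it: type, value, confidence, source.
SHARED_INDICATORS = [
    {"type": "ipv4", "value": "203.0.113.0/24", "confidence": 80, "source": "sector-isac"},
    {"type": "domain", "value": "update-portal.example", "confidence": 90, "source": "sector-isac"},
    {"type": "sha256", "value": "0123456789abcdef" * 4, "confidence": 95, "source": "peer-consortium"},
    # Low-confidence sighting: kept in the feed but filtered out by default below.
    {"type": "ipv4", "value": "198.51.100.20", "confidence": 40, "source": "peer-consortium"},
]

# Constructed log lines from a firewall, a DNS resolver and an endpoint agent.
SAMPLE_LOGS = [
    "fw01 DENY src=203.0.113.45 dst=10.0.0.12 dport=445",
    "dns01 query=update-portal.example client=10.0.1.7 type=A",
    "edr host=ws-142 event=file_create sha256=" + "0123456789abcdef" * 4
    + " path=C:\\Users\\Public\\invoice.exe",
    "fw01 ALLOW src=10.0.2.5 dst=198.51.100.20 dport=443",
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")


def compile_indicators(feed, min_confidence=70):
    """Index the feed for fast lookup, discarding entries below the confidence bar."""
    nets, domains, hashes = [], {}, {}
    for ioc in feed:
        if ioc["confidence"] < min_confidence:
            continue  # low-confidence indicators generate noise, not alerts
        if ioc["type"] == "ipv4":
            nets.append((ipaddress.ip_network(ioc["value"], strict=False), ioc))
        elif ioc["type"] == "domain":
            domains[ioc["value"].lower()] = ioc
        elif ioc["type"] == "sha256":
            hashes[ioc["value"].lower()] = ioc
    return nets, domains, hashes


def match_line(line, compiled):
    """Return the indicators that occur in one log line (each at most once)."""
    nets, domains, hashes = compiled
    hits, seen = [], set()

    def record(ioc):
        key = (ioc["type"], ioc["value"])
        if key not in seen:
            seen.add(key)
            hits.append(ioc)

    lowered = line.lower()
    for ip_str in IPV4_RE.findall(lowered):
        try:
            ip = ipaddress.ip_address(ip_str)
        except ValueError:
            continue  # e.g. a version string that only looks like an address
        for net, ioc in nets:
            if ip in net:
                record(ioc)
    for domain in DOMAIN_RE.findall(lowered):
        if domain in domains:
            record(domains[domain])
    for digest in SHA256_RE.findall(lowered):
        if digest in hashes:
            record(hashes[digest])
    return hits


def generate_alerts(log_lines, feed, min_confidence=70):
    """Scan log lines and build one alert per (line, indicator) pair."""
    compiled = compile_indicators(feed, min_confidence)
    alerts = []
    for line in log_lines:
        for ioc in match_line(line, compiled):
            alerts.append({
                "indicator": ioc["value"],
                "type": ioc["type"],
                "source": ioc["source"],
                "confidence": ioc["confidence"],
                "log": line,
            })
    return alerts


if __name__ == "__main__":
    for alert in generate_alerts(SAMPLE_LOGS, SHARED_INDICATORS):
        print(f"[{alert['source']}] {alert['type']} {alert['indicator']} <- {alert['log']}")
```

With the default threshold the script raises three alerts (the firewall deny, the DNS query and the file hash) and stays silent on the fourth line, whose destination is only a 40-confidence sighting; lowering `min_confidence` to 0 turns that into a fourth alert. That threshold is the knob the article's "automatic alerts and responses" depends on: indicators shared by partners vary in quality, and the confidence or TLP marking they carry should decide whether a hit blocks, alerts, or merely enriches.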

Let AI Handle Routine Tasks

Using generative AI to manage repetitive operational security tasks is a critical factor in increasing cybersecurity ROI, according to Nikhil Sarnot, Managing Director at Accenture. “Whether it’s automating intake and review, conducting code reviews for vulnerabilities, or monitoring compliance, next-generation AI delivers speed, consistency, and scalability,” he notes.

Based on current proofs of concept and an analysis of internal and external personnel costs, Sarnot estimates that companies can achieve sustainable cost savings of 30 to 50 percent with AI, depending on the level of current investment in cybersecurity. At the same time, the scope and depth of security activities can be expanded considerably.

Generative AI enables cybersecurity experts to outsource routine, time-consuming tasks while maintaining accuracy, Sarnot explains. Unlike traditional AI/ML techniques limited by the need for structured data, GenAI can effectively integrate various cybersecurity signals and process abstract or unstructured data.

This allows cybersecurity experts to focus on higher-value, novel tasks such as strategic cybersecurity risk management and threat modeling. “Ultimately, it’s about scaling intelligently, improving efficiency, and reducing burnout from manual workflows,” emphasizes the Accenture expert.

Sarnot recommends starting small, automating high-volume, resource-intensive workflows that humans currently execute from runbooks. “Take an appropriate Retrieval-Augmented Generation (RAG) model to ensure the base model always uses the most relevant organizational context,” he advises. “Then gradually build trust by expanding into more complex tasks, such as analyzing code for security and privacy risks.”

Successful deployment depends on seamlessly integrating AI into existing tools and workflows while maintaining oversight through a robust human-AI collaboration model, Sarnot summarizes. However, it is important to handle the technology with care. “While its potential is immense, security experts are still in the early stages of understanding and leveraging AI.”

Integrate a FinOps Engineer into Your Team

According to Richard Marcus, CISO at AuditBoard, FinOps engineers can realize the easiest cost-optimization wins in the areas with the highest spend. “They are experts in license optimization, vendor negotiations, rationalization, and deduplication in your solutions portfolio.”

For example, a FinOps engineer can reduce costs by migrating to the service and resource types that are most cost-effective and better suited to specific protection requirements. Marcus notes that most security costs scale with the infrastructure footprint.

“By right-sizing the infrastructure, you can not only save on infrastructure costs themselves but also on all security solutions required to protect the infrastructure,” emphasizes the AuditBoard CISO. Additionally, FinOps can ensure that maximum value is extracted from various vendor solutions, he adds.

Invest in Automation

Automation is a proven way to improve cybersecurity ROI, both through stronger security and through eventual cost savings. Jon Taylor, Director and Security Chief at SASE and SD-WAN technology provider Versa Networks, is a staunch advocate of AIOps, which uses artificial intelligence and machine learning to improve and automate numerous IT operations, including security.

AIOps, for example, can radically improve the performance of security operations by prioritizing critical incidents and presenting the most relevant cause as the starting point for each investigation, Taylor explains. “By integrating into infrastructure and workflows, you could measure response to incidents in seconds and minutes instead of hours and days.”

Be Proactive

Continuous Threat Exposure Management (CTEM), a term coined by Gartner, prioritizes and mitigates threats. “It is a proactive approach to cybersecurity that continuously identifies, prioritizes, and mitigates potential threats, aligning security efforts with business objectives,” explains Tia Hopkins, Chief Cyber Resilience Officer and Field CTO at the Managed Detection and Response company eSentire.

“CTEM leverages data-driven insights and continuous validation to optimize risk mitigation and maximize the effectiveness of security investments,” the expert adds.

CTEM aligns investments in corporate security with measurable results by continuously assessing and mitigating potential threats across the enterprise. “When properly implemented, it also improves cross-departmental communication and promotes prioritization by helping companies focus their resources on their most critical risks,” Hopkins adds.

The CTEM implementation consists of five phases: scoping, discovery, prioritization, validation, and mobilization.

“Start by defining the scope to set objectives and identify assets, threats, and business context,” advises Hopkins. “Then proceed with discovery to map out threats, vulnerabilities, and attack paths across the enterprise.”

The eSentire expert recommends using prioritization to focus on the most critical risks using data-driven metrics. Validation should then be conducted to ensure the effectiveness of security controls and validate critical attack paths.

“And finally, use mobilization to integrate insights into actionable workflows, automate processes, and continuously improve the company’s security posture based on evolving threats,” notes Hopkins.
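The discovery, prioritization and validation phases Hopkins lists are concrete enough to show in code. The following is an added example, not code from the article, from Gartner or from eSentire: it models a small environment as a directed graph whose edges are weaknesses an attacker can use to move from one host to the next, enumerates attack paths from internet-facing entry points to crown-jewel assets (discovery), scores each weakness by the business criticality of the crown jewels its paths reach (prioritization), and then checks which crown jewels actually become unreachable when a given weakness is fixed (validation). The hosts, criticality ratings and `VULN-*` weakness names are constructed placeholders, not real identifiers.

```python
"""Attack-path discovery, prioritization and validation for a CTEM cycle.

Added example, not code from the article, Gartner or eSentire. The hosts,
edges and VULN-* names are constructed placeholders.
"""
from collections import defaultdict

# Constructed environment: host -> business criticality (1 = low, 5 = crown jewel).
CRITICALITY = {
    "web-portal": 2,
    "jump-host": 2,
    "app-server": 3,
    "file-share": 3,
    "backup-server": 4,
    "db-customer": 5,
}
ENTRY_POINTS = {"web-portal", "jump-host"}          # internet-facing (scoping)
CROWN_JEWELS = {h for h, c in CRITICALITY.items() if c >= 4}

# Directed edges: (from_host, to_host, weakness that enables the hop).
EDGES = [
    ("web-portal", "app-server", "VULN-A-ssrf"),
    ("app-server", "db-customer", "VULN-B-reused-db-creds"),
    ("app-server", "file-share", "VULN-C-smb-signing-off"),
    ("file-share", "backup-server", "VULN-D-unpatched-backup-agent"),
    ("jump-host", "file-share", "VULN-E-weak-rdp-password"),
    ("jump-host", "app-server", "VULN-E-weak-rdp-password"),
]


def build_graph(edges):
    graph = defaultdict(list)
    for src, dst, vuln in edges:
        graph[src].append((dst, vuln))
    return graph


def discover_paths(graph, entry_points, targets):
    """Discovery: enumerate simple paths from entry points to crown jewels."""
    paths = []

    def dfs(node, visited, hops):
        if node in targets and hops:
            paths.append(list(hops))   # record, then keep going: a jewel may lead to another
        for nxt, vuln in graph.get(node, []):
            if nxt in visited:
                continue
            visited.add(nxt)
            hops.append((node, nxt, vuln))
            dfs(nxt, visited, hops)
            hops.pop()
            visited.discard(nxt)

    for entry in sorted(entry_points):
        dfs(entry, {entry}, [])
    return paths


def prioritize(paths, criticality):
    """Prioritization: score each weakness by the criticality of the jewels its paths reach."""
    score = defaultdict(int)
    for path in paths:
        weight = criticality[path[-1][1]]
        for vuln in {hop[2] for hop in path}:   # count a weakness once per path
            score[vuln] += weight
    return sorted(score.items(), key=lambda kv: (-kv[1], kv[0]))


def validate_fix(edges, vuln, entry_points, targets):
    """Validation: which crown jewels stay reachable if `vuln` were fixed?"""
    remaining = [e for e in edges if e[2] != vuln]
    paths = discover_paths(build_graph(remaining), entry_points, targets)
    return {p[-1][1] for p in paths}


def cut_off_by_fixing(edges, entry_points, targets):
    """Weakness -> set of crown jewels that become unreachable once it is fixed."""
    vulns = sorted({e[2] for e in edges})
    return {v: targets - validate_fix(edges, v, entry_points, targets) for v in vulns}


if __name__ == "__main__":
    paths = discover_paths(build_graph(EDGES), ENTRY_POINTS, CROWN_JEWELS)
    print(f"{len(paths)} attack paths to {sorted(CROWN_JEWELS)}")
    for vuln, score in prioritize(paths, CRITICALITY):
        print(f"  {vuln:32s} path score {score}")
    for vuln, cut in cut_off_by_fixing(EDGES, ENTRY_POINTS, CROWN_JEWELS).items():
        print(f"  fixing {vuln:32s} cuts off {sorted(cut) or 'nothing on its own'}")
```

The two rankings disagree, which is exactly why Hopkins separates prioritization from validation: the weak RDP password on the jump host appears on the most paths and scores highest, yet fixing it alone cuts off nothing because every crown jewel is still reachable through the web portal. The reused database credentials and the unpatched backup agent, each a single choke point in front of one crown jewel, are the fixes that measurably shrink exposure, and that validated result is what the mobilization phase should turn into tickets.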

In conclusion, maximizing the return on investment in cybersecurity requires a strategic approach that combines financial analysis, risk assessment, collaboration, automation, and a proactive mindset. By following these strategies, organizations can enhance their cybersecurity efforts while optimizing costs and resources.
