How Do I Report My Security Program's ROI?

If security leaders focus on visibility and metrics, they can demonstrate their programs' value to company leadership and boards.

Question: How do I report my security program's return on investment (ROI)?

John Ayers, Vice President of Product, Advanced Detection and Response, Optiv: Measuring ROI for any security program really starts by stating early and clearly what the desired outcome is that a company is looking to achieve out of said program. This obviously varies on a program-by-program and company-by-company basis. What a $40 billion financial services organization and a $500 million manufacturing organization view as ROI when it comes to security is certain to vary.

When it comes down to it, however, both of those organizations are looking to reduce and manage their risk. The fundamental goal, despite wildly different budgets and maturity levels, is the same.

How can we do that?

  • By transforming where data lives.
  • By implementing asset (devices or data sources) management.
  • By implementing new frameworks, such as zero trust or managed extended detection and response (MXDR).

But those are costs, right? How does that improve security value? Because we can measure the data, and we can report on it and the associated metrics. If you can feel more comfortable with your security program, great, but if you can't measure it or see results, then how do you know? You have to be able to validate your programs via monitoring and data detection.

Examples of these metrics can come in many forms. From a reactive perspective, we're talking about things such as the total number of security incidents over time by type, mean time to detect (MTTD), mean time to resolve (MTTR), intrusion attempts over time, and number of unidentified devices on network.

From there, we lean into what I call "proactive metrics." These are metrics established to gauge how well training and vulnerability management are performing. Examples include phishing test success rate, security awareness completion rate, average number of days to patch, percentage of fully patched devices on network, and number of security incidents reported by staff.

Too often, we get caught in the "shiny object" issue, where we expect everything new to deliver in the exact way we want it — and this goes for technology products, too. Rarely, if ever, can a technology product alone deliver a holistic ROI.

If security leaders are focused on visibility and reporting on what their teams can discover, they can demonstrate to company leadership and boards that their organizations can quickly detect and respond to potential threats with people, process, and technology and rapidly re-establish business normalcy.