As I have discussed in the past few blog posts (here and here), evaluating internal systems and services is a key component to understanding your organization’s security posture. One methodology is measuring your risk against the CIS Controls to determine the strength and weaknesses of risk treatment. Put simply, once you understand your risks, you’ll have a better idea of what it will take to proactively address them.
Inevitably there will be gaps – not just in your security processes and implementations, but also in the measurement of control effectiveness. These gaps should be identified and managed as action items to improve the overall security posture of your organization. The determining factor for many organizations is where to focus effort. Start by asking, “What will have the greatest effect on reducing risk?”
With any security decision, implementing new solutions and controls will likely require a monetary expense. This is where you’ll benefit from the ability to determine the cost of a potential risk versus the cost of the control. Here’s one way to calculate Return on Investment (ROI) to account for the cost of risk vs the cost of control.
Let’s use phishing attacks as an example. Say your organization expects to get phished 5 times per year, at an estimated cost of $35,000 per successful attack. The cost to train employees to spot and avoid phishing emails is expected to be $25,000. Here’s what the security ROI would look like:
In this example, it makes monetary sense to invest the $25,000 in training to help reduce the risk of a successful phishing attack. Remember that each organization is different, and determining these variables will be based on circumstance and risk tolerance of the organization. As with any application of the CIS Controls, the cost to implement will depend on the estimation of risk reduction and other local factors.
Looking into multiple cybersecurity solutions for the same risk? To compare mitigation strategies, run each one through the risk-reduction ROI formula above and determine which is best at reducing your risk surface. You can also use this formula to determine which risks are the most cost-effective to address and which will help prioritize your defense strategy. Of course, any strategy must also be calibrated against the business’ operational and organizational goals, with respect to the risk of greatest importance or control deemed most crucial for cybersecurity. Nevertheless, this equation will prove useful in helping your organization review the cost of solutions per technical control.