The ROI of Security Assessments

In the business world, Return on Investment (ROI) is used to evaluate an expense and is calculated by dividing the return (benefit) of an investment by the cost of the investment. This means a higher ROI represents a better investment. In a situation where the return and cost are tangible and easily measured, calculating ROI is not difficult. Unfortunately, calculating ROI for a security assessment is not easy because most of the benefits are intangible and are not easily measured.

The ROI of security assessments lies in the overall reduction of risk, which is accomplished by identifying and mitigating vulnerabilities, implementing or improving controls to match threat agents and attack vectors, and reducing the impact of an incident by improving incident response procedures. These benefits are difficult to measure at best, while the cost of a security assessment is glaringly obvious. Combine these two issues, and it is easy to see why companies have trouble justifying the cost of a security assessment.

Vulnerability Identification and Mitigation

A comprehensive security assessment will identify not only network vulnerabilities but also vulnerabilities in policies and procedures. The security assessment will typically confirm the vulnerabilities identified within a risk assessment and, in some cases, may identify new ones. In either case, the security consulting firm performing the assessment should provide strategies for mitigating the identified vulnerabilities. These strategies, if followed, should reduce the number of vulnerabilities, resulting in an overall reduction of risk.

It is important to understand that most vulnerabilities are the result of non-existent or poor policies, procedures, and system administration. When a security assessment is limited to only network vulnerability scanning, it may not result in an overall reduction of risk because it will not identify the vulnerabilities resulting from poor policies, procedures, and system administration.

Improved Understanding of Threats and Attack Vectors

A comprehensive security assessment should also include penetration testing. A well-documented penetration test is an excellent way to gain insight into the current threat agents and attack vectors. In addition, the penetration test can identify new threats not included in the risk assessment. An improved understanding of the threats, threat agents, and attack vectors should improve the controls used to protect against those threats and threat agents, resulting in an overall reduction of risk.

Preparation for Future Incidents

Another benefit of including penetration testing in a comprehensive security assessment is the opportunity to test incident response policies, procedures, and personnel. The results of the security assessment should encourage improvements in incident response procedures that will reduce the time to identify and respond to incidents. Reducing the response time during an incident may also reduce the number of affected systems and the amount of pilfered data. According to research by Symantec and the Ponemon Institute, the average cost of a data breach is 5.5 million dollars. A two percent reduction in the average cost of a data breach will significantly improve the ROI of security assessments.

The primary benefit of a comprehensive security assessment should be the overall reduction of risk. This reduction in risk can only happen when the security assessment:

  • Identifies both network vulnerabilities and vulnerabilities in the policies and procedures of the organization,
  • Is used to improve the controls meant to protect against threats to the organization, and
  • Is used to improve incident response procedures and response times.

A comprehensive security assessment that accomplishes these three things will provide the highest return on investment.
