Calculating the actual return on investment (ROI) of cybersecurity spending is always going to be a little tricky because an organization is essentially trying to assess how much it saved based on an event that didn’t occur. It may be possible to count the number of attacks launched against an organization that have been blocked. However, it’s not possible to determine how lethal or costly any of those attacks might have been if they had successfully compromised the cybersecurity defenses in place.
The one thing that is apparent is that the cost of a cybersecurity breach is rising. A new report from IBM finds the cost of a data breach has risen 12% over the past 5 years and now averages $3.92 million. The report also notes that companies with fewer than 500 employees suffered losses of more than $2.5 million on average. Data breach costs in the U.S. are on average highest at $8.19 million, more than double the worldwide average.
Based on data collected by the Ponemon Institute on behalf of IBM, the report also reveals that 67% of the costs incurred by a data breach are realized within the first year. Another 22% are accrued in the second year, while the remaining 11% is incurred more than two years after a breach.
The survey does note, however, that organizations that have a dedicated incident response team that has been tested are able to consistently minimize the cost of a data breach. Organizations with an incident response team that also extensively tested their incident response plan experienced costs that were on average $1.23 million less than others, so clearly there is a demonstrable ROI that can be attributed to cybersecurity. The challenge cybersecurity teams face is gathering their own set of metrics to prove the case in their specific environment.
The Ponemon research also covers breaches involving more than 1 million records, which collectively cost companies a projected $42 million in losses. Among those organizations, breaches involving 50 million records are projected to cost companies $388 million. The point is that it’s difficult to project true data breach costs when a handful of mega breaches involving a small number of organizations tend to skew the results.
Regardless of the metrics being used, however, it is apparent business leaders want cybersecurity teams to demonstrate some form of return on their investment. Cybersecurity is taking up a larger percentage of the IT budget and as threats become more sophisticated there is a high probability costs may rise as organizations realize they will need to invest in new cybersecurity technologies to combat those threats. There will, of course, be an opportunity to rationalize some cybersecurity investments to help pay for the acquisition of those new tools. However, it may take a while before the benefits of that rationalization manifest themselves, which means cybersecurity teams will need to make the case for additional upfront investments.
Put it all together, and it’s clear existing investments in cybersecurity technologies are making a positive impact. The trouble is that in the face of a data breach involving costs measured in millions of dollars, it’s hard to get business leaders to appreciate how much worse things really could have been.
Mike Vizard has covered IT for more than 25 years and has edited or contributed to a number of tech publications including InfoWorld, eWeek, CRN, Baseline, ComputerWorld, TMCNet, and Digital Review. He currently blogs for IT Business Edge and contributes to CIOinsight, The Channel Insider, Programmableweb, and Slashdot. Mike also blogs about emerging cloud technology for SmarterMSP.