"Organizations are spending an ever-larger portion of their IT budgets on security. But what does it get them?..It is hard to go to the Board of Directors to ask for more investment when you can’t even measure the impact of current investments.”
That was the dilemma that set up a roundtable discussion at the recent MIT Sloan CIO Symposium. Titled “Measuring ROI for Cybersecurity: Is it Real, or a Mirage?”, the talk featured security veterans from Liberty Mutual, Schneider Electric and McKinsey, as well as Christopher Porter, vice president and CISO at Fannie Mae, and a user of the FAIR risk model that powers RiskLens.
Here’s how CSO Online, covered Porter’s answer to the ROI question:
Some of it… involves just doing the math. If a breach results in the compromise of the credit data of a million customers, then even if providing a year’s worth of credit monitoring is only $20 per account, “that’s $20 million,” he said. “Then you figure in things like legal fees, and you can start estimating it.”
Porter said Fannie Mae uses the FAIR (Factor Analysis of Information Risk) Model that, according to the organization’s website, “describes what risk is, how it works and how to quantify it.”
Ransomware is a different equation, he said, but can be calculated by the amount of downtime involved. But that doesn’t make it easy, panelists agreed.
Read CSO Online’s complete coverage of the discussion here: Cybersecurity ROI: Still a tough sell