How to Know Where to Spend Your Security Budget
By Amolak Gosal, Josh Marker, Tim McKnight, Fawn Fitter | 12 min read
You know what you’re spending on cybersecurity. What you likely don’t know? Whether you’re spending that money in the most effective way possible.
CISOs and CIOs have historically struggled to connect the dots between the amount they spend on cybersecurity and the results they get. With no reliable way to quantify cyber risk, they couldn’t prove to business leaders that they were spending the right amounts on the right things.
In fact, they couldn’t even prove it to themselves. All they had to steer their decisions was their experience with past threats, their awareness of current ones, and a gut sense of what might come next. The late information security pioneer Donn B. Parker described the field in 2005 as “an incorrect, incomplete, inconsistent folk art akin to witchcraft and Alchemy from the 14th century.” The international standards and best practices developed in the years since then have been useful – but are still not based on hard numbers.
As a result, companies confronted urgent questions that they couldn’t answer with precision: Which digital risks would cause the most expensive, frequent, or harmful losses? How much, and on what, should they spend to control those losses? And which risks might cost more to mitigate than the damage they could potentially inflict?
Half a century into the digital era, though, that’s finally changed. Through a combination of regulatory mandates for data breach reporting, insurance underwriting, and painful experience, we’ve accumulated enough data about cyber risk that leaders can now calculate meaningful answers to those questions.
“Because there are more and more losses, we have more and more data about threats and controls to draw on to build accurate risk models,” says Jack Jones, developer of a widely adopted methodology for quantifying cybersecurity risks and chief risk scientist at software company RiskLens. “The specifics of threats may change, but the generalities don’t.”
The models aren’t perfect or precise enough to predict exactly what’s going to happen and how to prevent it – that isn’t a realistic goal – but they provide the common language and framework necessary to evaluate spending, says Richard Seiersen, coauthor of How to Measure Anything in Cybersecurity Risk, one of the leading books in the burgeoning field of cyber risk management.
“You can calculate your likelihood of exceeding your upper limit of loss in a given timeframe, and decide how much are you willing to spend, on what, to lower that likelihood,” he explains.
“You can also decide that it’s too expensive to mitigate that risk or transfer it to your insurer, and just accept it – that is, worry – but at least you’re making an informed choice.”
Whether you’re new to the entire notion of cyber risk as something that can be quantified, or actively working on rationalizing your budget, you no longer have to trust instinct and luck to get the most value from your security spending. By using emerging tools and methodologies to filter what you already know about risk through a cybersecurity lens, you can coordinate your risk exposure with business goals and prioritize your spending accordingly.
Cybersecurity is risk management
Everyone has some understanding of risk and risk management. Estimating the likelihood and severity of any common negative event, such as a fire or a car crash, helps us make smart choices about mitigating the damage that event could cause, such as by installing sprinklers or requiring all new cars to have seatbelts and airbags.
Business leaders have an even more acute sense of risk. As Seiersen says, “C-level executives eat more risk in the morning than most of us do in a lifetime. They’re constantly trying to determine the likelihood of an event that might lead to loss, how big that loss might be, and what that loss might mean to the business, in order to understand what the possible future might be and how to reduce that risk or transfer it to insurance.”
But until recently, digital risk hasn’t been included in the broader conversation about enterprise risk management. Leaders have recognized that the financial, reputational, and operational consequences of a cyber attack are so potentially devastating that the question isn’t whether to invest in security, but how. They understand that the answer must include both technology, like firewalls and virus scanning software, and process-oriented solutions such as training employees to understand and avoid threats, choosing business partners based on their own security practices, and insuring against common risks. But they’ve typically handled those risks with qualitative red-yellow-green dashboards and cybersecurity standards, guidelines, and best practices from organizations like the International Organization for Standardization (ISO) and the National Institute of Standards and Technology (NIST), none of which tells companies how to optimize their security spending.
It’s been argued that the rate of technological change and the in-the-weeds nature of IT security make it a special case, resistant to risk management by non-experts. However, executives and directors have learned to manage other types of risk without immersing themselves in the details. So it seems clear that the true barrier has been the lack of trustworthy numbers. Now we have those.
Different cybersecurity failures lead to different types of losses. Data breaches incur regulatory penalties. Fraud results in stolen funds. Ransomware cuts into revenues by interrupting business operations. All of these events can also generate hefty legal fees. Even though computer networks haven’t existed as long as flames or freeways, they have been around long enough that modeling various cyber risks can reveal which are most likely to affect the business, what the effect will be if and when they occur, and what to do about it. With access to this objective data, leaders can decide which threats are most urgent to their specific organizations at any given time, what is being done to manage them, how well those efforts are working, how they can be improved – and how much risk the business is willing and able to tolerate.
As with other types of risks, Seiersen says, companies need to determine the maximum amount they’re willing or able to lose in each potential risk scenario. A risk manager who applies rigorous analysis through statistics and probability can determine how likely the company is to experience different types of security events and whether the costs of any of them would be too high to endure. Armed with that information, the company’s leaders can then make more informed budgetary choices.
A quantitative model for risk in action
To guide analysis and help leaders agree on whether something is high, medium, or low risk, companies need a shared framework to discuss the scope of what’s being measured, the model being used to derive value, and the data used for comparison. Without that shared understanding, companies can spend a lot of time and money heading in the wrong direction.
Jones mentions one company that thought its most significant security risk was phishing, and that anti-phishing training for employees was the most important thing it could do. However, analytics revealed that other vulnerabilities posed a greater danger to its operations, which allowed it to re-focus its resources on mitigation measures that delivered a higher return on investment.
The methodology the company used to guide its digital risk management was FAIR (Factor Analysis of Information Risk), which Jones began to develop in 2001, when he was the CISO of Nationwide Insurance, a Fortune 100 company. Since then, he has published a standard, created a certification, founded RiskLens to create software to facilitate FAIR analysis, and coauthored a book about measuring and managing information risk. He also helped launch the non-profit FAIR Institute, which promotes standards and practices for information risk management and has held an annual conference since 2016.
FAIR presents data security in financial terms, giving stakeholders and leaders a common language to communicate what they mean by “high risk” and what additional safeguards, controls, and countermeasures to prioritize. That makes it easier to explore different scenarios and facilitate discussion to arrive at a consensus about what the most critical risks actually are.
This requires well-defined language, measurement techniques, and analytical methods. Instead of generalities, cyber risk quantification should make it possible to describe potential loss events in detail, breaking them down to specifics about the assets at risk, the threat to the assets, and the effect on the business if the threat is realized.
For example, one loss scenario might explain “theft of intellectual property” as “a disgruntled former employee takes advantage of weak passwords to breach proprietary product data, which helps another company launch a competing product line.” The organization could then calculate the value of the product data, how much market share it might stand to lose, and the cost of various improvements to network access controls, which would inform its decisions about where and how much to invest.
FAIR is not the only methodology quantifying this type of risk. Indeed, analyst firm Forrester notes that while it is the most common approach, the market for cyber risk quantification is still nascent and evolving, with new vendors applying different methods and data sources. Jones acknowledges this, saying, “At the end of the day, what FAIR tries to do is describe how risk works, so any methodology that tries to describe the same problem will be similar.”
Creating a center of expertise for quantifying cyber risk
The need to make more informed choices about IT security spending is what drove SAP’s internal security team in April 2020 to create a dedicated center of expertise for implementing FAIR. Staffed by two full-time and two half-time experts in cybersecurity risk management, the center teaches leaders across all of SAP’s lines of business how to use an external software tool that translates cybersecurity risks into financial terms, and lets them rank risks by which are most likely to happen in the next year, what their effects could be, and how well different expenditures could mitigate them.
These risk management experts are not responsible for making security funding and control decisions. They serve in an advisory role: guiding line-of-business leaders through identifying and quantifying various risks, showing them how to compare different solutions, and helping them become confident using the software tool. As business executives learn to model various combinations of risks and responses, they can tackle questions like “Which represents more risk to our operations – Web application security or data leakage?” or “Will we get more value from training employees to recognize phishing attempts or investing in more intensive network monitoring?”
This metrics-oriented approach delivers the greater objectivity and clarity that business leaders crave. In addition to helping executives connect specific security controls with measurable positive outcomes, the center of excellence shares concrete examples of how other organizations are doing the same. One example that SAP’s cyber risk managers have shared is of another company that realized a breach of sensitive customer data could cost it $6 million in regulatory fines, legal fees, and lost business. After exploring the potential results of various options for protecting that data, that company chose to spend $1 million on encrypting its data storage – not the least expensive option, but the one that would deliver the greatest cost efficiency, because analysis showed that it would both reduce the risk of a breach and lower the potential penalties to less than $250,000.
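A worked version of the comparison above, added here as an example and not code from the article, RiskLens, or SAP: it computes the FAIR top-level product (loss event frequency times loss magnitude) for the loss scenario in the previous section and the "likelihood of exceeding your upper limit of loss" that Seiersen describes, then compares accepting the risk with buying the encryption control. The $6 million, $1 million and $250,000 figures come from the article; the event frequencies, the $5 million tolerance, and treating the $1 million as a one-year cost are assumptions made for illustration.

```python
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One FAIR-style loss scenario: how often a loss event occurs and what each costs."""
    name: str
    events_per_year: float      # loss event frequency, modelled as a Poisson rate
    loss_per_event: float       # loss magnitude per event, in USD
    control_cost: float = 0.0   # spend required to be in this scenario, in USD


def poisson_pmf(k: int, rate: float) -> float:
    return math.exp(-rate) * rate ** k / math.factorial(k)


def expected_annual_loss(s: Scenario) -> float:
    """Annualized loss exposure = frequency x magnitude (the FAIR top-level product)."""
    return s.events_per_year * s.loss_per_event


def prob_loss_exceeds(s: Scenario, tolerance: float) -> float:
    """Probability that total loss in one year exceeds the tolerance.
    With a fixed loss per event, the year stays within tolerance only while the
    number of events N satisfies N * loss_per_event <= tolerance."""
    n_max = int(tolerance // s.loss_per_event)
    p_within = sum(poisson_pmf(k, s.events_per_year) for k in range(n_max + 1))
    return max(0.0, 1.0 - p_within)


def net_benefit(baseline: Scenario, option: Scenario) -> float:
    """Loss exposure removed by the option, minus what the option costs.
    Positive means the control buys down more risk than it costs."""
    return (expected_annual_loss(baseline) - expected_annual_loss(option)) - option.control_cost


# Constructed sample scenarios. Dollar figures follow the article's example;
# the event frequencies are assumed for illustration only.
BASELINE = Scenario("accept risk, no new control", events_per_year=0.3,
                    loss_per_event=6_000_000)
ENCRYPTED = Scenario("encrypt data storage", events_per_year=0.15,
                     loss_per_event=250_000, control_cost=1_000_000)

if __name__ == "__main__":
    tolerance = 5_000_000  # assumed maximum loss the business will absorb in a year
    for s in (BASELINE, ENCRYPTED):
        print(f"{s.name}: ALE ${expected_annual_loss(s):,.0f}, "
              f"P(loss > ${tolerance:,}) = {prob_loss_exceeds(s, tolerance):.1%}")
    print(f"net benefit of encrypting: ${net_benefit(BASELINE, ENCRYPTED):,.0f}")
```

Swapping in a loss-magnitude distribution instead of a fixed per-event loss turns `prob_loss_exceeds` into the loss exceedance curve that FAIR tooling reports, but the decision logic stays the same.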
Terminology matters: Security leaders draw a careful line between this type of risk reduction or loss avoidance and “return on investment” (ROI) per se. The goal of cyber risk quantification is not to calculate an exact ROI for every security investment. The goal is to make more informed investment choices.
What comes next
For all its benefits, FAIR isn’t a magic wand for solving security challenges. For one thing, despite its status as the most mature and established framework for quantifying risk, it’s currently used by only 5% of Fortune 500 companies. To become a true standard, it needs to be adopted more broadly, both by business and by regulatory bodies. Until then, there’s always the possibility that another methodology will emerge to help companies identify the most cost-effective ways to manage data security.
“We’ve been quantifying risk for decades,” Seiersen says. “It’s a very mature practice, especially in insurance. So it’s not about using a specific approach or set of tools. It’s about hiring, training, and using people who know how to model risk effectively so you can express your tolerance of cyber risks in specific numbers, and make ongoing adjustments to your spending to keep within that tolerance.”
Companies also need deeper and more timely visibility into how specific security controls interact with each other to affect risk. In 2021, the FAIR Institute introduced the FAIR Controls Analytics Model (FAIR-CAM) to describe in detail how different security controls can affect the frequency and magnitude of loss events, but the model is still being developed, and it does not yet allow companies to track their risk exposure and mitigation options dynamically.
Finally, quantifying digital risk requires active participation from security professionals, line-of-business managers, marketing, business partners, and other stakeholders. To encourage them to participate, companies need greater automation of data collection and analysis. This will remove the biggest burden of applying risk management to data security and make it faster and easier to show the benefits.
Nonetheless, there’s still a powerful business case for quantitative cyber risk management in its current state. “Nobody knows better than the CISO what the company’s risk posture is,” Seiersen says. “So quantifying cyber risk allows the CISO to think about how best to buy down their risk exposure relative to business goals – which lets them show that security is a strategic asset rather than a drain on revenues.”