Calculating Security ROI, or “Halloween’s Over, So Why is my Vendor Trying to Scare Me?”

Certain technology categories lend themselves well to ROI analysis. Want to replace your old storage array with a new flash array, or your old backup technology with something new? It’s probably not too difficult to work out the payback numbers. Security, on the other hand, has been more resistant to clear ROI analysis. Vendors either give out scary per-company breach averages from Ponemon, or build some other detection-based cost-benefit number. Over time, CISOs and their brethren in Procurement have learned to discount these numbers.

UEBA is interesting because, while most buyers look at it from a breach detection lens, there is also a significant and clear operations angle to behavioral analytics for security. In practice, we’ve found that operations, in the form of incident response, is not something that many security engineering professionals have experienced. Where security engineering professionals focus on detection, algorithms, and architecture, incident response pros spend their time managing alerts, incidents, and investigations. It’s here that operational efficiency comes into play, and here that ROI can be more easily calculated.

For example, security operations centers handle some number of alerts per month, usually in the thousands. Some percentage get handled, the rest are ignored. Some of the ignored alerts had meaning and should have received attention. Each handled alert takes some amount of time, on average. Some number of alerts spawn incidents and each incident takes some other amount of time, on average. There are more details, but in general, incident response operations are more easily modeled and quantified than trying to estimate ROI using security scare stories. Determining payback will help support your hiring and technology plans.