According to the Ponemon Institute almost 90% of healthcare firms experienced a data breach in 2016.
With a growing number of breaches and a rise in the complexity of cyber campaigns, it is no wonder that organizations are feeling pressure to address the problem. Across the globe, teams are being asked one simple question "what is the ROI of your security solution?" Perhaps you yourself have been asked that questions. Or maybe you are asking your team about ROI. As reasonable as the question may sound, ROI is almost entirely the wrong measure to use.
What's Wrong with ROI?
When you think about ROI, one of the key letters is "R", for "Return". In order for me to invest in protection (I), there should be some predictable payback of greater than R. In an ROI model, if there isn't a positive return, then I shouldn't make the investment. Security investments have no such predictable return. If the wheel of attacker fortune doesn't stop on your organization, then your investment has zero return and is all cost. If, instead, you are the unfortunate victim selected, IBM says it will cost you, on average, about $4M. So what is the predictable Return?
This was the reason why ROI doesn't work for me, after so many years working in security. The kind of investments that can be prioritized by financial return are ordinarily discretionary, are optional. The kind of investing that will safeguard firms are not. It is like asking what the ROI is for brakes on your car, or for speed limit signs on the road. It doesn't mean that we don't prioritize, but the returns need to be measured in terms of risks reduced, not capital returned.
Compliance as a Partial Lever
In some areas of security we are beginning to see this happen. When the healthcare industry recognized that patient data was at risk, you saw the rise of more prescriptive recommendations. There are examples in HIPAA and HITECH, which provide some definite precautions that organizations must take to make them more secure. No one asks, "What is the ROI of protecting patient data?", or "What is the ROI of complying with Federal mandates?", because they are not optional. They are necessary, and the "Return" is solvency and viability as a firm.
Unfortunately, much of security still remains a discipline that is shrouded in complexity, fear-mongering and unsubstantiated claims. There is no common consensus on the requirements, resulting in the constant rehashing of the symptoms of lax security strategy. These morph into the priorities, resulting in investments focused on eliminating symptoms, instead of being spent on understanding the goals, required controls, and the most effective ways to implement, deploy, and manage them.
Defining the Investment Persuasively
In my conversations with customers, it is clear that most, if not all, healthcare organizations are burdened with some meaningful type of insecurity under some new threat. Consider the following questions to map those threats to new investment as a way to improve on that old ROI dialogue:
1. How does a proposed solution mitigate the source of our vulnerability, or does it seek to identify and control a threat?
2. Have I already taken appropriate actions to fix the problem without investment, including less technical moves like moving data, removing connectivity, and limiting access?
3. As I engage with vendors, have I communicated a prioritized list of the functions that I need, including deployment capability, flexibility, and support costs?
4. When I make the selection, am I investing only in the protection necessary to keep my organization safe?
5. When I envision the organization post-purchase, what has changed in my feelings about its security?
At the end of the day, ROI is the wrong measure to use when justifying security investments of people or products. This is because it is very rare for security to drive profits, and because it is so common for bad security to reduce profits. As a result, any security investment should be limited to that which must be done to remain secure, and should be reassessed frequently to ensure that it is still sufficient. More spending than that on security or security technologies will be wasted, never showing the kind of return that product, process, or promotional investments will. This prescriptive approach will create the most effective and balanced mix of investment and security, and will enable evolution and advancement over time.
About Jack Danahy
Jack Danahy is the co-founder and CTO of runtime malware defense pioneer Barkly, and a 25-year innovator in computer, network, and data security. He was the founder and CEO of two successful security companies: Qiave Technologies (acquired by Watchguard Technologies in 2000) and Ounce Labs (acquired by IBM in 2009). Jack is a frequent writer and speaker on security and security issues, and has received multiple patents in a variety of security technologies. Prior to founding Barkly, Jack was the Director of Advanced Security for IBM, and led the delivery of security services for IBM in North America.
The views, opinions and positions expressed within these guest posts are those of the author alone and do not represent those of Becker's Hospital Review/Becker's Healthcare. The accuracy, completeness and validity of any statements made within this article are not guaranteed. We accept no liability for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with them.