Cyber Risk Advisory

Valuing IR Preparedness: Identifying and Communicating ROI

February 15, 2019

In the information security community, a proactive approach to incident response is always considered best practice. Reacting in the moment can drain resources, and the full impact of an incident may often take weeks or even months to remediate. Despite this, making a case to management for the value of a proactive approach can be difficult. Buying a new tool or service provides quantifiable efficiency returns, but how do you present your case when the return on investment (ROI) for incident response isn’t as measurable?

The simple answer is to look to your past. Retroactively analyzing past incidents can provide insight into the total cost of incident remediation. Through analysis, this information can be used to arrive at an ROI for investment in incident response today. Being able to evaluate incident response costs requires an organization to advance from a compliance or audit focus to one focused on long-term sustainment and continual improvement. SANS found that 32% of 452 respondents to a 2018 Incident Response Survey said they weren’t even sure how many incidents they had responded to in the past year. If you’re not capturing incident response metrics or haven’t even identified what those metrics should be, it’s difficult to calculate the value of investment and convince management that incident response preparedness is a priority. What metrics should an organization be capturing to measure incident response effectiveness?

The metrics to focus on are dwell time (the length of time between initial compromise and detection of an incident in the environment), time to contain, and time to remediate. The shorter the dwell time, the less time an attacker has to explore the environment uninhibited. By limiting containment time, an organization substantially increases the speed at which it can recover from the incident. Time to contain and time to remediate are inherently correlated: the less time it takes to isolate the attacker, the quicker the organization can recover systems and ultimately processes. Time to remediate is critical; in the same incident response survey, SANS found that 43.6% of respondents reported that they suffered a breach from the same threat actor more than once. Reducing the time to remediate allows an organization to fortify its defenses and limit the potential for a threat actor to return to the crime scene and exploit the same or similar vulnerabilities.

When it comes to converting those metrics into dollars and cents, consider factors such as lost employee utilization, the cost to repair systems, downtime, brand/reputational damage, and lost sales. An analysis of the costs associated with past incidents allows you to begin quantifying the benefit of incident response preparedness. If last year your company suffered a DDoS attack that took 300 man-hours to remediate at $100 an hour, the incident cost your organization, excluding other factors, $30k. If you’re considering a tabletop test that costs $20k and the value of the test is a reduction of 50 man-hours spent coordinating incident response, you spent $20k to reap an efficiency gain of $5k. At first, this may not seem like a valuable investment; however, this is the efficiency gain for just one incident in one year. By multiplying that efficiency gain by the average number of incidents your organization experiences on an annual basis, you arrive at a significant ROI. SANS found that the vast majority, 44%, of respondents to the 2018 incident response survey said they experienced more than 25 incidents in that year. These efficiency gains are also not limited to a single incident or even a single time frame; tasks such as training and testing provide long-term gains that further close the gap between cost and value. Additionally, when you start considering costs beyond just lost employee utilization, the picture becomes clear: proactive investment in incident response reaps sustainable and long-lasting returns on investment.
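The calculation described above, as an added example that is not part of the original article: it derives the three timing metrics from past incident records and then annualizes the tabletop figures from the text. The record fields, the function names and the sample incidents are constructed for illustration, and it assumes time to contain runs from detection to containment and time to remediate from containment to remediation.

```python
import math
from datetime import datetime
from statistics import median

# Constructed sample records (not real data): one timestamp per phase and the
# responder hours logged against each incident.
INCIDENTS = [
    {"id": "IR-001", "compromised": "2018-03-01T02:00", "detected": "2018-03-11T02:00",
     "contained": "2018-03-12T14:00", "remediated": "2018-03-20T14:00", "hours": 300},
    {"id": "IR-002", "compromised": "2018-06-05T09:00", "detected": "2018-06-07T09:00",
     "contained": "2018-06-07T21:00", "remediated": "2018-06-10T21:00", "hours": 120},
    {"id": "IR-003", "compromised": "2018-10-20T00:00", "detected": "2018-11-19T00:00",
     "contained": "2018-11-21T00:00", "remediated": "2018-12-05T00:00", "hours": 480},
]

def _hours(start, end):
    """Elapsed hours between two ISO timestamps; reject out-of-order phases."""
    delta = datetime.fromisoformat(end) - datetime.fromisoformat(start)
    if delta.total_seconds() < 0:
        raise ValueError(f"{end} precedes {start}")
    return delta.total_seconds() / 3600

def phase_metrics(incidents):
    """Median dwell, containment and remediation time, in hours."""
    return {
        "dwell": median(_hours(i["compromised"], i["detected"]) for i in incidents),
        "contain": median(_hours(i["detected"], i["contained"]) for i in incidents),
        "remediate": median(_hours(i["contained"], i["remediated"]) for i in incidents),
    }

def labor_cost(incidents, rate):
    """Responder labor cost only; downtime, repair and lost sales are excluded."""
    return sum(i["hours"] for i in incidents) * rate

def preparedness_roi(investment, hours_saved_per_incident, rate, incidents_per_year):
    """Annual saving, ROI ratio and break-even incident count for one investment."""
    saving_per_incident = hours_saved_per_incident * rate
    annual_saving = saving_per_incident * incidents_per_year
    return {
        "annual_saving": annual_saving,
        "roi": (annual_saving - investment) / investment,
        "break_even_incidents": math.ceil(investment / saving_per_incident),
    }

if __name__ == "__main__":
    print(phase_metrics(INCIDENTS))
    print(preparedness_roi(20_000, 50, 100, 25))  # tabletop figures from the text
```

With the article's figures, the $20k tabletop pays for itself at the fourth incident of the year; the ROI is negative for a single incident and positive at 25.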

At Coalfire, we specialize in incident response coordination and preparedness. Regardless of the complexity or maturity of your organization, Coalfire is here to help your organization establish an organized and consistent approach to incident response. From tabletop testing to full incident response program development, Coalfire’s cybersecurity experts are fully prepared to elevate your organization’s security profile.