Designing and implementing security controls is often seen as a cost overhead, and justifying the cost and effort of particular controls to management can be challenging. This is where estimating the return on investment of a vulnerability management program helps. The estimate is inevitably somewhat subjective and rests on both qualitative and quantitative analysis.
While the return-on-investment calculation can get complicated depending on the complexity of the environment, let's get started with a simple formula and example:
Return-on-investment (ROI) = (Gain from Investment – Cost of Investment) * 100 / Cost of Investment
For a simplified understanding, let's assume an organization has 10 systems that need to be under the purview of the vulnerability management program. All 10 systems contain sensitive business data, and if they are attacked the organization could suffer a loss of $75,000 along with reputational damage. The organization can design, implement, and monitor a vulnerability management program using resources worth $25,000. So the ROI would be as follows:
Return-on-investment (ROI) = (75,000 – 25,000) * 100 / 25,000 = 200%
In this case, the ROI of implementing the vulnerability management program is 200%, which is a strong justification to present to senior management for approval.
The preceding example was simplified to illustrate the ROI concept. In practice, organizations have to consider many more factors when calculating the ROI of a vulnerability management program, including:
- What would be the scope of the program?
- How many resources (head-count) would be required to design, implement, and monitor the program?
- Are any commercial tools required to be procured as part of this program?
- Are any external resources required (contract resources) during any of the phases of the program?
- Would it be feasible and cost-effective to completely outsource the program to a trusted third-party vendor?
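As an added example (not from the original text), the following Python model applies the ROI formula above to a cost breakdown along the factors just listed and compares an in-house programme with an outsourced one; the cost categories, the in-house split of the $25,000, and the outsourced vendor fee are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict


@dataclass
class ProgramCost:
    """Cost components of a vulnerability management program.
    Categories are constructed to mirror the factors above: staff, tools,
    contractors, and a fee if the program is outsourced to a vendor."""
    headcount: float = 0.0     # internal staff to design, implement and monitor
    tools: float = 0.0         # commercial tools procured for the program
    contractors: float = 0.0   # external resources used in any phase
    outsourcing: float = 0.0   # third-party vendor fee, if fully outsourced

    def total(self) -> float:
        return self.headcount + self.tools + self.contractors + self.outsourcing


def roi_percent(gain: float, cost: float) -> float:
    """ROI = (gain - cost) * 100 / cost, the formula given in the text.
    A zero or negative cost makes the ratio meaningless, so reject it."""
    if cost <= 0:
        raise ValueError("cost of investment must be positive")
    return (gain - cost) * 100.0 / cost


def compare_options(expected_loss: float,
                    options: Dict[str, ProgramCost]) -> Dict[str, float]:
    """ROI of each candidate way of running the program, keyed by option name.
    The 'gain' is the loss avoided if the covered systems were attacked."""
    return {name: roi_percent(expected_loss, cost.total())
            for name, cost in options.items()}


def best_option(expected_loss: float, options: Dict[str, ProgramCost]) -> str:
    """Name of the option with the highest ROI."""
    rois = compare_options(expected_loss, options)
    return max(rois, key=rois.get)


# Constructed sample: the text's $75,000 loss and $25,000 in-house cost,
# split across categories, plus a hypothetical $30,000 outsourced option.
SAMPLE_LOSS = 75_000.0
SAMPLE_OPTIONS = {
    "in-house": ProgramCost(headcount=18_000, tools=5_000, contractors=2_000),
    "outsourced": ProgramCost(outsourcing=30_000),
}

if __name__ == "__main__":
    for name, roi in compare_options(SAMPLE_LOSS, SAMPLE_OPTIONS).items():
        print(f"{name}: ROI = {roi:.0f}%")
    print("best option:", best_option(SAMPLE_LOSS, SAMPLE_OPTIONS))
```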