In a previous life, I worked for a company that provided both web performance and web security software. When the inevitable question “What kind of ROI does your software provide?” arose, I was always a bit jealous of my colleagues on the performance side of the house. If our customer was a media company or an e-commerce company, tying an increase in web performance to an increase in revenue was relatively easy: sites that load faster typically create more sales. Over the course of a month, even a 0.01-second decrease in “load time” can mean millions or even tens of millions in extra revenue. Revenue is top line and is typically what an investor considers to be the “Return” in the “Return on Investment” equation.
The value of security software is typically in risk mitigation or prevention of a loss, as opposed to an increase in revenue. Can the loss be quantified? Yes — but the calculations are not quite as straightforward as they are for performance software. In my present life I work in IoT/OT security, and that kind of software typically saves a company money or prevents a loss in four different ways:
- Cost of a major safety or environmental incident. If a chemical plant explodes and causes environmental damage, the cleanup costs, legal liability costs, and brand impact can be measured in hundreds of millions of dollars or more. The BP oil spill is the worst-case example of this, having cost the firm more than $60B.
- Prevention of downtime. Whether we’re talking about a website or a manufacturing plant, downtime causes measurable and quantifiable loss. For example, if a manufacturing plant typically creates goods worth $1 million a day and the plant goes down for a day, the lost production alone is $1 million, before recovery costs, overtime, and missed-delivery penalties are counted. And as NotPetya and LockerGoga showed, that downtime leads to quarterly financial losses that affect everyone, from plant personnel to management teams and shareholders.
- Theft of trade secrets. Pharmaceutical firms spend years developing new drugs. Oil & gas firms can spend hundreds of millions finding new sources of oil or developing proprietary refining processes. Losing this kind of sensitive corporate intellectual property to nation-states or competitors, for example through a breach of OT systems such as data historians, can also be measured in millions of dollars.
- Avoidance of regulatory fines. If a vertical is heavily regulated, a lack of adequate security controls can lead to fines. These fines don’t typically make headlines, but industries such as energy utilities (NERC CIP for North American bulk electric system operators, for instance), pharmaceuticals, oil & gas, and nuclear are heavily regulated and thus are painfully aware of what types of security controls they need in order to avoid regulatory fines.
There are other benefits to consider. Particularly in the case of IoT/OT security, the visibility that simple security controls provide into the network also leads to quicker identification and resolution of operational inefficiencies caused by misconfigured or malfunctioning equipment. Once those inefficiencies are fixed, the firm ends up making more money, sometimes by producing more at the same or lower cost.
IoT/OT security software might not provide ROI in the traditional sense, but it can certainly help you mitigate risk and avoid a loss. For a real-world example, see CyberX’s case study on how it helped a $5B US manufacturing company avoid millions of dollars in losses.