How to target your risk treatment plans for maximum benefit in business terms. 

By Michael Smilanich

We recently helped a new client understand the Return on Security Investment (ROSI) for their cybersecurity tools to inform their budget prioritization and planning. It’s a short story that shows the unique power of the SAFE platform for cybersecurity decision support based on solid, defensible risk analysis in business terms. 

We start by equipping our clients with the ability to Know – Understand – Communicate their risk. 

The result is that a client can confidently (and repeatably) report on cyber risk across the organization. 

We are not done here though. The question then becomes “What should we do about it?”

We answer this with targeted risk treatment plans that model the impact of the decisions a client is considering. In other words: if the client invests in a new tool and raises control maturity in a given area, or remediates a specific batch of high-priority findings, risk falls by X (as a percentage or in dollars) at a cost of Y across the relevant risk scenarios, which is exactly what a return-on-investment calculation needs. (Read more below on how we use the FAIR-CAM standard to assess control maturity and findings.)

Example: Findings-Based Risk Treatment Plan

In this client’s case, their specific question was “How much value are we getting out of our top security tools?”

Example: ROI on Security Tooling Executive Summary

To answer this question, we worked with them to understand the scope and modules of the solutions purchased from the vendor and mapped these to the individual controls and the attack surface whose maturity is being supported. 

For example, an Endpoint Detection and Response (EDR) solution supports the effective operation of your EDR, Incident Response, and SIEM controls (and possibly others depending on the modules you have purchased from the vendor).

Next, we made calibrated estimates of how much of their current control maturity the solution accounts for, i.e., what maturity would remain in each mapped control if the solution were removed.

Finally, we ran a risk treatment plan to calculate the impact of the solution (i.e., without your current EDR solution, by how much would your risk increase?). This delta, together with the annual cost of the solution or remediation effort, gives the Return on Security Investment (ROSI).

Example: Control-Based Risk Treatment Plan – a $435K EDR solution is reducing risk on an annual basis by $1M, thus the solution has a 330% Return on Security Investment (ROSI) 

More on FAIR-CAM and Control Maturity

SAFE’s platform automates FAIR risk analysis and the FAIR Controls Analytics Model (FAIR-CAM). The model provides a standardized definition and approach to controls. 

When we onboard a client, we can upload a compliance-based questionnaire (e.g., NIST-CSF), which maps findings from the assessment to FAIR-CAM and baselines the control maturity levels. 

The model also assesses the effectiveness of any control on three parameters – capability, coverage, and reliability – which together measure the maturity of the control:

Capability: how mature are the tools/processes in place (design efficacy)

Coverage: to what extent is the control implemented across the attack surface

Reliability: how often the control is in a variant state, i.e., not operating as designed (operational efficacy)

Maturity ratings on the SAFE One platform 
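The treatment-plan procedure above (map the tool to controls, estimate the maturity it accounts for, compute the risk delta with and without it, divide by cost) and the three FAIR-CAM parameters can be put into one small model. The block below is an added example and is not SAFE platform code: it assumes that capability, coverage and reliability combine multiplicatively into a single effectiveness figure, that this figure scales down each scenario's uncontrolled susceptibility, and it uses constructed scenarios and dollar figures rather than any client's data. Note that with the figures in the caption above ($435K annual cost against $1M annual risk reduction) the common (benefit minus cost) / cost formula comes out to roughly 130%, so check which ROSI formula a report uses before comparing figures across tools or vendors.

```python
"""Worked risk-treatment-plan arithmetic: control maturity -> FAIR loss -> ROSI.

Added example, not SAFE platform code. Two modelling choices are assumptions,
not something the page states: (1) capability, coverage and reliability are
combined multiplicatively into one effectiveness figure, and (2) that figure
scales down the uncontrolled susceptibility of each scenario. All frequencies
and dollar figures below are constructed for illustration.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class ControlMaturity:
    """FAIR-CAM maturity parameters, each expressed as a fraction in [0, 1]."""
    capability: float   # design efficacy of the tools/processes
    coverage: float     # share of the attack surface the control is deployed on
    reliability: float  # share of the time the control is NOT in a variant state

    def __post_init__(self) -> None:
        for name in ("capability", "coverage", "reliability"):
            value = getattr(self, name)
            if not 0.0 <= value <= 1.0:
                raise ValueError(f"{name} must be in [0, 1], got {value}")

    def effectiveness(self) -> float:
        # Assumption: the parameters compound. A well-designed control deployed
        # on half the estate and broken a third of the time only earns credit
        # for the overlap.
        return self.capability * self.coverage * self.reliability


@dataclass(frozen=True)
class RiskScenario:
    """One FAIR scenario: how often it is attempted, how often it would succeed
    with the control absent, and what a successful event costs."""
    name: str
    threat_event_frequency: float       # TEF, attempts per year
    uncontrolled_susceptibility: float  # P(success) with the control absent
    loss_magnitude: float               # expected loss per loss event, USD

    def annualized_loss(self, control: ControlMaturity) -> float:
        # FAIR: ALE = LEF x LM, with LEF = TEF x vulnerability.
        vulnerability = self.uncontrolled_susceptibility * (1.0 - control.effectiveness())
        return self.threat_event_frequency * vulnerability * self.loss_magnitude


def portfolio_ale(scenarios, control: ControlMaturity) -> float:
    """Annualized loss expectancy summed over every scenario the control touches."""
    return sum(s.annualized_loss(control) for s in scenarios)


def rosi(annual_risk_reduction: float, annual_cost: float) -> float:
    """ROSI = (risk reduction - cost) / cost. 0.0 means the spend exactly pays
    for itself; a negative value means the control costs more than it saves."""
    if annual_cost <= 0:
        raise ValueError("annual_cost must be positive")
    return (annual_risk_reduction - annual_cost) / annual_cost


def treatment_plan(scenarios, baseline: ControlMaturity, treated: ControlMaturity,
                   annual_cost: float) -> dict:
    """Compare ALE under two maturity states and price the difference."""
    ale_baseline = portfolio_ale(scenarios, baseline)
    ale_treated = portfolio_ale(scenarios, treated)
    reduction = ale_baseline - ale_treated
    return {
        "ale_baseline": ale_baseline,
        "ale_treated": ale_treated,
        "annual_risk_reduction": reduction,
        "annual_cost": annual_cost,
        "rosi": rosi(reduction, annual_cost),
    }


# Constructed scenarios (not client data) whose likelihood an EDR control influences.
SCENARIOS = (
    RiskScenario("ransomware via phishing", threat_event_frequency=10,
                 uncontrolled_susceptibility=0.4, loss_magnitude=350_000),
    RiskScenario("credential theft leading to data exfiltration", threat_event_frequency=6,
                 uncontrolled_susceptibility=0.25, loss_magnitude=400_000),
)


def edr_tool_plan() -> dict:
    """Control-based plan: 'without your current EDR solution, by how much would
    risk increase?' The 'without' state is the calibrated estimate of the
    maturity that would remain once the tool's contribution is removed."""
    with_tool = ControlMaturity(capability=0.8, coverage=1.0, reliability=0.875)
    without_tool = ControlMaturity(capability=0.4, coverage=1.0, reliability=0.5)
    return treatment_plan(SCENARIOS, baseline=without_tool, treated=with_tool,
                          annual_cost=435_000)


def findings_remediation_plan() -> dict:
    """Findings-based plan: closing a batch of high-priority findings restores
    reliability (the parameter that findings feed) from 0.6 to 0.9."""
    current = ControlMaturity(capability=0.8, coverage=1.0, reliability=0.6)
    remediated = replace(current, reliability=0.9)
    return treatment_plan(SCENARIOS, baseline=current, treated=remediated,
                          annual_cost=120_000)


if __name__ == "__main__":
    for label, plan in (("EDR tool", edr_tool_plan()),
                        ("findings batch", findings_remediation_plan())):
        print(f"{label}: reduces ALE by ${plan['annual_risk_reduction']:,.0f}/yr "
              f"at ${plan['annual_cost']:,.0f}/yr -> ROSI {plan['rosi']:.0%}")
```

The two plan functions are the two kinds of treatment plan the page describes: the control-based one models the counterfactual of removing a tool, the findings-based one models raising reliability by remediating findings. The uncertainty in the calibrated estimates is what a real analysis should carry through (ranges and simulation rather than the point values used here).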

In SAFE One, security findings (vulnerabilities, misconfigurations, etc.) are detected through integrations with your security tooling stack and feed the reliability parameter of the controls they map to. The maturity of those controls in turn drives the likelihood and loss magnitude of the affected risk scenarios.

Findings – SAFE One Platform

Looking to understand ROI of your security investments? Let us give you a demo and answer your questions about the SAFE risk management platform.