Security incidents have increased dramatically in recent years. According to Enterprise Management Associates, 92 percent of businesses face at least 500 alerts every day. Investigating every one of them requires enough analysts to work through that queue daily, and without adequate staffing an incident the team cannot get to in time can do serious damage. Given the current shortage of qualified cybersecurity professionals, however, few organizations can recruit and retain a staff large enough for the volume they face, so companies are turning to security automation to bolster their defenses. The difficulty is showing that the money spent on security planning and automation is producing an acceptable return. Fortunately, measuring the effectiveness and ROI of security technology comes down to a few basic factors.
1- Incidents Detected
How many incidents, events and alerts does the team receive and queue each day? Can it investigate all of them in a timely manner? The longer an incident waits for investigation, the greater the risk of a serious financial impact.
2- Staffing Level
There is a high demand for skilled cybersecurity analysts and a limited pool of candidates, especially those with the training and experience to detect attempted or successful intrusions. The talent gap is expected to get worse before it gets better; the global shortfall is projected at 1.5 million by 2019. Due to the shortage, skilled analysts command high salaries. An organization needs to evaluate what its talent gap is and the budget needed to close it. Even if an organization can afford to hire enough analysts to cover every incident, it may not be able to find qualified candidates or retain them for very long.
3- Duplicate Alerts
A single incident usually generates alerts from more than one tool, and the same tool may fire repeatedly on the same activity, so a large share of the queue describes events that are already being handled. Telling those duplicates apart from new activity is hard, and a team that does it by hand or with obsolete systems is spending time and resources for little or no return. Measuring the number of duplicates shows how much analyst time goes to an activity that can hardly be classified as productive.
4- False Positives
An alert that looks like a genuine detection can generate panic and raise stress levels until investigation proves it false. False positives may seem little more than an inconvenience, but consider dealing with several of them every day, knowing that tuning can reduce them but never remove them from the reports entirely. Like duplicates, false positives cost analysts time that could be spent on real incidents.
Start with the total number of incidents your organization must address each day and the average time it takes to investigate one; together they give the number of analysts required to keep up (remember to cover every shift and every day of the week, not just business hours). Multiply that headcount by the average salary for the role, add a percentage for health benefits and overhead (office space, equipment, etc.), and include an amount for recruiting and replacing staff. You now have the cost of an internal security team operating without security automation.
Next, calculate the percentage of all alerts that are duplicates and false positives, and multiply it by your total cost to estimate how much is being spent on those activities. This assumes analyst time is spread roughly evenly across alerts; if duplicates are dismissed much faster than real cases, weight them accordingly. Either way, you will probably discover that you are spending a substantial amount of money without receiving any tangible benefit.
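The calculation above, carried through end to end as an added example (this is illustrative code written for this page, not Demisto's tooling or anything it sells). The alert sample is constructed, the salary, overhead, turnover, recruiting and minutes-per-alert figures are placeholder assumptions, and the duplicate key (rule plus host) is an assumption that a real pipeline would widen with user, process hash and a time window.

```python
import math

# Constructed sample of one day's alerts for illustration; not real data.
# "disposition" is what the analyst concluded after investigating.
SAMPLE_ALERTS = [
    {"source": "edr",  "rule": "lsass-credential-read", "host": "ws-041",  "disposition": "true_positive"},
    {"source": "siem", "rule": "lsass-credential-read", "host": "ws-041",  "disposition": "true_positive"},   # SIEM re-alerted the same event
    {"source": "edr",  "rule": "lsass-credential-read", "host": "ws-041",  "disposition": "true_positive"},   # EDR fired again
    {"source": "ids",  "rule": "tor-exit-node-contact", "host": "srv-07",  "disposition": "false_positive"},
    {"source": "ids",  "rule": "tor-exit-node-contact", "host": "srv-07",  "disposition": "false_positive"},  # repeat of the above
    {"source": "siem", "rule": "brute-force-ssh",       "host": "bastion", "disposition": "false_positive"},
    {"source": "edr",  "rule": "suspicious-powershell", "host": "ws-113",  "disposition": "true_positive"},
    {"source": "av",   "rule": "eicar-test-file",       "host": "ws-200",  "disposition": "false_positive"},
]


def alert_key(alert):
    """Fields that identify 'the same thing' regardless of which tool reported it.
    Assumption: rule + host is enough for this sample."""
    return (alert["rule"], alert["host"])


def triage_breakdown(alerts):
    """Return (total, duplicates, false_positives, actionable).

    The first alert seen for a key is the real one; every later alert with the
    same key is a duplicate. False positives are counted once per unique key so
    that an FP's repeats are not counted twice.
    """
    first_seen = {}
    duplicates = 0
    for alert in alerts:
        key = alert_key(alert)
        if key in first_seen:
            duplicates += 1
        else:
            first_seen[key] = alert
    false_positives = sum(1 for a in first_seen.values() if a["disposition"] == "false_positive")
    actionable = len(first_seen) - false_positives
    return len(alerts), duplicates, false_positives, actionable


def analysts_required(alerts_per_day, minutes_per_alert, productive_minutes_per_shift=360,
                      days_covered_per_week=7, shifts_per_analyst_week=5):
    """Headcount needed to clear the daily queue with round-the-clock coverage.

    Analyst-shifts per day = total triage minutes / productive minutes per shift;
    the 7/5 factor covers weekends with analysts who each work five shifts.
    """
    analyst_shifts_per_day = alerts_per_day * minutes_per_alert / productive_minutes_per_shift
    return math.ceil(analyst_shifts_per_day * days_covered_per_week / shifts_per_analyst_week)


def annual_team_cost(headcount, base_salary, benefits_and_overhead_rate=0.30,
                     recruiting_cost_per_hire=15_000, annual_turnover_rate=0.20):
    """Loaded salaries plus the recruiting spend implied by annual turnover.
    Rates and per-hire cost are placeholder assumptions."""
    loaded_salaries = headcount * base_salary * (1 + benefits_and_overhead_rate)
    recruiting = headcount * annual_turnover_rate * recruiting_cost_per_hire
    return loaded_salaries + recruiting


def annual_waste(total_cost, total_alerts, duplicates, false_positives):
    """(wasted fraction, wasted dollars): the share of team cost spent on alerts
    that produced no security value. Assumes analyst time is roughly proportional
    to alert count; weight duplicates down if they are closed faster."""
    wasted_fraction = (duplicates + false_positives) / total_alerts
    return wasted_fraction, total_cost * wasted_fraction


if __name__ == "__main__":
    total, dups, fps, actionable = triage_breakdown(SAMPLE_ALERTS)
    heads = analysts_required(alerts_per_day=500, minutes_per_alert=12)
    cost = annual_team_cost(heads, base_salary=100_000)
    fraction, waste = annual_waste(cost, total, dups, fps)
    print(f"{total} alerts -> {dups} duplicates, {fps} false positives, {actionable} actionable")
    print(f"{heads} analysts for 24x7 coverage, loaded annual cost ${cost:,.0f}")
    print(f"{fraction:.0%} of alerts add no value, roughly ${waste:,.0f} per year")
```

Run it as a script to see the worked numbers; the functions are separate so you can swap in your own alert export, handling time and salary data. The point of `triage_breakdown` is that the duplicate and false-positive percentage the article asks for cannot be read off a dashboard until alerts have been normalised to a common key, which is exactly the work an automation platform is meant to take off the analysts.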
Once you know what you are spending, it is easy to make a strong case for security automation. In many cases the money being wasted more than offsets the cost of a robust platform that keeps your organization more secure and lets your staff accomplish more in less time.
Learn More About Proving ROI on Security Automation
At Demisto, we literally wrote the book on security automation ROI. You can download our e-book for case studies describing ROI realized by real customers through automation and collaboration.
Demisto is an industry leader in the field of incident response and security automation. Demisto Enterprise was recently named by Network World as one of the top five "must-have" security products. From automated playbooks to integrated threat intelligence, we offer the tools you need to use your resources more efficiently.