SIEM and Return on Investment: Four Pillars for Success

EventTracker July Newsletter

by Jim Romeo

Return on investment (ROI) — it is the Achilles heel of IT management. Nobody minds spending money that avoids costs, prevents disasters, and ultimately yields more than the initial outlay. But is the investment justified?

It is challenging to calculate the ROI for any IT investment, and security information and event management (SIEM) tools are no exception.

We recently explored some basic precepts, or “pillars,” of the ROI of SIEM tools and technology. These pillars provide sensible groundwork for the difficult endeavor of justifying SIEM tools and technology whose benefits are largely intangible.

Pillar 1: Think Risk: Before and After

Before and after — meaning life without SIEM tools and, subsequently, life with them. SIEM tools help eliminate risk, and in most cases risk has a quantifiable cost. While it’s difficult to say how much was saved by avoiding a major intrusion, examining the effect by comparing conditions before and after is a good start.

In an ROI analysis, develop a statement such as “before we invested in SIEM practices, tools, or technique X, we were greatly at risk. After we deployed XX, our risk was greatly reduced, if not eliminated.”

Then prove and substantiate the statement. The “after” statement can be characterized with quantitative data, such as the number of intrusions or exposed access points that were eliminated. The more you can quantify, the better. If you can’t quantify, estimate as best you can, but be consistent and realistic.

Pillar 2: Think Cost Avoidance versus “Return”

In other words, don’t expect revenues or a gain from the investment. Rather, the return is the intrusions and costly security disasters that SIEM prevented. Cost avoidance is your return.

When the security firm RSA published a whitepaper on this very topic (SIEM and ROI), it focused on this dimension of ROI: it’s more about cost avoidance than it is about “return.” Cost avoidance is at the heart of the value that SIEM provides.

RSA wrote, “Most experts — who for years argued for or against a ‘return on security investment (ROSI)’ — agree that the value an SIEM solution brings is primarily in the realm of cost avoidance, not ‘return’ as it’s defined in the purest economic sense. So whether you’re looking for an ROI, ROSI, total cost of ownership (TCO), or a breakeven point, the goal is demonstrable value.”

The value of a SIEM solution must be viewed differently. It’s better seen in the cost it avoided rather than the direct dividend or revenue it yielded. As the whitepaper stated: “it’s not a cotton candy machine.”

Pillar 3: Focus on a Variable That Can Be Measured: Time

If you don’t focus on quantifiable variables in your ROI analysis, you’ll be loaded up with assumptions. And assumptions carry little weight in business justification exercises.

Instead of assuming, use time as a key variable that SIEM improves in several ways. Explore how much time is saved. For example, if you are in a market or industry characterized by heavy compliance and auditing, consider the preparation that such compliance requires. SIEM tools save preparation time. Time saved can be redirected to other security needs that are already competing for attention in the daily schedule of today’s busy security manager.

In addition to time saved, there’s also an improvement in reaction time. When the sky is falling, an organization’s ability to trace, find, and secure swiftly is critical. Good tools enable that, and improvements in reaction time can be measured.

Add time saved and reaction time improved, and you’re using a quantifiable variable as a measure of value and ultimately ROI.

Pillar 4: Consider the Cost of a Solution Without Early Discovery

Disaster recovery has many costs, both tangible and intangible. Liken a security intrusion or major breach to a medical problem: the earlier you discover it, the more options you can implement and the greater the chances that you can mitigate the risk. SIEM tools help discover noncompliance and detect intrusions earlier. This allows more courses of action and presents them sooner — often before an incident occurs or begins to spiral.

Without early discovery, damage may ensue. But how much does it cost?

Cost estimates of security breaches may be found in news reports. For example, the following cost estimates of data breaches were found with a simple media search:

“Maricopa Community College data breach cost $20 million, including $2.3 million in lawyer fees.”

“The Target breach cost $17 million in third-quarter expenses.” Later reports said Target recognized $60 million in fourth-quarter costs, and another editorial estimated $1 billion in costs when all was said and done.

Yet another is a headline that read: “Navy Intranet Breach Cost $10 Million.”

And the list goes on, the point being that citing news media reports is a quick and somewhat reliable means of presenting the costs associated with remediation and recovery. It strengthens the case for SIEM tool purchases and helps put some urgency into cost avoidance — and it is based on someone else’s hardships after an intrusion, not yours. But it paints a picture of what the price of disaster and a large-scale breach could look like.

Determining the ROI of SIEM is not hard when it is approached in a logical way with known information built on a foundation of cost avoidance, time saved, and improved reaction time.

The ROI of SIEM is best explained in the trouble it avoids and the disaster it prevents.