Ensuring your organisation’s Return on Security Investment (ROSI)
Today’s security strategies must specify how they deliver a Return on Security Investment (ROSI) – identifying their benefits and ensuring the continuous improvement of security.
British businesses are facing myriad challenges stemming from a combination of geopolitical tensions and socio-economic issues. From the ripple effects of conflicts in Ukraine and the Middle East to ongoing protests by different groups in London and other major cities across the UK, it looks likely that disruption will continue, making it important to develop and adopt robust security policies.
The most robust strategies, from both a human and technology resource perspective, will be developed by reference to applying cost-benefit analyses. Measuring return on security investment (ROSI) allows businesses to identify gains, enhance user experience for clients and consumers, and ensure the continuous improvement of their security models.
The fundamentals of the ROSI approach
So, how can you measure a return on security investment?
The first step of ROSI is to define the metrics and KPIs used to gauge the effectiveness of a security posture. Businesses of all shapes and sizes must then focus on monitoring incident detection and whether the number of incidents is falling. This requires continuous measurement, both before and after changes to security measures are implemented. A reduction in incidents indicates not only an improvement in the detection of breaches, but also that proactive preventative measures and procedures are delivering results and thereby adding value to the business.
Let’s take a company in the construction sector that has suffered from equipment theft as an example. It is vital to monitor intrusion and theft patterns before new security measures are put in place, and to use this data in a comparative analysis with the period after the new system has bedded in. At that point, it is possible to determine whether the policy and improvement programme have been effective.
The concept sounds simple, but there are a few pitfalls which organisations need to be aware of when adopting an ROSI approach. Chiefly, these stem from the absence of a proper security policy and strategy. If improvements and enhancements to security regimes are not pre-planned in line with professional security recommendations, you are far more likely to leave gaps and weak points in the system that such measures fail to cover. What’s more, it will become very difficult to properly identify the value of any action being put in place.
This makes it all the more crucial to define key security objectives, and to apply a regular methodology of conducting professional security reviews – this helps to identify gaps in the system, and where remedial measures will be most effective and deliver ROSI.
A culture of good practice
Periodic reviews of risks, threats and vulnerabilities are essential. This means implementing a programme of regular penetration tests, consistent incident reporting and ongoing staff awareness training, all with the aim of ensuring that security teams and employees are kept up to date with the risks, threats and vulnerabilities that can impact the business.
Regularly evaluating the quality of your security procedures will ensure that they become adopted and adhered to as a matter of routine. One effective method of evaluation is to use ‘mystery shoppers’ who can pose as visitors to ask staff routine questions and thereby test whether security officers and staff are following appropriate risk prevention procedures. The outcomes of these exercises will help define the level of additional training and/or changes to procedures that may be required.
For SMEs that may lack the resources to conduct regular internal audits, external professional security auditors serve as an excellent resource. These specialists can develop bespoke measurable targets for security teams and, paired with a responsible in-house person who is up to speed on current legislation and the new technologies available, can form the basis for an effective security partnership. This internal responsible person, depending on the stretch of resources within your security team, could be a dedicated security manager or an appropriately qualified facilities manager.
Security as a strategic investment
Whatever strategy is employed, businesses must treat security as a strategic investment and demonstrate to both internal and external parties that security policies and measures are delivering value – as an enabler, not an inhibitor of successful business practice. This outcome can be achieved through regular meetings among risk management teams, as well as obtaining feedback from staff, contractors and other stakeholders through surveys and regular two-way communications.
Beyond ROSI, a robust security culture offers businesses significant benefits when managed diligently and in line with a company’s security policy and strategy. It is a crucial part of reputation and standing with customers and prospective customers, as any failure to uphold key security objectives will put businesses at risk of losing out on commercial opportunities and growth. Increasingly, companies will only exchange electronic data or other information with business partners that can demonstrate and evidence equal and audited standards of converged and effective cyber and physical security measures.
A strong security posture feeds into broader organisational resilience. Any business or organisation, whether in the public or private sector, that has robust security programmes and a strong security culture in place is more likely to emerge stronger from periods of difficulty and go on to survive and prosper.
Mike Bluestone CSyP
Executive Director, Corps Consult