Return on Investment of a SIEM

They say if you can’t measure it, don’t do it. I like to quantify investments: how much money was spent, and what is the return on it? A SIEM (Security Information and Event Management) solution is a significant investment for any company, so it must produce a similarly significant return, right? The value of a SIEM solution lies in the costs it avoids rather than in any direct dividend or revenue it yields. I will show you how to calculate these costs.

What is your reputation worth?

If you don’t worry about your company’s reputation, please save yourself some time and don’t read any further!

Here is a metric to estimate your company’s reputational worth: calculate the loss in revenue should your largest client leave your company. Let’s assume that this will happen only once in every five years, so divide this figure by 5 to give you an annual reputational risk cost.

The resulting revenue loss alone is probably enough to justify the cost of a SIEM. Acquiring new customers will also cost you more, as the opposition continuously points out how incompetent you are.

What is your Intellectual Property worth?

Intellectual property encompasses client information, client contracts, supplier contracts, business plans, product designs, staff information, processes and software. Intellectual property has value to criminals, opposition companies, government agencies, the tabloid press and disgruntled staff. If hackers or personnel steal sensitive documents, how much would you pay for them to be returned? Use this figure to estimate your company’s intellectual property worth. Let’s also assume this is a 1-in-5-years event, so divide this cost by 5.

Forensic Investigations

Your data has been taken and shared on the internet. Your stakeholders (clients, shareholders, regulators) require you to perform a forensic investigation to determine how this happened and whether there is still ongoing unauthorised access.

The cost of a forensic investigation is significant, and it increases when log files are not centrally and securely stored. If the breach is detected more than a month after the occurrence, a forensic investigation will not be able to pinpoint how it occurred, meaning the money you have to spend could yield few results. A forensic investigation for a company of 400 people would cost between £200 000 and £500 000. Assume this happens only once in 5 years, so divide this cost by 5.

The forensic capability that comes with a SIEM will reduce the insider threat, as staff will be aware that they are being watched and are less likely to sell the company’s intellectual property.

Threat Response

Often a company’s cyber security consists of basics such as a firewall and endpoint protection, with a strong focus on the outside defences. This is known as a Garden Wall Approach. When hackers have breached this design (which is easier than you wish to believe), you will not be able to see or track the attack, giving the attackers free rein and as much time as they like. Without a SIEM you should assume hackers will steal all your sensitive documents, as there is nothing watching them and alerting your business to their presence so that you can stop them.

Now assume your company has a SIEM in place when the external defences are breached. A “well configured SIEM” should be able to detect attacker activity as well as the stage the attack has reached, which in turn will help you to defend yourself against the attack. Attacks detected in this way will negate a large proportion of the forensic cost and potential regulatory fines.

Fines and class action

If by now you are still not convinced about the cost-saving merits of a SIEM, then consider the fines that the regulator will impose on your organisation and the rising trend in class action suits in the United Kingdom. Clients know they can sue you for damages, and it is one of the first questions asked when you inform a client that you have lost their data: “How much are you going to compensate me?”

We have cyber insurance

Cyber insurance will reduce some of these costs. However, it is unlikely to adequately compensate you for reputational damages and the full value of your intellectual property loss. National Bank of Blacksburg in Virginia claimed losses of $2.4 million; their insurer, Everest National Insurance Co., has offered to pay them $50 000.

https://defencelogic.io/security-monitoring.html