Maximizing Cloud and Cybersecurity Expenditure Effectiveness Through Infrastructure as Code (IaC) and the Return on Security (ROSI) Metric
Cybersecurity leaders need to both justify their spend to the C-Suite and need to maximize its impact. ROSI in combination with IaC can do both.

One of the greatest issues faced by cybersecurity professionals is justifying their cybersecurity spend. Unlike a traditional technical project, where one can forecast the value through commonly accepted financial methods such as Net Present Value (NPV) or Return on Investment (ROI), cybersecurity is generally concerned with preserving value as opposed to generating new value. Basically, companies spend on cybersecurity for protection rather than for generating additional business or adding efficiencies to current processes. This is not the case if the primary product of the company is cybersecurity, of course, but most companies are not based around a cybersecurity product they have developed. As a result, it is difficult for cybersecurity professionals to effectively justify their spend to their managers or the CFO. Even worse, many cybersecurity professionals are unable to allocate resources as effectively as they could. One way to bridge this gap between finance and cybersecurity is by implementing metrics-based management, and one of the most prominent metrics is Return on Security Investment (ROSI). ROSI is a topic unto itself, but at a high level it allows one to calculate a financial return on security spend. This is a good metric for cybersecurity architects and CISOs to use to make the most of their finite budgets while maximizing their cybersecurity.

ROSI is calculated as follows: ((Annual Loss Expectancy * Mitigation Ratio) – Cost of Solution) / Cost of Solution. The parameters "Annual Loss Expectancy" and "Mitigation Ratio" vary wildly across organizations and are usually, at best, educated guesses. What is definite, however, is the "Cost of Solution" parameter, which does not vary. When I architect cybersecurity solutions for cost effectiveness I like to focus on this parameter of the equation because it is definite and usually the most accurate part of the equation. One of the most effective ways to reduce the variation in the Annual Loss Expectancy and Mitigation Ratio inputs is to use Infrastructure as Code concepts to standardize code and infrastructure deployment. If one uses IaC best practices in conjunction with on-demand provisioning (which is what the Cloud offers), one can reduce the variation in the Annual Loss Expectancy and Mitigation Ratio calculations while at the same time optimizing the Cost of Solution parameter: a security solution need not be provisioned until it is necessary, and once it is deployed it stays consistent with the rest of the technical architecture. This means more effective cybersecurity for less money! This topic can get incredibly detailed and I plan on writing more articles in the future about this, as well as perhaps sharing some cloud and cybersecurity architecture best practices around it. I must go for now, but feel free to connect with me if you share an interest in this space or would like to talk more about it!
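A worked calculation of the formula above, added here as an illustration and not taken from the article: it evaluates ROSI for a constructed set of figures (ALE, mitigation ratio and solution cost are made-up sample values, not real data), shows how the spread in the two "educated guess" inputs propagates into a spread in ROSI while the cost stays fixed, and shows how a lower on-demand cost for the same control raises ROSI. The break-even helper is an assumption derived from the formula (ROSI is zero when cost equals ALE × mitigation ratio); the article does not state it.

```python
"""ROSI = ((ALE * mitigation_ratio) - cost) / cost, with a simple sensitivity check.

All dollar figures and ratios below are constructed sample values for illustration.
"""
from dataclasses import dataclass


def rosi(annual_loss_expectancy: float, mitigation_ratio: float, cost_of_solution: float) -> float:
    """Return on Security Investment as defined in the article.

    annual_loss_expectancy: expected yearly loss from the risk being mitigated (currency units)
    mitigation_ratio:       fraction of that loss the control is expected to prevent, 0..1
    cost_of_solution:       yearly cost of the control (currency units), must be positive
    """
    if cost_of_solution <= 0:
        raise ValueError("cost of solution must be positive")
    if not 0.0 <= mitigation_ratio <= 1.0:
        raise ValueError("mitigation ratio must be between 0 and 1")
    return ((annual_loss_expectancy * mitigation_ratio) - cost_of_solution) / cost_of_solution


def breakeven_cost(annual_loss_expectancy: float, mitigation_ratio: float) -> float:
    """Cost at which ROSI is exactly zero (assumption: follows from setting the formula to 0)."""
    return annual_loss_expectancy * mitigation_ratio


@dataclass(frozen=True)
class RosiRange:
    """Worst- and best-case ROSI for a fixed cost when ALE and mitigation ratio are uncertain."""
    worst: float
    best: float

    @property
    def spread(self) -> float:
        return self.best - self.worst


def rosi_range(ale_low: float, ale_high: float,
               mr_low: float, mr_high: float,
               cost_of_solution: float) -> RosiRange:
    """ROSI is monotone increasing in both ALE and mitigation ratio, so the
    corner cases (low, low) and (high, high) bound the outcome for a fixed cost."""
    return RosiRange(
        worst=rosi(ale_low, mr_low, cost_of_solution),
        best=rosi(ale_high, mr_high, cost_of_solution),
    )


if __name__ == "__main__":
    # Constructed sample: $500k expected annual loss, control stops 60%, costs $100k/year.
    print(f"point estimate ROSI: {rosi(500_000, 0.6, 100_000):.2f}")          # 2.00

    # The two guessed inputs are given as ranges; the cost is the one fixed number.
    rng = rosi_range(200_000, 800_000, 0.4, 0.8, 100_000)
    print(f"ROSI range: {rng.worst:.2f} .. {rng.best:.2f} (spread {rng.spread:.2f})")

    # Same control, but provisioned on demand (IaC + cloud) at a constructed lower yearly cost.
    print(f"on-demand ROSI: {rosi(500_000, 0.6, 40_000):.2f}")                # 6.50
    print(f"break-even cost: {breakeven_cost(500_000, 0.6):,.0f}")           # 300,000
```

The point the numbers make is the one the article makes in prose: with the same guessed ALE and mitigation ratio, the only lever the architect fully controls is the cost term, and shrinking it (for example by not running the control until it is needed) moves ROSI more reliably than sharpening the guesses does.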

---

About Steve

Hello! I am a cloud architect and cybersecurity engineer with both hands-on engineering and management experience in application development, cybersecurity engineering, cloud architecture, devops, and information technology. In addition to my engineering experience I recently served as the Information Security Officer and Head of Cybersecurity for a private equity backed company that developed its own banking software, processed 9 billion USD annually, and held the financial and medical information of 30 million consumers. In this capacity I used my engineering skills as the company cybersecurity subject matter expert daily along with my managerial duties of running the Information Security Department (SOC 1, SOC 2, PCI, HIPAA compliance, budgets, vendors, cybersecurity engineers and analysts). Working with a great team we successfully defended the company against all internal and external threats for three years which led to a successful company acquisition.

I combine technical engineering expertise and communication skills with strategy to optimize organizational effectiveness and am a practitioner of data-based decision making and analysis for maximum positive organizational impact and competitiveness. My professional interests include working on challenging and innovative engineering projects and solving technical issues in the areas of cybersecurity, cloud architecture, application development, and devops.

I enjoy connecting with new people as well as sharing technical expertise and experience with both engineers and non-engineers alike, so feel free to connect with me on LinkedIn and send a message!
