Calculate Your ROI for Compliance-Driven Data Protection

Jeremy Wittkop, CTO


Can you measure the value of the data protection you’re using for regulatory compliance? It’s a question that comes up frequently in organizations today.

It’s understood that data security is not optional. In the 21st century, the discipline of data security has matured rapidly in response to increasingly sophisticated threats. In practice however, data security effectiveness varies widely. Some organizations protect data very well; some poorly; and others not at all. As a result of this mix of uneven and ineffective security programs, we’ve witnessed massive damage to the global economy, personal privacy and freedom, and the reputations of many company brands.

The associated costs are staggering, and regulatory agencies are continually broadening and strengthening data protection requirements in an effort to slow the progress of cybercrime. Organizations today weigh the costs of their investments against the potentially greater costs of data loss.

Every company has personal and sensitive data for some set of people. Protecting that sensitive data has become a cost of doing business, and regulations like GDPR have purposely made non-compliance penalties costly enough to ensure it makes business sense to invest in at least the minimum level of data protection.

However, data protection can be more than just a compliance line item. Your company may have to purchase tools and implement systems for compliance purposes, but nothing says those tools can be used only for that purpose. You can, and should, leverage data security investments to their maximum potential and protect not just regulated data, but all your critical data.

For many organizations, the first step to building that value is to calculate the basic return on investment (ROI) of their compliance-driven data protection program. Let’s take a look at the steps in that calculation.


Regulatory Compliance Is the Primary Driver for Many Data Protection Programs

For many years, data protection regulation has been handled on a per-industry basis through widely recognized industry-specific mandates such as the Payment Card Industry Data Security Standard (PCIDSS) and the Health Insurance Portability and Accountability Act (HIPAA) regulations. Increasingly around the world, universal rights are being granted to individuals (data subjects), resulting in new requirements imposed on those who control and process that data. The European Union’s General Data Privacy Regulation (GDPR) has garnered a lot of attention—and its guiding principles have sparked a regulatory trend across international, regional, and local levels that shows no signs of slowing.


Can You Prove the ROI of Data Protection?

If you’re tasked with justifying the investment you’re making in data security, there is good news. Even in the absence of a broader data protection program, you can measure the ROI for your compliance-driven data security solutions by using a fairly simple formula. The process does require some estimation, and you will need to conduct research to tailor the estimates to your business and situation, but you will not need perfect information.

There’s even better news: Data security is generally such a good investment, that even some directionally accurate measurements should be enough to justify the cost of the technology and program you choose. Additionally, a well-executed program will provide information that will allow you to retroactively improve your assumptions and even track and improve your ROI over time!


Calculating the ROI of data protection requires three essential steps:

  1. Do the research. Make good estimates of the number and types of records you have the potential to lose.
  2. Decide how to operate your program. One of the largest controllable costs in a data protection program is the level of effort associated with event triage. Failure to expend the necessary effort may result in increased regulatory exposure, so it’s important to get this part right. You essentially have two options: Find and retain the in-house staff to build great policies and tune them or find a service provider who will take over the burden of both policy creation and triage.
  3. Measure and adapt your program over time.


Step 1: Building the Business Case for Data Protection

The first step in building a business case is to determine the risk exposure for the organization. This essentially boils down to calculating a value known as the Annual Loss Expectancy. This is calculated by identifying:

  • the total costs associated with the loss of a single record
  • how many records would be lost each year if no protections are in place

Multiply the two and you will have your Annual Loss Expectancy.

Next, estimate your potential reduction in risk exposure based on the implementation of a control. That will give you the benefit side of your equation. You can then compare that with your total cost of ownership for the solution and you have built a cost/benefit analysis. ROI is simply an expression of your cost/benefit analysis equation and becomes relatively straightforward.

What is your cost per record? Although the fines for GDPR non-compliance have attracted much attention, they are a sliding scale and open to a significant amount of discretion on the part of a supervisory authority. This can make calculating the cost per record based on GDPR fines quite difficult. However, research exists that quantifies the cost of a data breach on a per record basis, often broken down by region or industry. This can be very helpful. I often use the number calculated in Ponemon’s Cost of a Data Breach study. For 2019, the assigned cost of a record is $150.00 Given that it is the most comprehensive research available, this is generally non-controversial.

How many records would be lost if nothing was done? This number—called the exposure rate— can be found using a variety of methods and will be different for every organization. One effective method is to look at existing error rates research and apply those error rates to data-related metrics like email volume. While this won’t give an exact number tailored to your organization, it will provide a generally provide a more accurate estimate than a method that attempts to produce an exact value.

Another method that I recommend to clients is using group estimation after calibration. In book How to Measure Anything, information research expert Douglas Hubbard provides detailed instructions for calibrating people to make good estimations. The output of that exercise will be an upper boundary/limit and a lower boundary, which will help you determine a good estimate of potential exposure with a certain confidence level. In most cases, ROI calculation is favorable even when you look at just the lower boundary (the most conservative estimate), so providing a range is generally acceptable. If in your situations the lower boundary is unacceptable but the upper boundary is acceptable, you may want to try a different approach, but those instances are rare exceptions in my experience.

Do the math. Once you have multiplied cost of record x number of records, you have a number that represents your potential loss. Compare that with the total cost of ownership of the data protection program you use. We’ll evaluate program strategy in Step 2, which will help you get an understanding of the costs of your program for this comparison.


Step 2: Define a Data Protection Program Strategy

Most organizations choose between two options for creating a data security program.

Build the program yourself. Hire the necessary resources, train those resources, and try to retain them. While this strategy is appealing to many organizations, it is difficult and costly to execute for a variety of reasons:

  • It is difficult to find cybersecurity talent at all, but data security talent is a niche skill set inside of a desperately small talent pool. Recruiting is difficult and expensive.
  • The average tenure of a data protection expert is shorter than the average amount of time it takes to fill an open position, which means each position is open more often than it is filled. This results in major risk exposure.
  • It is difficult to find appropriate training for data protection resources beyond basic administrator training. Because the skill set is so rare, it is also difficult to provide mentors for less-experienced individuals.
  • For many of the skill sets required to run a data protection program well, you likely will not need a full-time resource. However, since the skill set is specialized, it is difficult to leverage a fractional resource in other areas of the business.
  • Accounting for time off, training requirements, and redundancy often requires organizations to choose between over-staffing or having time periods where their data is unprotected. Neither is ideal.

Choose a managed data protection services provider. For many organizations, this choice is preferable. However, many have tried and failed in this strategy because they have chosen the wrong provider.

Data protection is a niche skill set; just as you can’t easily hire a network engineer or firewall expert to run your in-house data protection program, you are similarly unlikely to find success leveraging your generalist managed security services provider (MSSP) to provide focused data protection. The wrong provider may provide only partial or piecemeal services—for example, they manage only your server infrastructure, or they handle the server infrastructure and do policy work on demand.

The managed data protection provider you choose should address four major areas to ensure a successful program:

  • Application management
  • Scope and policy governance
  • Event triage and incident management
  • Reporting and analytics

InteliSecure is one of only a few specialized providers that offer this comprehensive managed data protection approach.


Step 3: Ongoing Measurement: Look Beyond Compliance

Once you have built and deployed your program, it’s time to measure it. Best practices state that systems be run in monitor-only mode for a defined time period to tune and normalize policies and assess business impact prior to enforcement.

This monitoring period gives you the perfect opportunity to validate or challenge your assumptions with respect to the number of records that are being exposed. Feel free to refine your calculations based on actual data. In most cases, the actual number of potential exposures turns out to be significantly higher than the initial estimate, but it can be the other way around.

After initial monitoring, you will have an opportunity to take action. The percentage of records subject to some enforcement can allow you to challenge your assumptions about how much the applied control has reduced risk exposure.

Remember that we are talking total number of records, not total number of events. Some organizations deploy controls to only the largest transactions. For example, they may take action on 5% of events in order to minimize the impact to the business—but those actions end up reducing risk at a record level by 80% or more. Ultimately, there is a fair amount of control at the program level to determine how much risk is reduced. Measure your program, update your calculations, and adjust as necessary.

Measuring ROI Can Expand Your View of What’s Possible

An ROI estimate can be a tremendous decision-making tool. Once you have completed these steps, if your preferred program strategy does not yield a favorable ROI, it might be worthwhile to run the calculation again leveraging a different approach to Step 2. While many organizations would prefer to run their programs in house, that approach is rarely more cost effective than working with a managed data protection services provider, largely because of the variety of skill sets required and the economies of scale that service providers have.

You can and should measure ROI for your data protection program. If you’re working with a data protection strategy that is solely compliance-focused, your calculation may be fairly easy. But calculating ROI is possible even for programs that protect other critical data assets, including your highly valuable intellectual property.

Regardless of your ultimate aims for your program, build your business case, challenge your assumptions, refine your models, and make good decisions. More data and better tools are available now than ever before to help you quantify the value of your data security investment!

Need Help Calculating YOUR Data Protection ROI?

InteliSecure works with clients across industries to calculate the value of their data protection programs—and design cost-efficient, effective data protection strategies that meet their specific needs. Let us help you find the data protection solution you need. Contact us for a no-risk security assessment.