ROAI: Why Cost Isn’t The Only Deciding Factor for Cybersecurity Compliance

Solutions Review’s Expert Insights Series is a collection of contributed articles written by industry experts in enterprise software categories. Doug Barbin of Schellman breaks down ROAI and why cost shouldn’t be the only deciding factor when meeting cybersecurity compliance.

The cybersecurity industry continues to face new and evolving challenges. With the ongoing adoption of data privacy regulations (e.g., General Data Protection Regulation (GDPR) as well as sector-specific compliance requirements like the Payment Card Industry Data Security Standard (PCI DSS) and the new US Department of Defense Cybersecurity Maturity Model Certification (CMMC), expanding security threats and additional digital footprint complexities, securing and protecting operations and business data has quickly become a top priority for businesses worldwide. With that, companies are under even more pressure to show their customers and business partners that they meet the security and compliance requirements required to do business. To make matters more complicated for compliance and security professionals, recent layoffs, heightened inflation rates, and concerns of recession have put many companies in a position where they must do more with fewer resources– impacting their compliance departments.

Many organizations turn to cybersecurity firms to audit their operations to uncover security vulnerabilities and help simplify complex compliance objectives. However, the intricacies of varying auditing assessments can make exceptional cybersecurity assessments pricey. Budgeting and cost concerns are top of mind for executives, and rightfully so. With cybersecurity insurance premiums at an all-time high, rising by nearly 30 percent in 2022, many business leaders are feeling pressure to find inexpensive solutions for their auditing assessments. While cost is a crucial factor in any business purchase – and a top priority for professionals feeling the pressure of current market conditions – it cannot be the only factor when conducting a security assessment. Instead, Chief Information Security Officers (CISOs) should consider a holistic approach, return on assessment investment (ROAI), when choosing a cybersecurity auditing partner and program.

Widget not in any sidebars

Cybersecurity Compliance: Why Cost Isn’t the Only Factor

What is ROAI?

Fundamentally, there is a top-line impact on a compliance program. A company’s adherence to a specific standard may be table stakes for selling to a particular sector like the banks, hospitals, or the federal government. Additionally, third-party audited systems and programs allow companies to use their own cybersecurity as a competitive differentiator. Hyper-scale cloud providers have created multi-million-dollar lines of business by selling to the federal government, which requires the most stringent assessment under the Federal Risk and Authorization Management (FedRAMP) program.

When ROAI is used to measure the return on a cybersecurity assessments program, it goes beyond dollars and cents. ROAI considers a combination of the expertise, scale, and capabilities an assessment firm possesses to provide a higher level of service with a lower operational cost per report when assessments are performed in a coordinated manner. ROAI also encourages businesses to consider the reputation and resources of a cybersecurity assessment firm to determine whether it can provide the auditing efficiencies and scope of auditing services necessary to not only maintain compliance but to save on costs later downstream. More importantly, the customers and partners relying on compliance reports must be able to trust the reputation and credibility of the assessment firm issuing the reports.

The Importance of Auditing Efficiency

When companies think too narrowly about risk assessments, they tend to put too much emphasis on finding a low-cost, well-known provider. While easily recognizable providers – that spend endlessly on marketing campaigns to showcase their savings – may seem attractive, more times than not, when put into practice, there are unforeseen “costs” to actually working with these firms.

Have you ever shopped for car insurance online? The big ad at the top of your Google search is enticing because it promises to save 15 percent with “rates starting as low as…” Unfortunately, once you click through, you realize the only thing you’ll be covered for is your car’s washer fluid. Often, low-cost audit firms implement a tactic known as “amendment creep,” where they announce additional add-on fees for different services or enact several rounds of changes to the original, agreed-upon audit contract. Once a contract is signed, a company is, in many ways, at the mercy of its provider; additional licensing audits, price increases, and negotiations all cost an organization time, resources, productivity, and peace of mind.

That is why an ROAI approach considers the effects of a firm’s auditing efficiency and experience to mitigate contract amendments and business disruptions. Cybersecurity auditing firms that offer 5 percent or less for the number of revisions they can propose to a contract after an agreement is made typically have the confidence, resources, and expertise to consistently deliver high-quality audits without any of the added costs or headaches.

The Power of Right-Sizing Your Cybersecurity Compliance

Hand in hand with auditing efficiencies are general administrative efficiencies for IT teams. The beauty (or burden) of cybersecurity operations is that no operation is the same. Businesses need a flexible, scalable auditing program that can mold to their company’s unique needs. Unfortunately, low-cost audit firms or approaches often use predetermined audit templates. These bolt-on solutions templates stimy customization capabilities to provide a tailored experience for a CISO’s team. Additionally, these templated auditing programs are another back door for low-cost cybersecurity firms to tack on additional fees for adjustments needed to remediate auditing needs or for implementing processes to solve inaccurate or imprecise audit results.

When considering a cybersecurity auditing partner, CISOs must consider a firm’s agility and ability to provide fast, efficient, and customizable compliance programs to adapt to their business’s evolving auditing needs. By assessing cybersecurity needs beyond cost, CISOs will discover the administrative value they can find in their cybersecurity assessment, leading to:

• Less time spent preparing for an audit
• Less time spent educating your auditors
• Less time spent responding to duplicate requests from customers
• Less time spent re-writing reports

These advantages, in turn, streamline cybersecurity assessment processes, which reduce workloads, eliminate business disruptions and lead to unforeseen cost savings later downstream. Other benefits include improved efficiencies and a better overall relationship with the auditing firm. Put differently, less time spent on draining tasks and adjustments can be the hidden ROAI for businesses when choosing their auditor beyond the initial cost.

Conclusion

For companies that want to uplevel their cybersecurity compliance programs, cost should be one of many – rather than the sole – aspects of an assessment that companies consider. Instead, cost should be a small component of your company’s larger security narrative. By vetting potential risk assessors using ROAI measurements, not only will CISOs find a cybersecurity compliance program with the necessary efficiencies and agility, but they will also find a knowledgeable and trusting auditing partner to help guide their team through their cybersecurity journey.

Widget not in any sidebars