on

Calculating the ROI of Digital Risk Protection (DRP)

Businesses see huge value in their digital assets, and this is fuelling the need to manage associated risks – making digital risk protection (DRP)  a significant corporate priority.

DRP is a critical part of the cybersecurity toolset, and one that marks an important evolutionary step in the development of advanced threat intelligence-based services. But DRP’s emergence is only partly due to its acceptance by senior cyber professionals and experts. Its status as a key component of risk strategy is all about its ability to be understood and embraced by business leaders rather than just people in technical roles.

How DRP taps into tangible business value

DRP is important because it enables the business to understand risk in the context of digital asset value, and the potential impact to the business in terms of (principally) revenue and reputation.

Gartner recently published (July 2020) a paper on “Critical Insights in Digital Risk Protection Services”  that reflects the expanding value of DRP across multiple organizational functions from security to sales, marketing, HR and risk/compliance – going from a 1% target audience for the DRP services category today to 10% by 2025.

It highlights 5 key use cases:

  • Mapping digital assets (digital footprinting) and any associated vulnerabilities, misconfigurations, etc. that leave them exposed
  • Brand protection, such as preventing cybersquatting, fake profiles/impersonations of key employees, etc.
  • Preventing account takeovers, such as credential theft
  • Monitoring and mitigating fraud campaigns, such as phishing detection and credit card compromise
  • Data leakage protection e.g. of intellectual property

These use cases demonstrate two important principles. Firstly, that digital assets exist beyond the ‘owned’ IT estate and the corporate perimeter such as in cloud applications and databases, third-party supply chains and social media ecosystems. It’s everything to do with brands, products and employees. This also makes one organization’s digital footprint unique from all others.

The second key principle is that, as business becomes more digital, the challenge of managing these risks is constantly expanding as organizations progress their digital transformations. In most debates about digital transformation, there are clear ROI-driven business cases spelling out the upside opportunity in relation to cost.

Calculating the ROI is DRP is closely linked, though somewhat imprecise. You can’t fully realize the opportunity of digital transformation if you fail to manage the risk. In other words, DRP delivers ROI in the form of risk avoidance – and not just in giving expanding digital initiatives a better shot at realizing their value.

DRP is fundamental to enabling a business to continue functioning and mitigate the risks of cyber-attack, so we should ask whether the question of ROI is even relevant. Businesses have operated risk teams and GRC (governance, risk and compliance)  teams for decades and no-one would ever think about questioning their ROI. DRP is simply a new digital element that has arisen in line with new digital realities. Shouldn’t the same attitude to ROI apply?

How digital risk is relevant across the business

With or without clear ROI, digital risk prevention is successfully transcending departmental lines and becoming directly applicable to specific functions of enterprise organizations.

Obviously the security department will be concerned with harnessing DRP capabilities (e.g. to detect fraud campaigns, close down phishing attacks, prevent data leakage and monitor threats across the open, dark and deep web) and so will the broader IT function as part of measures to identify and control ‘shadow IT’ and ‘forgotten IT’. But it’s the other, non-IT lines of business where DRP is relevant and stimulating interest.

For example, marketing’s chief responsibility is the company brand and managing how this is presented to the outside world, what’s communicated by key spokespeople and how customers and other audiences engage via an increasing number of digital channels. Hence DRP capabilities, like brand protection, policing rogue/fake mobile apps and preventing takeover of corporate/VIP social media accounts, is critical. Success or failure here feeds into the KPIs of the marketing department, which typically relate back to revenue. That’s another positive ROI case for DRP, especially where it’s used to stop customers mistakenly spending their money elsewhere, or being compelled to because the brand is tarnished.

HR departments also have an interest in DRP, particularly monitoring capabilities of digital collaboration platforms and social media. Are employees compliant with the obligations of certain policies governing, for example, inappropriate conduct, hate speech, etc.? Again, this value is hard to quantify, but undoubtedly substantial as well as labor-saving compared to attempting to manually monitor these platforms.

The broader issue of compliance is something that legal departments and risk/compliance teams focus upon. Their interest in DRP would naturally crossover somewhat with HR in cases where intellectual property was at risk. Due diligence projects in relation to third-party contracts and potential M&A would also be strong use cases for employing DRP to ascertain some form of digital risk assessment prior to a deal. ROI again comes in the form of risk avoidance, cost reduction and increased efficiency.

The value of DRP is only realized when intelligence is acted upon

Failing to manage risk will reap a very significant cost that is difficult to measure precisely. And so it is with weighing up the importance of digital risk prevention: the value is undoubtedly huge, but it’s always tricky to calculate the positive from preventing a negative.

DRP satisfies both business imperatives and cybersecurity requirements, but only when it makes best use of advanced real-time threat intelligence to describe the full extent of unique digital footprints, and enable threats to be mitigated.

And this is the key to understanding the value of DRP: not only harnessing threat intelligence to manage the risks of digital transformation, but having full coverage of sources to provide a complete picture, lightning-fast real-time speed to pinpoint the fastest possible response to incidents, and the right balance of machine-based and human analysis to deliver the necessary context to inform accurate decision making.

The problem with DRP and threat intelligence ROI

Enterprise cybersecurity budgets were difficult to justify when executive leadership found it hard to balance the costs expended against a measurable return. Today, boards are better informed and appreciate the value of security investments to guard against the disastrous consequences of, for example, a major data breach.

But ROI is a blunt tool for decision making in this context. “It is worth the investment?”, and “How can we control costs?” are more applicable. “What is the potential cost of NOT doing this?” is really the killer question.

When combined with threat intelligence, its value is non-negotiable. Independently of whether it can point to an ROI or not, a brand can’t afford to lose customers, get its reputation damaged, lose intellectual property or suffer the regulatory wrath of breaking privacy regulations on personal data. Why? Because it’s a matter of life or death for a company right now.

So even without ROI, DRP and TI remain necessary. It’s a question of safety. More airbags in your car do not require an ROI, nor does a better alarm system in your house. But these are still decisions to make to further protect yourself. And with cyber threat levels so high, can you afford not to?

Demo Free Trial MSSP
Program