3 Ways to Prove ROI in SAP Security

Markus Schumacher, CEO, Virtual Forge

Markus Schumacher, CEO, Virtual Forge

For years, CIOs have focused on risk management as a key selling point for validating their budgets to the rest of the C-suite. And while that may have gotten them a decent enough budget to implement enterprise security and beef up in-house infrastructure, it's not enough to really make top-level executives sit down and take notice. Any department head can tell you that even though risk mitigation can ultimately save companies millions of dollars a year in prevention, it doesn't do much for convincing higher-ups to keep your enterprise security budget from getting slashed if cuts are being made.

These days, though, it pays dividends to pay attention to SAP security. All you need to do is look at the last year and the immense number of enterprise companies that had their bottom line directly impacted by data breaches and cyber attacks. In fact, taking a reactive approach to cybersecurity is a sure-fire way to lose money. Luckily, understanding how to speak the language of the C-suite and help non-IT executives understand the role that SAP security plays in contributing to overall revenue can make everyone's lives easier.

The Benefits of Proving an ROI on your SAP Security Investment

The benefits of being able to show a real return on investment on SAP security are pretty obvious from an enterprise standpoint. For starters, it helps make a strong case for getting budget allocation for improving security on key SAP programs that manage large volumes of sensitive customer data, proprietary company information, and critical operational procedures. Even a seemingly small vulnerability in SAP security can disrupt enterprise operations, often causing millions of dollars in damage and lost revenue. A 2016 report from IBM and the Ponemon Institute found that the average company cost for a data breach was $3.8 million dollars, so it comes as no surprise that a small SAP security investment can more than cover its cost when compared to the average financial damage that a breach can cause.

SAP security won't drive company revenue, but it absolutely will prevent financial loss if it's implemented and executed well

Challenges of Proving ROI

The problem of showing ROI in SAP security investment is really about how to quantify risk prevention and present it as financial loss prevention. SAP security won't drive company revenue, but it absolutely will prevent financial loss if it's implemented and executed well. Cyber attacks are so commonplace these days, it's more a question of when they will hit your organization - not if. A 2015 study by Duke University and CFO Magazine found that 80 percent of US companies had been successfully hacked. And this doesn't even include companies that have hacks that aren't publicized. To make a case for a return on investment in SAP security, the focus needs to be on the cost of a data breach and how that will ultimately affect the company.

Risk = Probability of an Adverse Event Happening x The Cost of the Adverse Event

Since the cost of adverse events can vary and the probability of an adverse event is largely dependent on company size, skills, time and their budget, these four factors can be used to help make a better case for investing in SAP security. Keep in mind; while there are methodologies like ALE (Annualized Loss Expectancy), it's still hard to calculate these numbers given the lack of reliable data available.

1. Cost of SAP Security vs Credit Ratings - In 2015, Moody's Investors Service announced that cyber security would become a higher priority in company credit ratings. With cybersecurity attacks becoming more prevalent, it's making companies and municipalities more at risk for operational disruption - all of which can have serious repercussions on company revenues and stock prices. Moody's—the New York based investor service that offers credit ratings for debt securities—now takes cyber security attacks and vulnerabilities into account when setting a credit rating. These ratings strongly affect the value of government and corporate bonds, which can have a strong effect on the cash flow of an organization.

2. Cost of SAP Security vs Increased Cost of Operational Overhead - Not only did Moody's integrate cyber security threats into their equation for valuing credit ratings, but FICO announced in 2016 that they had acquired a predictive analytics company to predict the likelihood of enterprise security attacks. Their new Enterprise Security score will affect everything from the cost of business and liability insurance to evaluating third-party vendors, which can have a very real impact on the bottom line.

3. Cost of SAP Security vs Cost of Data Breach - We know that the average cost of a data breach for an enterprise company is $3.8 million, so one of the easiest ways to prove ROI for SAP security is to use the same equation above (x = probability of an event happening x cost of the event) and fill in the blanks. Finding a direct ROI in a risk mitigation service is based on taking the original risk score defined as a dollar amount, subtracting what the risk would be after implementing a solution, and then comparing the result to the cost of implementing a solution.