According to a new digital trust report, 27 percent of business executives view security investments as having a negative return on investment (ROI).

Of these respondents, more than three-quarters said they had been involved in a publicly disclosed data breach in the past, according to “The Global State of Online Digital Trust Survey and Index 2018” by CA Technologies.

This finding led the report’s authors to conclude that “over one quarter of executives are tone deaf to modern security challenges and data breach implications, and have not learned from previous mistakes.” By comparison, just 7 percent of cybersecurity staffers said they believe security investments produce a negative ROI.

The Trickiest Metric in Security

ROI is a tricky subject in the context of information security. According to CSO Online, digital security investments don’t produce greater profits, but instead contribute to “loss prevention,” or greater savings in the event of a security incident. This suggests that increased revenues shouldn’t factor into organizations’ decisions on whether to invest in digital security.

Another CSO Online piece proposed that ROI is the wrong metric for evaluating the efficacy of a digital security program. Instead, executives and board members should focus on network defender first principles. To get to the heart of these principles, executives need to determine how network defenders should spend their time and what they hope to achieve.

How to Quantify the ROI of Security Investments

To quantify the ROI of their organizations’ security investments, chief information security officers (CISOs) should consider adopting a zero-trust approach and focusing on people, programs and technology to improve their data security posture. They should also take the lead in improving formal risk management processes that evaluate information assets and vulnerabilities.

Sources: CA Technologies, CSO Online, CSO Online(1)