Chapter 4: Productivity, Efficiency, and ROI in Cyber Security

In the realm of cybersecurity, where threats constantly evolve, email security holds a unique position. It acts as both the entry point for attackers and the exit point for valuable information. The complex interplay of technological controls and human intervention makes email security a critical yet challenging domain for security practitioners.

The Challenge of False Positives

Email security is a high-stakes game, where erroneous judgments can disrupt the delicate balance between security controls and operational productivity. In the words of Joel Fulton, email security is not merely a gateway for inbound attacks like Business Email Compromise (BEC) but also an avenue for the surreptitious exfiltration of critical business data, including invoices and intellectual property. This dual role as both a defensive barrier and a conduit for data makes email security an intricate domain where the slightest misjudgment can have profound consequences.

False Positives (Type-1 Errors): A security practitioner’s nightmare

What makes email security particularly challenging is the risk of declaring something amiss in the email pathway, whether it is a gateway, a sender, an IP address, or a header, only to discover that the judgment was incorrect. In statistical terms this is a Type-1 error, better known as a false positive, and it is the one security practitioners dread the most. It occurs when a benign email or alert is mistakenly identified as malicious, resulting in unnecessary investigations, legitimate mail held in quarantine, and potential disruptions to vital business operations.

On the flip side are Type-2 errors, or false negatives, where an email or alert is declared benign when it is actually malicious. These are treated as more tolerable in practice, and the security industry has learned to accept that some threats will inevitably slip through. The fear of false positives looms larger because they put the security team on the hook for causing operational outages or service disruptions.

Security practitioners find themselves in a delicate predicament where they must balance robust security with operational efficiency. They are keenly aware that being perceived as the “people who block the business” is not a desirable role. Instead, they aim to be enablers of business continuity while safeguarding against threats. Email security, in this context, becomes an intricate and high-stakes game, where the cost of false positives extends beyond operational disruptions to potentially impacting an organization’s reputation and customer relationships.
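To make the two error types concrete, here is an added example (not code from the original page or from any vendor) that tallies a gateway's verdicts against ground truth and reports the false-positive and false-negative rates. The message records, verdict values and per-error cost weights are constructed for illustration; the names `count_errors`, `ErrorCounts` and `expected_error_cost` are this example's own.

```python
"""Tally email gateway verdicts against ground truth.

Added example with constructed data: the records below are not from a real
gateway, and the cost weights passed to expected_error_cost are assumptions
an organization would replace with its own figures.
"""
from dataclasses import dataclass

# (message_id, gateway_verdict, ground_truth); constructed sample data.
# "block" means the gateway quarantined or rejected the message.
SAMPLE_VERDICTS = [
    ("m01", "block", "malicious"),
    ("m02", "block", "malicious"),
    ("m03", "block", "benign"),     # false positive: a supplier invoice quarantined
    ("m04", "allow", "benign"),
    ("m05", "allow", "benign"),
    ("m06", "allow", "malicious"),  # false negative: a BEC lure delivered
    ("m07", "allow", "benign"),
    ("m08", "block", "benign"),     # false positive
    ("m09", "allow", "benign"),
    ("m10", "block", "malicious"),
]


@dataclass(frozen=True)
class ErrorCounts:
    true_positive: int    # malicious mail blocked
    false_positive: int   # Type-1 error: benign mail blocked
    false_negative: int   # Type-2 error: malicious mail delivered
    true_negative: int    # benign mail delivered

    @property
    def false_positive_rate(self) -> float:
        """Share of benign messages that were wrongly blocked."""
        benign = self.false_positive + self.true_negative
        return self.false_positive / benign if benign else 0.0

    @property
    def false_negative_rate(self) -> float:
        """Share of malicious messages that were wrongly delivered."""
        malicious = self.true_positive + self.false_negative
        return self.false_negative / malicious if malicious else 0.0


def count_errors(records) -> ErrorCounts:
    """Build the confusion matrix; reject malformed records instead of miscounting them."""
    tp = fp = fn = tn = 0
    for message_id, verdict, truth in records:
        if verdict not in ("block", "allow") or truth not in ("malicious", "benign"):
            raise ValueError(f"{message_id}: unexpected verdict/label {verdict!r}/{truth!r}")
        blocked = verdict == "block"
        malicious = truth == "malicious"
        if blocked and malicious:
            tp += 1
        elif blocked:
            fp += 1
        elif malicious:
            fn += 1
        else:
            tn += 1
    return ErrorCounts(tp, fp, fn, tn)


def expected_error_cost(counts: ErrorCounts,
                        cost_per_false_positive: float,
                        cost_per_false_negative: float) -> float:
    """Weight each error type by what it costs the business (weights are assumptions)."""
    return (counts.false_positive * cost_per_false_positive
            + counts.false_negative * cost_per_false_negative)


if __name__ == "__main__":
    c = count_errors(SAMPLE_VERDICTS)
    print(c)
    print(f"false-positive rate: {c.false_positive_rate:.2%}")
    print(f"false-negative rate: {c.false_negative_rate:.2%}")
    # Hypothetical weights: a blocked invoice costs analyst time and a delayed
    # payment; a delivered BEC lure can cost far more. Tune per organization.
    print(f"weighted error cost: {expected_error_cost(c, 500.0, 5000.0):.0f}")
```

Tracking both rates side by side, rather than a single accuracy number, is what lets a team show that a tuning change reduced quarantined legitimate mail without quietly raising the miss rate.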

Productivity and Efficiency as ROI Drivers

Seamless integration: A key to productivity gains

The path to realizing productivity gains and, consequently, ROI in security investments often hinges on the seamless integration of new tools into existing workflows. Joel emphasizes that productivity isn’t solely about adopting new solutions; it’s about incorporating them effectively into the existing security infrastructure.

Security teams typically operate within established workflows, leveraging playbooks, response protocols, and familiarity with their chosen platforms. Distracting these teams with new tools, interfaces, or workflows can dramatically impact their efficacy. In some cases, productivity may never fully recover.

To harness the full potential of a new security tool, it must integrate seamlessly into the existing environment. Consolidating alerts and operations into a unified platform eliminates the need for security analysts to navigate multiple systems, reducing complexity and preventing the loss of productivity. This integration approach is the linchpin for achieving a return on investment measured in enhanced productivity.

Quantifying productivity gains

Understanding productivity gains and translating them into tangible ROI figures is pivotal. Joel suggests measuring productivity through key performance indicators (KPIs) such as mean-time-to-response, mean-time-to-quarantine, and mean-time-to-resolve, akin to the metrics used for incident tickets. By quantifying the time saved and the speed of response to threats, organizations can establish a baseline for assessing the efficacy of security investments.

For instance, consider a scenario where an organization integrates an advanced security solution. This integration results in a notable reduction in the mean-time-to-response, meaning threats are addressed more swiftly. Additionally, incidents of higher severity are resolved faster, shortening the window in which an attacker can do damage. This combination of quantitative measures provides a compelling case for the efficacy of the security investment.
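The KPIs named above are straightforward to compute from ticket timestamps, and the baseline-versus-after comparison is where the productivity figure comes from. The following is an added example, not code from the original page or from any vendor: it takes constructed ticket records for a period before and after a tool integration, computes mean time to respond, quarantine and resolve per severity, and reports the percentage reduction. Tickets still open, or never quarantined, are left out of that particular KPI rather than counted as zero. The record layout, the `kpis` and `percent_reduction` names and the timestamps are this example's own.

```python
"""Response-time KPIs from incident ticket timestamps.

Added example with constructed data; the tickets are not from a real SOC.
Durations are measured from the moment the alert fired (detected).
"""
from dataclasses import dataclass
from datetime import datetime
from statistics import mean
from typing import Optional

# (ticket_id, severity, period, detected, responded, quarantined, resolved)
# period is "baseline" (before the integration) or "after". None means the
# event has not happened: an open ticket, or an alert with nothing to quarantine.
RAW_TICKETS = [
    ("t1", "high", "baseline", "2024-03-01T08:00", "2024-03-01T08:45", "2024-03-01T09:30", "2024-03-01T12:00"),
    ("t2", "high", "baseline", "2024-03-01T10:00", "2024-03-01T10:35", "2024-03-01T11:00", "2024-03-01T13:00"),
    ("t3", "low",  "baseline", "2024-03-01T09:00", "2024-03-01T11:00", None,               "2024-03-01T17:00"),
    ("t4", "low",  "baseline", "2024-03-01T14:00", "2024-03-01T15:00", "2024-03-01T15:30", None),
    ("t5", "high", "after",    "2024-04-01T08:00", "2024-04-01T08:05", "2024-04-01T08:10", "2024-04-01T09:00"),
    ("t6", "high", "after",    "2024-04-01T10:00", "2024-04-01T10:15", "2024-04-01T10:20", "2024-04-01T11:00"),
    ("t7", "low",  "after",    "2024-04-01T09:00", "2024-04-01T09:30", None,               "2024-04-01T11:00"),
    ("t8", "low",  "after",    "2024-04-01T14:00", "2024-04-01T14:10", "2024-04-01T14:20", "2024-04-01T15:00"),
]


@dataclass(frozen=True)
class Ticket:
    ticket_id: str
    severity: str
    period: str
    detected: datetime
    responded: Optional[datetime]
    quarantined: Optional[datetime]
    resolved: Optional[datetime]


def _ts(value: Optional[str]) -> Optional[datetime]:
    return datetime.fromisoformat(value) if value else None


def make_ticket(row) -> Ticket:
    tid, sev, period, det, resp, quar, res = row
    return Ticket(tid, sev, period, _ts(det), _ts(resp), _ts(quar), _ts(res))


TICKETS = [make_ticket(r) for r in RAW_TICKETS]

# KPI name -> the ticket field that ends the interval started by `detected`.
KPI_FIELDS = {
    "mean_time_to_respond": "responded",
    "mean_time_to_quarantine": "quarantined",
    "mean_time_to_resolve": "resolved",
}


def kpis(tickets, period: str, severity: Optional[str] = None) -> dict:
    """Mean minutes per KPI for one period, optionally for one severity.

    A ticket missing the end timestamp is excluded from that KPI only, so an
    open ticket does not drag the mean down; a None result means no ticket
    contributed to that KPI.
    """
    selected = [t for t in tickets
                if t.period == period and (severity is None or t.severity == severity)]
    result = {"ticket_count": len(selected)}
    for name, field in KPI_FIELDS.items():
        minutes = []
        for t in selected:
            end = getattr(t, field)
            if end is None:
                continue
            if end < t.detected:
                raise ValueError(f"{t.ticket_id}: {field} precedes detection")
            minutes.append((end - t.detected).total_seconds() / 60)
        result[name] = mean(minutes) if minutes else None
    return result


def percent_reduction(baseline: dict, after: dict) -> dict:
    """Percent by which each KPI fell from baseline to after (None if undefined)."""
    out = {}
    for name in KPI_FIELDS:
        b, a = baseline[name], after[name]
        out[name] = None if not b or a is None else round(100 * (b - a) / b, 1)
    return out


if __name__ == "__main__":
    for sev in (None, "high"):
        before, later = kpis(TICKETS, "baseline", sev), kpis(TICKETS, "after", sev)
        print(sev or "all", before, later, percent_reduction(before, later))
```

Reporting the high-severity slice separately matters: a tool that speeds up low-severity triage but leaves critical incidents untouched shows up clearly here, whereas a single blended mean would hide it.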

Insights from the ROI Study

Our own ROI study reinforces the importance of productivity and efficiency as drivers of return on investment. As the cybersecurity landscape continues to evolve, with a surge in unique malware samples and escalating threats, security operations teams face considerable challenges. Our interactions with customers highlight that SOC analysts often spend extensive hours investigating malware alerts and phishing emails.

Here’s where VMRay’s FinalVerdict solution comes into play. Its automation capabilities drastically reduce investigation times. In under a minute, FinalVerdict delivers evasion-resistant threat analysis for malware alerts and phishing emails, freeing SOC teams to concentrate on genuine threats and proactive threat hunting.

Our ROI calculation is based on these operational metrics, including the reduction in investigation time and the number of alerts needing attention. The results are compelling: a typical enterprise with 10,000 endpoints could realize cost savings of approximately $1.9 million over three years, even accounting for the cost of the FinalVerdict Unlimited plan. This equates to a 3-year ROI of 342%.

In summary, the productivity gains made possible by solutions like FinalVerdict offer a potent mix of cost savings and efficiency enhancements. Organizations can reduce false positives, expedite investigations, and eliminate manual tasks. This makes investments in such solutions highly attractive for those seeking to optimize their security operations.

Returning to ROI and a Golden Age of Innovation in Email Security

The Role of Email Security: Enabler or Blocker?

In conclusion, this course has navigated the ever-evolving landscape of email security. We find ourselves in a golden age of innovation, with promising tools and technologies continually emerging. However, the key takeaway here is not to rush headlong into adopting the latest trends but to approach these innovations wisely.

Security leaders must consider several critical aspects when selecting new security tools. They should focus on the fundamentals, prioritize the role of security teams over tools, and assess the implications of tool deployment on overall productivity and operational complexity. When calculating the return on investment for security investments, productivity becomes a vital factor.

We invite you to explore further courses on our academy dedicated to enhancing the productivity of security teams. Topics such as “Automating Malware Alert Triage to Reduce EDR False Positives” and “Finding the Right Approach to Security Automation to Empower SOC Teams” delve deeper into these crucial aspects of modern cybersecurity.

With the right approach and the right partners, security leaders can optimize their security operations, achieving more with less, and ensuring robust protection for their organizations.