Looking under the hood at ROI calculations for Security Automation

Julia Weifenbach

Threat actors continue to work faster and show greater sophistication in their tactics, techniques, and procedures (TTPs). Meanwhile, organizations struggle to keep pace because they are strapped by the persistent shortage of skilled cybersecurity professionals, which, exacerbated by the pandemic, grew by 26.2% over the past year.

With the aim of using automation to help alleviate the significant pressure on cybersecurity teams, 98% of respondents to our 2022 State of Cybersecurity Automation Adoption report say they have increased their automation budgets. This is great news for overworked analysts, but with that increased investment comes increased scrutiny of how that budget is being spent and the expected return on investment (ROI). Security professionals need to be armed with analysis to show the benefits and justify investments. ThreatQuotient is able to help.

Quantitative analysis

In our last blog we talked about a use-case-based approach to ROI analysis that ThreatQuotient recently completed to quantify the value our clients are realizing with the ThreatQ Platform. One of the key benefits of the ThreatQ Platform is enabling “balanced automation”, where repetitive, low-risk, time-consuming tasks are automated, while human analysts take the lead on irregular, high-impact, time-sensitive investigations with automation simplifying some of the work. Our analysis focused on identifying prime tasks well-suited for automation and quantifying the time savings to security teams when those areas are automated.

The following table summarizes the annual savings for each use case: 

Threat Intelligence Management
Annual Savings Realized with ThreatQ $279,552 $150,758 $186,318 $228,096 $186,624 $142,128

The calculations are based on industry research, plus experience working with multiple clients. Each use case provided enough savings to produce a positive ROI and short payback period after factoring in the cost of a ThreatQ license. 

To understand our approach, let’s dig a little deeper into two of these use cases. 

  • Spear phishing emails contain a lot of hidden information that is useful for understanding the extent and nature of the campaign, but extracting and correlating that information is difficult and laborious. ThreatQ simplifies and automates the process of parsing and analyzing spear phishing emails for prevention and response. To quantify the ROI, we assumed two full-time equivalents (FTEs) assigned to phishing analysis at a fully burdened hourly rate of $120. We then determined that 70% of functional tasks associated with spear phishing analysis are suited for automation. With expected efficiency gains from automation of those tasks at 80%, we calculated an annual savings of $279,552.
  • More than 50% of IT security and SOC decision makers feel their team is overwhelmed by the volume of alerts. ThreatQ leverages automation to help address the challenge, enabling teams to manage alert triage more effectively. Through scoring and prioritization based on parameters the security team sets, ThreatQ automatically reduces the number of false positives and improves the quality of alerts. To quantify the ROI, we assumed 1,100 alerts per analyst per month. We then subtracted the number of alerts automatically deemed irrelevant by ThreatQ and quantified the time savings as a result of not having to triage these alerts. We then calculated the efficiency gains ThreatQ provides in the triage of the remaining alerts and combined the total time savings for an annual savings of $186,318.  

More details are available here

Qualitative considerations

Alongside the productivity, efficiency and security benefits, automation arguably brings an equally important benefit for employee well-being. So, when determining ROI we need to include qualitative factors such as employee satisfaction and retention. Organizations are already headed down this path. In fact, our “2022 State of Cybersecurity Automation Adoption” report finds that qualitative factors around resource management and employee satisfaction are more commonly used than quantitative metrics to assess the ROI of automation programs.

By allowing automation to shoulder the burden of time-consuming manual monitoring, identification, triage, and prioritization, analysts can focus on more rewarding, higher-value activities. This reduces the prospect of burnout or boredom and eliminates the risk of errors resulting from either state. In an employment market where retaining employees is becoming a core challenge and the cost of churn in security teams is significant, using automation to make life more fulfilling is paramount.

While the use of qualitative aspects underscores the impact automation has on improving employees’ experience, quantitative metrics are more objective and can be useful in reports to the board when making the case for further investment. The estimated costs of employee turnover range from 33% up to 200% of the departing employee’s salary. To add more objective metrics to the human side of the equation, efforts should be made to quantify separation, replacement and training costs, as well as costs associated with absenteeism and productivity loss that can rise with employee burnout.

Now is the time to take advantage of the increase in security automation budgets by making a case for a security operations platform like ThreatQ with a proven ROI. Download our ROI whitepaper and 2022 State of Cybersecurity Automation Adoption report for additional information that can help you in that process. Then, schedule a demo or check out a self-guided tour with the ThreatQ Online Experience to learn how to use ThreatQ for your top use cases and to discuss the quantitative and qualitative benefits you can gain.


About ThreatQuotient™

ThreatQuotient™ understands that the foundation of intelligence-driven security is people. The company’s open and extensible threat intelligence platform, ThreatQ™, empowers security teams with the context, customization and prioritization needed to make better decisions, accelerate detection and response and advance team collaboration.