How do you calculate ROI for AI investments in security, given that benefits to risk reduction can be hard to quantify? What metrics best demonstrate the extent to which they’re providing value, both from your own POV as the security leader, and from the business’s POV?
We take a similar approach. The SOAR aspect is particularly interesting because it allows us to measure mean time to contain. We try to express ROI for AI investments in terms of KPIs and metrics, especially on the endpoint detection and response side and within the SOC. Reducing mean time to detect and contain threats, with AI providing contextualization and helping analysts respond faster, translates into a measurable dollar value.
To be honest, I really have no idea how we can calculate ROI for AI investments in security. Our cybersecurity tools are extremely expensive (second only to our core banking platform), and we do not do any of our own development; it’s all outsourced. For us, the focus is on whether a tool does what we need it to do, regardless of whether it is AI-enabled or not. From the business line perspective, when I oversaw vendor management, we looked at ROI in terms of how a tool would change current processes. We considered metrics such as employee hours required or other cost reductions, but calculating ROI has always been a challenge for our business lines and project management group.
I also don't have a clear sense of how to determine ROI for AI investments in security. When we invest in tools, it is for a very distinct reason—usually to address a specific risk or business need—regardless of whether AI is part of the solution. The presence of AI is not the driver for investment. We look at how a tool might help with automation, integration, or simplification, just as we would with any other technology. AI presents new opportunities, but it is not our sole focus. Rather than seeking out AI solutions and then trying to find problems for them to solve, I look at the problems we have and consider whether AI can help address them. If it can, that is the right opportunity to pursue.

We use Abnormal AI for one of our email security products, and their reporting is quite good, much better than what we have seen with other products like Proofpoint. One useful feature is a value calculator that estimates time saved through automation or AI-based processing of incoming phishing or suspicious emails. We include some of this reporting in the metrics we provide to leadership, which translates time saved into a dollar value based on how messages are processed. I have found this approach useful, and we have applied a similar method in our SOAR platform, even though it is not strictly AI-based. We quantify hours saved per month and use that as a metric in our reporting.
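The two metrics the replies above lean on, mean time to detect/contain from the SOC and analyst hours saved by automation converted to a dollar figure, can be computed from incident records in a few lines. This is an added illustration, not code from any of the posters or their vendors; the incident records, the 45 minutes per manually handled case and the $80 loaded hourly rate are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean


@dataclass
class Incident:
    ident: str
    first_activity: datetime  # earliest attacker activity (from the investigation)
    detected: datetime        # alert raised
    contained: datetime       # host isolated / message purged
    automated: bool           # closed by a SOAR/AI playbook, not an analyst


def _mean_minutes(incidents, start, end):
    return mean((getattr(i, end) - getattr(i, start)).total_seconds() / 60 for i in incidents)


def mttd_mttc(incidents):
    """Mean time to detect and mean time to contain, both in minutes."""
    return (_mean_minutes(incidents, "first_activity", "detected"),
            _mean_minutes(incidents, "detected", "contained"))


def hours_saved(incidents, minutes_per_manual_case):
    """Analyst hours avoided because a playbook handled the case end to end."""
    return sum(minutes_per_manual_case for i in incidents if i.automated) / 60


def roi_report(before, after, minutes_per_manual_case, loaded_hourly_rate):
    """Before/after comparison of the kind reported to leadership."""
    mttd_b, mttc_b = mttd_mttc(before)
    mttd_a, mttc_a = mttd_mttc(after)
    saved = hours_saved(after, minutes_per_manual_case)
    return {"mttd_delta_min": mttd_b - mttd_a, "mttc_delta_min": mttc_b - mttc_a,
            "hours_saved": saved, "dollar_value": saved * loaded_hourly_rate}


# Constructed sample data: one quarter before and one after the SOAR rollout.
_T0 = datetime(2024, 1, 1)
_t = lambda minutes: _T0 + timedelta(minutes=minutes)
BEFORE = [Incident("INC-001", _t(0), _t(90), _t(330), False),
          Incident("INC-002", _t(0), _t(150), _t(450), False),
          Incident("INC-003", _t(0), _t(60), _t(240), False)]
AFTER = [Incident("INC-101", _t(0), _t(30), _t(45), True),
         Incident("INC-102", _t(0), _t(45), _t(60), True),
         Incident("INC-103", _t(0), _t(75), _t(195), False)]

if __name__ == "__main__":
    print(roi_report(BEFORE, AFTER, minutes_per_manual_case=45, loaded_hourly_rate=80))
```

The dollar figure only covers analyst time; the MTTD/MTTC deltas are the part that speaks to risk reduction, and they are worth reporting alongside it rather than folding both into one number.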