As more companies, and their vendors, move data to the cloud, customers naturally have concerns about the security of their sensitive information. In past blogs we have talked about the SOC 2 audit process, but what is the ROI and the benefit for your business? Remember that an external audit confirms that the security controls your company has implemented meet the requirements of an industry-accepted security framework. An attestation report such as a SOC 2 Type II (strictly speaking an auditor's report, not a certification) gives a customer independent assurance that the cloud platform it selects has invested in its security program and has operated those controls over the audit period, not just designed them.
Some people think of SOC 2 and other security audits as an unavoidable cost of doing business, basically a necessary evil. But SOC 2 audits can be much more than checking the box; they can be good for business. Progressive companies treat them as investments and actually measure positive returns. We have learned from our customers and audit partners that there is no single way to measure ROI; instead, it depends on what is driving the SOC 2 audit in the first place. In this post we outline the four most common drivers for a SOC 2 audit and, for each, lay out an approach to measuring ROI.
4 Reasons for a SOC 2 Audit, and the ROI of Each
Driver 1: A compelling event, such as a prospective customer or partner that requires its vendors to maintain SOC 2 compliance. The customer asks for this to confirm that basic security practices are in place and that the sensitive data it shares with you is properly stored and secured.
How to Measure ROI: In these cases you are doing the SOC 2 audit specifically to win a deal that you would not win otherwise, so you can logically attribute the revenue from that closed deal to the audit. The return on the investment is the value of the contract won, less the cost of the audit and of the controls you had to put in place to pass it.
Driver 2: To elevate your company by using a SOC 2 audit as a competitive advantage. In a competitive bid, having a SOC 2 report already in hand can give your company the edge and lead to revenue growth when you compete against similar organizations that have not yet been audited. The final SOC 2 report gives your business the opportunity to show its security posture to a wide range of business partners without each of them running their own assessment.
How to Measure ROI: Increased win rate. If your company operates in a market where being seen as secure is an important buying consideration (healthcare or financial services, for example), then being able to provide evidence is likely to give you a competitive advantage, and over time you can expect to win a higher percentage of deals. A plausible scenario is that the report earns you about 5% more business than you would otherwise win. For a $50 million organization, that equates to roughly $2.5 million in additional annual revenue. Set that against the cost of the audit and it can be a very positive ROI. Because the win rate is the variable you are claiming, track it before and after the report is available so the number is a measurement rather than an assumption.
Driver 3: To reduce the likelihood of a data breach. Operating an effective security program goes a long way toward reducing the risk of a security incident or data breach. Preparing for the audit improves employee vigilance and generally makes the organization more resistant to third-party attack. Every breach has associated costs: some hard, such as fines, legal fees and notification expenses, and some soft, such as reputational damage and loss of customer trust. For some organizations an effective security program can prevent a breach altogether; larger organizations more often calculate the impact in terms of a reduction in the number or scope of breaches. In either case you can build a cost estimate based on your country, your industry, and the type and amount of data you store. Published reports put the average cost of a breach between $1.25 million and $8 million, and higher-profile cases run into the hundreds of millions of dollars in damage.
How to Measure ROI: To calculate the value saved, first decide whether you are preventing a single breach or reducing the number and/or scope of breaches over a period of time. Then use a standard value for a data breach, taken from market estimates or from your own calculation. The return is the number (or scope) of breaches avoided multiplied by the cost of a breach. Be honest about the assumption behind the first factor: the audit does not prevent breaches by itself, the controls it verifies do, so attribute to SOC 2 only the controls you would not otherwise have implemented.
Driver 4: An industry-related regulatory requirement. Across industries there are hundreds of regulatory requirements for which an independent audit is the accepted way to demonstrate compliance, and failing to meet them can bring fines in the hundreds of thousands of dollars or more. Being found in violation of HIPAA, GDPR, or CCPA can be costly. Note that a SOC 2 report is not in itself a HIPAA, GDPR, or CCPA certification; its value here is that the controls and evidence gathered for SOC 2 overlap heavily with what those regulations require, so the same program can be shown to regulators, customers, and auditors.
How to Measure ROI: The ROI can be linked directly to the cost of the fines avoided, or to the opportunity cost of not being allowed to compete in certain industries or markets. If completing a SOC 2 audit will prevent a fine, or materially reduce a fine after the fact, then the return is simply the size of that fine. If completing a SOC 2 audit lets you compete where you otherwise could not, then calculate the return using a revenue estimate for your company in that market.
Ostendio customers have tackled all of these scenarios. The Ostendio MyVCM platform can help you build, operate, and showcase your compliance program from the start of your SOC 2 journey and into the future, as your organization continues to demonstrate security compliance. Want to know more about how we can help? We would love to show you how MyVCM guides companies through this process.