What’s your ROI on cybersecurity?

How well does the following description fit your organisation? Around 100 – 150 FTE staff, a website and social media presence, remote VPN access for staff, and active use of email for external communications with business transactional processing? Based on real-life examples, a similar organisation could face a cyber threat once every 5 - 7 seconds just from its incoming email traffic. That threat could well lead to a security event that nobody will welcome during the Christmas and holiday season…

Effective cybersecurity requires more than an annual penetration test, good firewalls and pricey virus protection. The best defence is systemic protection that crosses internal boundaries to create a Whole-of-Organisation (WoO) culture of cybersecurity awareness and sensitivity.

An important systemic approach for in-depth protection is the adoption and implementation by the organisation of the international standard AS ISO/IEC 27001:2015 [1] Information Security Management System (ISMS), to a level of ‘Certified To’ or ‘In Compliance With’.

The scope of ISO 27001 includes:
It’s a big job, and will require your WoO commitment to the change. Senior management must lead the way, and by their participation in the process, give legitimacy to all the work. Policies, procedures and risk assessments need creation within the context of the cyber threats you face. It will take time and it won’t be cheap. If your organisation of 100 – 150 FTE staff is starting from scratch, a typical year-1 budget for adoption and implementation of ISO 27001 may well be around $150,000+ to reach the ‘In Compliance With’ level.
And what’s your Return on Investment (ROI) on all that ISO 27001 spending? In the face of a cybersecurity environment that is current, real and persistent (such as below), it offers a far greater return than a penetration test and/or a pricey virus protection application:

  • The investment helps your organisation build a structured cybersecurity defence within the context of the risks it actually faces.
  • It also identifies achievable methods for mitigating those risks.
  • Most important of all, it inculcates a staff culture of responsibility for cybersecurity and risk mitigation throughout your workplace.

So when your ISMS is called upon to defend your organisation, the return on your cyber investment will then become priceless.

If you would like to talk about cyber or information security, please feel free to contact Doll Martin Associates at contact@dollmartin.com.au.

[1] Published by SAI Global Limited under licence from Standards Australia, AS ISO/IEC 27001:2015, (29 April 2015) “Information Security-Security techniques-Information security management systems-Requirements”.