Cost Justifying Security Spending
Return on investment (ROI) is a conventional business calculation that is used to allocate resources for maximum profitability. The calculation is simple: subtract the investment from the payback (increased profits) and divide by the investment. The purpose of ROI is to account for all the costs and to attribute the profits generated by the expenditure. In most business situations, such as adding new production capacity, that is not hard. For security, however, the ROI concept does not work well. Many attempts have been made to develop a useful approach, and even a special term, return on security investment (ROSI), has been coined, but the attempts have been less than successful. With some methods, the calculations and speculations are so complex that by the time they are completed, the security situation has changed.
Why is it so hard to do?
One issue is that security does not typically contribute to profitability the way equipment, facilities, or personnel do. Therefore, it cannot produce a “return,” any more than security fences or security cameras can. The financial benefits security delivers are difficult to identify and measure, because they involve events that do not happen and might not even be recognized if they did. It is hard to project the return on investment when you cannot measure the return. Another issue is that there are so many variables, unknowns and intangibles in the world of security. There are thousands of threats, with new ones arising every day and thousands of hardware and application vulnerabilities. Moreover, the potential economic impact of a security breach is hard to predict; it can range from very small to large enough to threaten your organization's existence.
Therefore, network security ROI is both difficult to calculate and of limited value. However, that does not mean you cannot make an economic case for IT security investments. You just have to take a risk management approach. Following is a simple method that can help you and your management make reasonable decisions about security spending.
Base your investment on the risk. Start with the axiom that your network is critical to your organization's survival and success; without it, you are out of business. Internet access is also vital, and there is no denying that Internet-borne security threats are real and relentless, and that they are becoming more sophisticated and more numerous. It is certain that your network is being attacked all the time, and at some point an attack is going to be successful.
Risk management is a common business practice, and all major corporations employ it and have tables for evaluating and quantifying many kinds of risks.
If your organization has the resources to conduct a comprehensive risk assessment and management program, take advantage of it. Nevertheless, for most organizations, sophisticated risk management for IT security is beyond reach because of the time and resources required. If that is your situation, here is what you can do.
First, work with your management to quantify the cost of a potential security incident, starting with a realistic worst-case scenario. What happens to your organization if your network or Web site is down for a few hours? A day? A week? It should be easy to come up with useful ballpark numbers based on lost revenues, lost productivity and other identifiable costs.
Alternatively, what is the potential cost of a security breach, where sensitive personal data is compromised and you are faced with restitution, regulatory penalties and legal costs? This is a little harder to define, but intelligent guesses based on the published experiences of other companies will help.