Computerworld - Return on security investment has become a hot topic.
IT departments have traditionally been viewed as cost centers, though they have learned to provide a business-case analysis for IT initiatives. Information security departments are trying to figure out how to do the same thing.
They can't sell security initiatives based on fear anymore. They have to come up with the same justifications as any other business unit, complete with the dreaded metrics, or hard financial facts.
ROI is about revenue generation, cost savings or increased productivity. IT has learned to show, for instance, that upgrading the server farm or network will provide x% increased productivity by virtue of faster access of mission-critical applications and that installing a virtual private network (VPN) will provide x% increase in productivity by virtue of availability of the network to remote and mobile employees. But how can security prove ROI for preventive measures that require capital expenditures, additional manpower and a steep learning curve?
Some people claim that trying to prove return on security investments is a waste of time. It's all about risk management, they say. Meanwhile, security vendors are champing at the bit to prove that ROI on security is possible and have gone to elaborate lengths to prove that their products will provide significant returns. Managed security service providers are saying, "Just let us handle your security for you, and we'll show you how you can reduce risk and cost."
Marcia J. Wilson holds the CISSP designation and is the founder and CEO of Wilson Secure LLC, a company focused on providing independent network security auditing and risk analysis. She can be reached at firstname.lastname@example.org.
What are you trying to protect?
Here are some steps to take when trying to calculate ROI:
- Identify your information assets: Assets can be a resource, a product, the networked computing infrastructure, protected health information, or customer or employee data. Losses in the areas of confidentiality, integrity or availability can have a specific dollar value or be intangible, as with loss of reputation.
- Identify threats and vulnerabilities: Anything that causes an unwanted outcome is a threat. Threats come in many forms and have varied effects. Earthquakes are threats. Lawsuits are threats. Vulnerabilities are weaknesses or the absence of adequate safeguards.
- Do an asset valuation: Once you've identified your assets and the threats and vulnerabilities that beset them, it's important to go through an asset valuation process. Why go full throttle on a project to secure an asset that isn't of high value to the organization? You can create a matrix and value your assets simply in terms of high, medium and low value to the organization based on your own definitions. For each asset, consider what the total cost, initial and ongoing, is to the organization for the full life cycle of the asset. Determine what the value of the asset is in terms of production, R&D and criticality to the business model (tangibles and intangibles). Answer the question of what the value of the asset is in the marketplace including intellectual property rights.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts