July 24, 2003
(Computerworld)
Return on security investment has become a hot topic.
IT departments have traditionally been viewed as cost centers, though they have learned to provide a business-case analysis for IT initiatives. Information security departments are trying to figure out how to do the same thing.
They can't sell security initiatives based on fear anymore. They have to come up with the same justifications as any other business unit, complete with the dreaded metrics, or hard financial facts.
ROI is about revenue generation, cost savings or increased productivity. IT has learned to show, for instance, that upgrading the server farm or network will provide x% increased productivity by virtue of faster access of mission-critical applications and that installing a virtual private network (VPN) will provide x% increase in productivity by virtue of availability of the network to remote and mobile employees. But how can security prove ROI for preventive measures that require capital expenditures, additional manpower and a steep learning curve?
Some people claim that trying to prove return on security investments is a waste of time. It's all about risk management, they say. Meanwhile, security vendors are champing at the bit to prove that ROI on security is possible and have gone to elaborate lengths to prove that their products will provide significant returns. Managed security service providers are saying, "Just let us handle your security for you, and we'll show you how you can reduce risk and cost."
Marcia J. Wilson holds the CISSP designation and is the founder and CEO of Wilson Secure LLC, a company focused on providing independent network security auditing and risk analysis. She can be reached at marcia@wilsonsecure.com.
What are you trying to protect?
Here are some steps to take when trying to calculate ROI:
Gather metrics
Once you understand what you have, you need to understand what it would cost the company to lose it vs. what it would cost to safeguard it. There are standard formulas that can be used:
The Exposure Factor (EF) for a particular asset is the percentage of loss if an event occurred.
Single Loss Expectancy (SLE) is the specific dollar amount assigned to the event if it occurs.
Annualized Rate of Occurrence (ARO) is the estimated frequency in which the event could occur.
Annualized Loss Expectancy (ALE) is derived by the following formula:
You have a list of assets; you've ranked them according to importance to the organization (qualitatively and quantitatively); you've attached dollar figures to the loss or unavailability of the asset. You begin to understand the risk. There's no fear in these calculations. There's a realization of value and risk. The need to place a priority on security projects should be clearer.
Stop. I am tremendously oversimplifying this, but if you can get this far, you will be further than most organizations. The effort involved in pulling this information together takes a dedicated team effort from across the organization (engineering, marketing, sales, finance, IT, security, executive management, development, production operations). It's no simple task. Some excellent work in this area is available that applies these formulas in depth to various scenarios. Read David Kinn and Kevin Timm's two-part series on justifying the expense of intrusion-detection systems.
Safeguards
This is where you set about to understand what types of safeguards are necessary to implement and in what order they should be implemented. This is also where you prioritize projects based on the asset valuation process and figure out how much it's going to cost. Now, you can set about to determine what the ROI on security could be. Forward and creative thinking is required. To suggest security solutions at this juncture would be wrong. Each organization, each industry, is unique, and legislation (such as the Graham-Leach-Bliley Act, HIPAA, the Sarbanes-Oxley Act) is driving organizations forward at an urgent pace.
Real return?
It has been suggested that there is no real return on security investment -- there is only risk management. However, ROI isn't strictly about generating revenue; it's also about increasing productivity and cost savings. There are very few cases of security initiatives that can actually provide revenue generation. You can provide a means by which revenue can be generated, such as creating a secure VPN environment through which customers and partners can transact business. You can buy a network management system that costs you $300,000 and have one network engineer man it vs. hiring four network engineers to individually monitor systems and log files, correlate data, draw conclusions and make changes to the system. Not a hard sell. What about purchasing an intrusion-detection and -prevention system? You have to hire an employee to administer the system if you don't have one already. You will pay for the installation and training on the system. How do you calculate the ROI on that?
You need to familiarize yourself with recent studies and industry reports. One report, titled "Cost-Benefit Analysis for Network Intrusion Detection Systems" (download PDF), that came out of the University of Idaho provides useful statistics and methods. The research paper takes a quantitative and qualitative look at the security risks in a distributed network environment, creation of a cost model and cost-benefit analysis for an IDS. The methods and models used in the report are a good template for evaluating ROI. The author and researcher's work is now being widely read and quoted.
The conclusion is that you can develop return on a security investment. To do that, you're going to have to dig deeper than you probably have had to in a long time. You have to get the big picture first and then drill down to the most minute detail, and when you've done that, you'll be close to proving how a security initiative is going to reduce cost, improve productivity and even possibly generate revenue.