For Once, Some Incontestable ROI

Return on investment can be elusive in infosec. But a disaster averted is a blessing in disguise.

Return on investment can be tough to calculate in the realm of information security. Usually, you can't do much more than point to some "soft" ROI, such as an improved security posture for the company or the marketing advantage of being able to tout how secure your products are.

So, I think any security manager would feel good about hitting the ROI jackpot, as we recently did.

The investment in this case was our data leak prevention infrastructure, which we rely on for detecting attempts to send any of our intellectual property out of the company. For a while, the technology was hit-or-miss for us; as with any intrusion-detection software, this technology is prone to false positives until it's tuned properly. That can result in the "boy who cried wolf" syndrome.

The return on this investment came when one of my analysts picked up an indication that one of our employees was sending a company service manual to his personal Web-based e-mail account. Our service manuals (many are in PDF form) are among the crown jewels of our intellectual property. Approximately 35% of our overall revenue comes from servicing the equipment we sell, and our technicians rely on our service manuals when they conduct the various calibrations and measurements related to the proper operation of our tools.

The employee in question worked in one of our Southeast Asian offices. A large portion of our customer base is in Asia, making this potential breach even more significant.

When we have an indication of attempted theft of intellectual property, we immediately begin to journal the suspect's e-mail and review the data stored in his PC's home directory. We have no interest in personal e-mails or data, and to narrow down the search, we look for matches of keywords or certain document types.
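The review described above (outbound document attachments headed to personal webmail, then a keyword and document-type pass over the suspect's home directory) can be sketched in code. The following is an added Python example, not code from the column or from its author's DLP product; the domains, keywords, allowlist and sample records are all constructed for illustration. It also shows the tuning point from earlier in the column: a first-cut rule that flags every document leaving the company fires on invoices and partner mail, while the tuned rule adds a keyword, a personal-webmail condition and an allowlist.

```python
"""DLP-style screening of outbound mail plus a home-directory keyword review.

Added illustration; every domain, keyword, path and record here is hypothetical.
"""
from dataclasses import dataclass

CORPORATE_DOMAIN = "example.com"                             # assumed company domain
WEBMAIL_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com"}  # assumed personal webmail providers
SENSITIVE_EXTENSIONS = (".pdf", ".doc", ".docx", ".ppt", ".pptx")
SENSITIVE_KEYWORDS = ("service manual", "calibration", "field procedure")  # assumed keywords
# Tuning allowlist: external recipients who legitimately receive manuals (assumed).
ALLOWED_EXTERNAL = {"support@partner-distributor.example"}


@dataclass(frozen=True)
class MailEvent:
    sender: str
    recipient: str
    subject: str
    attachments: tuple = ()


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def sensitive_name(name: str) -> bool:
    """Document type AND keyword must both match, so 'invoice-4411.pdf' is not sensitive."""
    lowered = name.lower()
    words = lowered.replace("_", " ").replace("-", " ")  # file names use _ or - for spaces
    return lowered.endswith(SENSITIVE_EXTENSIONS) and any(k in words for k in SENSITIVE_KEYWORDS)


def untuned_rule(ev: MailEvent) -> bool:
    """First-cut rule: any document attachment leaving the company. Noisy."""
    return domain_of(ev.recipient) != CORPORATE_DOMAIN and any(
        a.lower().endswith(SENSITIVE_EXTENSIONS) for a in ev.attachments)


def tuned_rule(ev: MailEvent) -> bool:
    """Tuned rule: sensitive type + keyword, to a personal webmail account, not allowlisted."""
    if ev.recipient.lower() in ALLOWED_EXTERNAL:
        return False
    if domain_of(ev.recipient) not in WEBMAIL_DOMAINS:
        return False
    return any(sensitive_name(a) for a in ev.attachments)


def screen(events):
    """Events an analyst should actually look at."""
    return [ev for ev in events if tuned_rule(ev)]


def compare_rules(events):
    """(untuned hits, tuned hits): shows how much noise tuning removes."""
    return (sum(untuned_rule(e) for e in events), sum(tuned_rule(e) for e in events))


def scan_home_directory(listing):
    """Keyword / document-type review of (path, text snippet) pairs.

    Personal files that match neither are left alone, which is the point of
    narrowing the search this way.
    """
    hits = []
    for path, snippet in listing:
        text = snippet.lower()
        if path.lower().endswith(SENSITIVE_EXTENSIONS) or any(k in text for k in SENSITIVE_KEYWORDS):
            hits.append(path)
    return hits


# Constructed sample records (not real traffic).
SAMPLE_EVENTS = (
    MailEvent("tech1@example.com", "tech1.home@gmail.com", "manual", ("XR-200_service_manual.pdf",)),
    MailEvent("ap@example.com", "billing@customer.example", "invoice", ("invoice-4411.pdf",)),
    MailEvent("eng@example.com", "support@partner-distributor.example", "manual", ("XR-200_service_manual.pdf",)),
    MailEvent("tech2@example.com", "tech2@example.com", "fyi", ("XR-200_service_manual.pdf",)),
    MailEvent("hr@example.com", "someone@yahoo.com", "offer letter", ("offer_letter.docx",)),
)

SAMPLE_HOME = (
    ("/home/tech1/Documents/investor_deck.ppt", "offer calibration service at a 30% discount"),
    ("/home/tech1/Pictures/holiday.jpg", ""),
    ("/home/tech1/Documents/recipes.txt", "two eggs, one cup of flour"),
    ("/home/tech1/Downloads/XR-200_service_manual.pdf", ""),
)

if __name__ == "__main__":
    print("untuned vs tuned hits:", compare_rules(SAMPLE_EVENTS))
    for ev in screen(SAMPLE_EVENTS):
        print("review:", ev.sender, "->", ev.recipient, ev.attachments)
    print("home directory hits:", scan_home_directory(SAMPLE_HOME))
```

The untuned rule fires on four of the five sample messages (the invoice to a customer, the manual to an allowlisted partner and an HR offer letter are all false positives); the tuned rule fires only on the manual sent to a Gmail address. The home-directory pass returns the investor deck and the downloaded manual and ignores the photo and the recipe file.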

What we turned up was worrisome, indeed. We found (with the help of an interpreter, since everything was written in a language none of my team speaks) a presentation for attracting investors. His business plan was to offer service to our customers at a discounted rate. In addition, several e-mails suggested he planned to lure many of our company's technicians to work for him.

More Evidence

The plot thickened when we looked at the employee's instant messaging traffic. (Employees are informed that their instant messages may be monitored every time they log on.) There were several messages between him and a couple of other employees he was apparently partnering with. And one of their conversations mentioned attempting to partner with one of our competitors to offer service to its customers as well.

All these plans were nipped in the bud. And it's clear that wouldn't have happened if not for the data leak prevention tool. The ROI in this case? Our calculations showed that we stood to lose several million dollars per year in revenue if the employee's plan had gotten off the ground. Our initial investment? About $200,000, including the salary of a full-time analyst.

That sort of solid, hard-dollar ROI is just what I need as I seek more investments. I can now go to my C-level managers and show them the direct value likely to be derived from implementing rights management for our service manuals. You might remember that I implemented Microsoft Rights Management Software a couple of years ago, but it can't be used to protect Adobe PDF files.

Yes, it's definitely an ROI jackpot. I'll let you know whether I get the payoff in the end.

This week's journal is written by a real security manager, "Mathias Thurman," whose name and employer have been disguised for obvious reasons. Contact him at

Copyright © 2008 IDG Communications, Inc.