Network security: Where's the ROI?


Gary S. Miliefsky, Contributor
03.22.2006


When it comes to network security, the CFO is probably even more certain that it's a big expense with no return. It's probably looked at as some kind of costly insurance policy to help show that you both are taking necessary measures to protect your business.

The argument might be, "When did an alarm system or the lock on the front door return money back to us?" These are physical security measures that everyone has to take in order to keep intruders out or help keep honest people honest, and you could claim that doing so gives you a break on your insurance, right? But, really, where's the ROI?

Knowing that organizations spent more than $10 billion worldwide on network security equipment during the last few years, this argument that there is no ROI starts to sound like it has merit. In fact, even after spending all this money, many organizations experienced expensive downtime -- due to hackers, viruses, worms, spyware, spam and malicious insiders.

To explain why I think there is, in fact, ROI to be found in network security, let me first give you a quick crash course on ROI. The way I calculate ROI is to determine the total cost or investment into something and then look for a return of at least double. In other words, if you invest $100,000 per year in a salesperson and they don't generate at least $200,000 in net revenues, then they did not return a +100% ROI. If they brought in $150,000 in net revenues, then there is a positive ROI, but it's +50%. If they generated $100,000 in revenues, then you broke even on your investment in this salesperson and the ROI is 0%. I'm sure you would agree that a +100% ROI is better than 0%.

Now that we've completed the ROI crash course, I'm going to turn the tables and show you that there is indeed a positive ROI to network security. Before you can measure it to prove it to your CEO, CFO or the board, first you need to have my crash course on risk assessment and then we'll tie it all together.

My crash course on risk assessment is easy: R = T x V x A. That is, (R)isk is equal to the number of (T)hreats against your organization, multiplied by the number of (V)ulnerabilities you have and then by the number of (A)ssets. Threats, vulnerabilities and assets are all weighted by how serious the threats and vulnerabilities are, and how valuable the asset is.

Here is an example: What is the risk that your salesperson will not meet his quota of $200,000 per year if, at the end of every quarter, the mail server goes offline and the network fax server won't send out quotes and invoices or accept inbound purchase orders? Suppose this happens because these servers were operating in a risky environment that was constantly hammered by hackers, viruses and worms (threats) that were easily exploiting the weaknesses in your network (vulnerabilities) and taking these servers (assets) offline. At that moment in time, productivity dropped, revenues couldn't be booked and the ROI for sales fell below 100%. In fact, if he booked only $100,000, the ROI is 0% and that makes your organization a nonprofit.

What could you have done to prevent the downtime and loss of business productivity? You could have invested in good network security. That's processes and equipment. People power, hardware, software and systems designed to improve your security posture and reduce risk. If you do this right, the amount you invest in network security has a rapid ROI.

It appears much harder to measure the ROI of network security because by not experiencing downtime, data loss and poor productivity, everyone from the board to the CFO thinks it's just the way business should run. They may not realize that in today's economy, with cybercriminals attacking your network daily; malicious insiders looking to take advantage of your internally open doors; and hackers, viruses and worms exploiting all of the Internet in growing numbers, not experiencing downtime is becoming out of the norm. The reality is that if you are doing a great job at bolstering your network security posture, you are giving the sales side of the house a chance to perform.

So, I'm sure we agree that there is absolutely a positive ROI for good network security. What is the end result of your actions by investing in network security, continually self-assessing risks to your organization, creating best-practices policies and working to maintain IT compliance? Ultimately, by investing up front, proactively, in best practices and the necessary tools for network security, you were able to ensure higher revenues and profitability. Doing it right means more uptime, more productivity and smoother sailing through each quarter. The ROI is real. Your team and network security tools are not a cost center -- you are an integral part of the profit center -- the heart of the organization.

Gary S. Miliefsky is the Founder & CTO of NetClarity. He is a Certified Information Systems Security Professional (CISSP) and a founding member of the Department of Homeland Security (US DHS). He serves as an advisor to MITRE Corporation and is a member of the New England Information Security Group's Board of Directors (NEISG.org).


All Rights Reserved, Copyright 2007 - 2009, TechTarget