CIOs looking at an information security proposal need to be armed with not only data on the cost of the project, but also the cost of not doing it. Experts in information security metrics and ROI planning say the science of security ROI has come a long way in the past few years.
Experts acknowledge that three or four years ago, using information security metrics amounted to security managers telling CIOs and CFOs "trust us, we need it."
"The security expert would come in with a stack of security incidents and try to justify a request based on fear. 'If we don't invest in this today, we will get hit with this new security threat and our networking is going to go down,'" said Tom Pisello, CEO of Alinean Inc., an ROI tools provider in Orlando, Fla.
Today, experts encourage security managers to use information security metrics and provide -- and CIOs to insist on -- estimates for factors such as the cost of downtime based on employee costs and lost sales, frequency of security incidents, benefits from automating manual security tasks and potential damage to a corporate brand. That data will help senior management determine where the value may lie in a proposed security expense. However, experts estimate that only 10% to 15% of companies do this type of information security metrics analysis.
"Let's say we're talking about vulnerabilities or spam; convert those operational metrics into business impacts," said Khalid Kark, senior analyst at Forrester Research Inc. in Cambridge, Mass. Kark said if a company can show that a filter, for example, stops eight pieces of spam per user, saving each user eight minutes that they would have spent dealing with that spam, the company can show what the filter saves in lost employee productivity.
That type of data will get the business side of the company to buy into a security initiative easier than raw numbers about the frequency of attacks and incidents, according to Kark. "It's important to pull together some sort of business impact. You have to have a business-centric report if it is going to business management," he said. One key element of communications with the business side and senior management is aligning information security strategies with the business goals, factoring in the amount of risk the organization is willing to take, Kark added.
One development in the past few years has been the availability of hard numbers to delineate what a company has to risk from a serious information security incident. "Now there are enough cases to look at … you can see the financial cost of computer crime hacking cases," said Gary S. Miliefsky, chief technology officer at security vendor NetClarity in Bedford, Mass. Miliefsky points to the Department of Justice listing of computer crime prosecutions and the dollar damages to victim companies as one reference source for security ROI calculations.
CIOs and security managers should factor in the average cost of salary and overhead for an employee and the waste when that employee isn't productive for a day or a week. He recommends that managers conduct quarterly reviews of the number of employees, the computing assets in the company and the organization's security costs. The security team should deliver that report to the chief financial officer. "Then, if you are asking for $3,000 to put a branch office behind a firewall, you can show what it costs if the 10 people in that branch are taken offline," Miliefsky said.
Pisello notes that one challenge in determining the cost of security ROI is identifying where security money is being spent in a distributed environment. While one or two security managers may set policies -- and be easy to account for within the security group's budget -- there may be hundreds of system administrators outside the security team who are spending a portion of their workweek carrying out those policies. That scenario may require an activity-based analysis for multiple departments, he noted.
James M. Connolly is a freelance writer based out of Norwood, Mass. He can be reached at firstname.lastname@example.org.
This was first published in April 2006