The argument might be, "When did an alarm system or the lock on the front door return money back to us?" These are physical security measures that everyone has to take in order to keep intruders out or help keep honest people honest, and you could claim that doing so gives you a break on your insurance, right? But, really, where's the ROI?
Knowing that organizations spent more than $10 billion worldwide on network security equipment during the last few years, this argument that there is no ROI starts to sound like it has merit. In fact, even after spending all this money, many organizations experienced expensive downtime -- due to hackers, viruses, worms, spyware, spam and malicious insiders.
To explain why I think there is, in fact, ROI to be found in network security, let me first give you a quick crash course on ROI. The way I calculate ROI is to determine the total cost or investment in something and then look for a return of at least double. In other words, if you invest $100,000 per year in a salesperson and they don't generate at least $200,000 in net revenues, then they did not return a +100% ROI. If they brought in $150k in net revenues, there is a positive ROI, but it's only +50%. If they generated $100,000 in revenues, then you broke even on your investment in this salesperson and your ROI is 0%. I'm sure you would agree that a +100% ROI is better than 0%.
Now that we've completed the ROI crash course, I'm going to turn the tables and show you that there is indeed a positive ROI to network security. Before you can measure it to prove it to your CEO, CFO or the board, first you need to have my crash course on risk assessment and then we'll tie it all together.
My crash course on risk assessment is easy: R = T x V x A. That is, (R)isk is equal to the number of (T)hreats against your organization, multiplied by the number of (V)ulnerabilities you have and then by the number of (A)ssets. Threats, vulnerabilities and assets are all weighted by how serious the threats and vulnerabilities are, and how valuable the asset is.
Here is an example: What is the risk that your salesperson will not meet his quota of $200,000 per year if, at the end of every quarter, the mail server goes offline and the network fax server won't send out quotes and invoices or accept inbound purchase orders? Suppose these servers were operating in a risky environment, constantly hammered by hackers, viruses and worms (threats) that were easily exploiting the weaknesses in your network (vulnerabilities) and taking these servers offline (assets). At that moment in time, productivity dropped, revenues couldn't be booked and the ROI for sales fell below 100%. In fact, if he booked only $100,000, the ROI is 0% and that makes your organization a nonprofit.
What could you have done to prevent the downtime and loss of business productivity? You could have invested in good network security. That means processes and equipment: people, hardware, software and systems designed to improve your security posture and reduce risk. If you do this right, the amount you invest in network security has a rapid ROI.
It appears much harder to measure the ROI of network security because, when downtime, data loss and poor productivity are not experienced, everyone from the board to the CFO thinks that is just the way business should run. They may not realize that in today's economy, with cybercriminals attacking your network daily, malicious insiders looking to take advantage of your internally open doors, and hackers, viruses and worms exploiting all of the Internet in growing numbers, not experiencing downtime is becoming the exception rather than the norm. The reality is that if you are doing a great job of bolstering your network security posture, you are giving the sales side of the house a chance to perform.
So, I'm sure we agree that there is absolutely a positive ROI for good network security. What is the end result of investing in network security, continually self-assessing risks to your organization, creating best-practices policies and working to maintain IT compliance? Ultimately, by investing up front, proactively, in best practices and the necessary tools for network security, you are able to ensure higher revenues and profitability. Doing it right means more uptime, more productivity and smoother sailing through each quarter. The ROI is real: your team and your network security tools are not a cost center -- you are an integral part of the profit center -- the heart of the organization.
Gary S. Miliefsky is the Founder & CTO of NetClarity. He is a Certified Information Systems Security Professional (CISSP) and a founding member of the Department of Homeland Security (US DHS). He serves as an advisor to MITRE Corporation and is a member of the New England Information Security Group's Board of Directors (NEISG.org).
This was first published in March 2006