Security solutions: Cost-justification guidelines

To make sure security solutions are prioritized properly, especially in organizations that rank projects by their business value, it is important to calculate their savings and benefits and put them in perspective against other projects. It is equally important that the organization not treat all projects the same: security investments should have their own category so that their particular mix of risks and rewards can be measured on its own terms.

Here are some guidelines on how to cost-justify new security solutions and investments:

TCO savings

Today, installed security systems and products cost the organization money in maintenance, administration and support. If the new security project can help reduce the total cost of ownership for security systems -- providing additional protection while reducing the cost to maintain, administer and support the solution -- the purchase may be justified.

Each time there is an incident, the team also has to mitigate the issue and perform forensics to be sure the risk is not realized again. Many newer security solutions aim to help IT respond faster, with fewer resources required to resolve issues, providing additional productivity enhancements and savings. The opportunity for TCO savings can be calculated by tallying current costs and determining potential savings:

As Is: Annual hardware and software support and maintenance contracts.
To Be: These costs can be avoided, or replaced by a lower support and maintenance agreement on a consolidated security system.

As Is: Current security person hours per year spent on administration and support * burdened labor rate.
To Be: Person hours spent administering, supporting and maintaining security solutions can be reduced.

As Is: Current number of realized security incidents * person hours per incident to respond, resolve and perform forensics * burdened labor rate.
To Be: The number of realized incidents can be reduced, person hours per incident cut, or the skill level (and therefore the labor rate) of the person required lowered -- all of which deliver labor savings and productivity improvements.

Compliance management savings

Today, organizations have to develop compliance plans and policies, maintain adherence to those policies, document compliance and exceptions, and respond to audit requests. These tasks consume staff labor and incur service fees. A new security solution often makes compliance management easier, producing task savings for the compliance management staff.

As Is: Current security compliance management person hours per year spent on administration and support * burdened labor rate.
To Be: Reduction in person hours required, or lowering of the skill level of the person required to perform the task.

User productivity improvements

Security solutions can be intrusive, costing users time as they perform tasks to adhere to policies, wait to be granted access, and deal with issues such as delayed access or a pending password reset. A security solution that provides the same protection more seamlessly reduces the impact on users and recovers some of that lost productivity. This is a soft benefit, however: not all of the recovered time translates into bottom-line company benefit, so the savings should be risk adjusted, typically scaled down to 10-30% of the calculated time savings.

As Is: Current user person hours per year lost to security-related access or support issues * burdened labor rate for users.
To Be: Reduction in the number of issues users experience and in the person hours lost.

Risk avoidance

Security solutions are implemented to protect a company's information and systems from attack and theft. They are a proactive investment -- an insurance policy against a risk. Quantifying the risks and the damage they can cause is difficult but not impossible, and it should be done to justify the security expenditure. Where past incidents exist, quantifying the likelihood and cost of an issue is considerably easier.

For example, if the organization was already hit with a virus attack, quantify the number of infections, the costs to mitigate the issue (catalogued as a TCO savings above), the user productivity impact waiting for the issue to be resolved, any lost business while users and systems were down, and any incidental damage from the incident -- such as the impact on business from negative press or word of mouth.

If prior incidents have not occurred, quantification is harder and the team will need to rely on research to predict how often an attack can be expected, the success rate of such attacks against the current security tools and practices, and the cost of a successful attack. Using current breach-cost metrics as the baseline, the team then estimates the risk reduction and the faster resolution that the proposed solution can deliver.

Here is a framework for performing risk avoidance current cost and benefit calculations:

As Is: Expected number of incidents over the next 12 months * hours to resolve an incident * percentage of users affected * burdened labor rate for users.
To Be: Reduction in the number and scope of incidents, as well as in the time spent responding to and resolving them.

As Is: Expected number of incidents over the next 12 months * hours to resolve an incident * transactions lost per hour of downtime * profit margin per transaction.
To Be: Reduction in the number and scope of incidents, as well as in the time spent responding to and resolving them.

As Is: Expected number of incidents over the next 12 months * incidental damage cost per event.
To Be: Reduction in the number and scope of incidents.
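
The four categories above, assembled into one As-Is vs. To-Be model, as an added worked example (not code from the article or from Alinean). It credits only a fraction of the soft user-productivity saving, defaulting to 0.2 from the 10-30% range the article gives; the user headcount in the risk calculation, the 12-month payback framing and every dollar, hour and incident figure in the sample scenarios are assumptions constructed for illustration, not data from the page.

```python
"""Risk-adjusted cost justification for a proposed security solution.

Added example written for this page; it is not code from the original
article or from Alinean. It turns the four benefit categories the article
describes (TCO savings, compliance management savings, user productivity
improvements and risk avoidance) into an As-Is vs. To-Be comparison and
applies the article's haircut to the soft user-productivity benefit.
All figures in the sample scenarios are constructed, not real data.
"""
from dataclasses import dataclass
from math import inf


@dataclass
class Scenario:
    """Annual cost drivers for one state: current (As Is) or proposed (To Be)."""
    support_contracts: float      # hardware/software support and maintenance, $/year
    admin_hours: float            # security staff hours on administration and support
    incidents: float              # realized (As Is) or expected (To Be) incidents/year
    hours_per_incident: float     # staff hours to respond, resolve and do forensics
    compliance_hours: float       # compliance-management staff hours/year
    user_hours_lost: float        # user hours lost to access and support issues
    incident_duration_h: float    # hours to resolve a typical incident
    pct_users_affected: float     # fraction of users affected per incident
    incidental_damage: float      # press, churn and similar damage per incident, $


@dataclass
class Rates:
    """Organization-wide constants shared by both scenarios."""
    staff_rate: float              # burdened labor rate, security/compliance staff, $/h
    user_rate: float               # burdened labor rate, users, $/h
    users: int                     # headcount (assumed: the article's formula implies it)
    transactions_per_hour: float   # transactions lost per hour of downtime
    margin_per_transaction: float  # profit margin per transaction, $


def tco_cost(s: Scenario, r: Rates) -> float:
    """Support contracts + administration labor + incident response labor."""
    return (s.support_contracts
            + s.admin_hours * r.staff_rate
            + s.incidents * s.hours_per_incident * r.staff_rate)


def compliance_cost(s: Scenario, r: Rates) -> float:
    return s.compliance_hours * r.staff_rate


def user_productivity_cost(s: Scenario, r: Rates) -> float:
    return s.user_hours_lost * r.user_rate


def risk_cost(s: Scenario, r: Rates) -> float:
    """The article's three risk rows: user impact, lost business, incidental damage."""
    downtime_h = s.incidents * s.incident_duration_h
    user_impact = downtime_h * s.pct_users_affected * r.users * r.user_rate
    lost_business = downtime_h * r.transactions_per_hour * r.margin_per_transaction
    incidental = s.incidents * s.incidental_damage
    return user_impact + lost_business + incidental


def justify(as_is: Scenario, to_be: Scenario, r: Rates,
            solution_cost: float, soft_benefit_factor: float = 0.2) -> dict:
    """Annual savings per category, risk-adjusted total, net benefit and payback.

    soft_benefit_factor is the share of the user-productivity saving credited
    to the bottom line; 0.2 sits inside the article's 10-30% range and is an
    assumed default, not a figure from the article.
    """
    if not 0.0 <= soft_benefit_factor <= 1.0:
        raise ValueError("soft_benefit_factor must be between 0 and 1")
    savings = {
        "tco": tco_cost(as_is, r) - tco_cost(to_be, r),
        "compliance": compliance_cost(as_is, r) - compliance_cost(to_be, r),
        "user_productivity": (user_productivity_cost(as_is, r)
                              - user_productivity_cost(to_be, r)) * soft_benefit_factor,
        "risk_avoidance": risk_cost(as_is, r) - risk_cost(to_be, r),
    }
    total = sum(savings.values())
    result = {k: round(v, 2) for k, v in savings.items()}
    result["total_annual_savings"] = round(total, 2)
    result["net_first_year_benefit"] = round(total - solution_cost, 2)
    # No savings means the investment never pays back.
    result["payback_months"] = round(12 * solution_cost / total, 1) if total > 0 else inf
    return result


# Constructed sample scenarios (illustrative numbers only, not from the article).
AS_IS = Scenario(support_contracts=120_000, admin_hours=2_000, incidents=12,
                 hours_per_incident=40, compliance_hours=800, user_hours_lost=5_000,
                 incident_duration_h=8, pct_users_affected=0.25, incidental_damage=5_000)
TO_BE = Scenario(support_contracts=80_000, admin_hours=1_200, incidents=6,
                 hours_per_incident=20, compliance_hours=500, user_hours_lost=2_000,
                 incident_duration_h=4, pct_users_affected=0.10, incidental_damage=5_000)
RATES = Rates(staff_rate=75, user_rate=50, users=500,
              transactions_per_hour=200, margin_per_transaction=15)
SOLUTION_COST = 250_000  # assumed first-year license, hardware and deployment, $

if __name__ == "__main__":
    for k, v in justify(AS_IS, TO_BE, RATES, SOLUTION_COST).items():
        print(f"{k:>24}: {v:>12,.1f}")
```

With these constructed inputs the risk-avoidance row dominates the total, which is the usual shape of such a model and the reason the article insists the incident frequency and cost estimates be grounded in past incidents or published breach-cost research rather than guessed: the justification stands or falls on those two numbers, so vary soft_benefit_factor and the To-Be incident count and show the range, not a single figure.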

Tom Pisello is CEO of Orlando-based Alinean Inc., an ROI consultancy helping CIOs, consultants and vendors assess and articulate the business value of IT investments. He can be reached at tpisello@alinean.com.

This was first published in July 2006
