Security solutions: Cost-justification guidelines
CIOs often have trouble justifying the value of security solutions to the business side. ROI expert Tom Pisello offers four tips for cost-justifying security investments.
To make sure security solutions are prioritized properly, especially in organizations that rank projects by business value, their savings and benefits must be calculated and put in perspective against competing projects. The organization should also avoid treating every project the same: security investments belong in their own classification category so that their distinct risks and rewards can be measured on appropriate terms.
Here are some guidelines on how to cost justify new security solutions and investments:
IT TCO savings
The security systems and products already installed cost the organization money every year in maintenance, administration and support. If the new security project reduces the total cost of ownership of the security estate -- adding protection while lowering the cost to maintain, administer and support it -- the purchase may be justified on that basis alone.
Each incident also costs labor: the team has to contain the issue and perform forensics so the same risk is not realized again. Many newer security solutions aim to help IT respond faster with fewer people, which is a further source of productivity gains and savings. The opportunity for TCO savings is calculated by tallying current (As Is) costs and estimating what they become (To Be) with the proposed solution:
(As Is) | (To Be)
Software support and maintenance contracts. | Replaced by a (perhaps lower) support and maintenance agreement on a consolidated security system.
Hours per year spent on administration and support * burdened labor rate. |
Realized security incidents * person hours per incident to respond, resolve and perform forensics * burdened labor rate. | Incidents can be reduced, person hours per incident reduced, or the skill level of the person required lowered -- each delivering labor savings and productivity improvements.
Compliance management savings
Organizations today have to develop compliance plans and policies, maintain adherence to them, document compliance and exceptions, and respond to audit requests. These tasks consume staff labor and outside service fees. A new security solution often makes compliance management easier (for example by producing the evidence auditors ask for), which yields task savings for the compliance management staff. The calculation follows the same As Is versus To Be pattern: hours per year spent on each compliance task * burdened labor rate, plus any service fees, before and after the solution.
(As Is) | (To Be)
User productivity improvements
Security solutions can be intrusive, costing users time to comply with policies, to be granted access, and to cope with issues such as delayed access or waiting for a password reset. A solution that provides the same protection more seamlessly reduces the impact on users and recovers some of that lost productivity. This is a soft benefit, however: not all of the recovered time turns into bottom-line benefit for the company, so the savings should be risk adjusted by counting only a fraction, typically 10% to 30%, of the nominal time savings.
(As Is) | (To Be)
per year wasted on security-related access or support issues * burdened labor rate for users. |
Risk avoidance
Security solutions are implemented to protect a company's information and systems from attack and theft. They are a proactive investment -- an insurance policy against a risk. Quantifying that risk and the damage it can cause is difficult but not impossible, and it should be done to justify the expenditure. Where there have been past incidents, estimating both the likelihood of an issue and its cost is considerably easier.
For example, if the organization has already been hit by a virus outbreak, quantify the number of infections, the cost to mitigate the issue (already catalogued under TCO savings above, so do not count it twice), the user productivity lost while waiting for resolution, any business lost while users and systems were down, and any incidental damage -- such as the impact of negative press or word of mouth.
If no prior incidents have occurred, quantification is harder and the team must rely on research to predict how often an attack can be expected, the probability that such an attack succeeds against the current security tools and practices, and the cost of a successful attack. Using current breach-cost metrics, the team then estimates how much the proposed solution reduces that likelihood and how much faster it allows incidents to be resolved.
Here is a framework for performing risk avoidance current cost and benefit calculations:
(As Is) | (To Be)
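The following is an added worked example, not code from the original article or from Alinean: it assembles the four benefit categories described above (IT TCO, compliance, risk-adjusted user productivity and risk avoidance) into one As Is versus To Be model and derives net benefit, ROI and payback. Every dollar figure, hour count, rate and probability in it is constructed for illustration, and the risk-avoidance line uses the standard annualized expected-loss product (attack frequency * success rate * cost per successful attack), which is an assumption about how the article's "likelihood and cost" framework would be carried out.

```python
# Added example (not from the original article): an As Is / To Be
# cost-justification model for a security investment. All inputs are
# constructed for illustration and labelled as such.

from dataclasses import dataclass


def labor_cost(hours_per_year: float, burdened_rate: float) -> float:
    """Administration, support or compliance labor: hours * burdened rate."""
    return hours_per_year * burdened_rate


def incident_cost(incidents_per_year: float, hours_per_incident: float,
                  burdened_rate: float) -> float:
    """Response and forensics labor for realized incidents."""
    return incidents_per_year * hours_per_incident * burdened_rate


def expected_loss(attacks_per_year: float, success_rate: float,
                  cost_per_successful_attack: float) -> float:
    """Annualized expected loss: how often attacks arrive, how often the
    current controls fail to stop them, and what one success costs."""
    return attacks_per_year * success_rate * cost_per_successful_attack


@dataclass
class BenefitLine:
    name: str
    as_is: float        # current annual cost
    to_be: float        # annual cost with the proposed solution
    soft: bool = False  # soft benefits are risk adjusted, not taken at face value

    def annual_savings(self, soft_factor: float) -> float:
        delta = self.as_is - self.to_be
        return delta * soft_factor if self.soft else delta


def build_case(rate: float = 90.0, user_rate: float = 45.0, users: int = 2000) -> list:
    """Assemble the benefit categories from constructed (hypothetical) inputs."""
    return [
        BenefitLine("support and maintenance contracts", 120_000, 80_000),
        BenefitLine("administration and support labor",
                    labor_cost(800, rate), labor_cost(500, rate)),
        BenefitLine("incident response and forensics",
                    incident_cost(24, 16, rate), incident_cost(12, 10, rate)),
        BenefitLine("compliance management labor",
                    labor_cost(600, rate), labor_cost(400, rate)),
        # users lose 2 h/year today, 0.5 h/year after; only a fraction counts
        BenefitLine("user productivity (soft)",
                    labor_cost(users * 2.0, user_rate),
                    labor_cost(users * 0.5, user_rate), soft=True),
        # 4 attacks/year; success rate drops from 25% to 5%; $150k per success
        BenefitLine("risk avoidance (expected loss)",
                    expected_loss(4, 0.25, 150_000),
                    expected_loss(4, 0.05, 150_000)),
    ]


def justify(lines: list, investment: float, years: int = 3,
            soft_factor: float = 0.2) -> dict:
    """Net benefit, ROI and payback for a one-time investment over `years`.
    Recurring costs of the new solution (e.g. its support contract) already
    sit inside the To Be figures, so they are not subtracted a second time."""
    annual = sum(line.annual_savings(soft_factor) for line in lines)
    total_benefit = annual * years
    net = total_benefit - investment
    return {
        "annual_savings": annual,
        "total_benefit": total_benefit,
        "net_benefit": net,
        "roi": net / investment,
        "payback_years": investment / annual if annual > 0 else float("inf"),
    }


if __name__ == "__main__":
    case = build_case()
    for line in case:
        print(f"{line.name:38s} as is {line.as_is:>10,.0f}  to be {line.to_be:>10,.0f}")
    for key, value in justify(case, investment=300_000).items():
        print(f"{key:15s} {value:,.2f}")
```

Changing `soft_factor` between 0.1 and 0.3 shows how little the user-productivity line should be allowed to carry the case; if the justification only works at 1.0, it is resting on a soft benefit. Likewise, re-running with a higher To Be success rate tests how sensitive the case is to the assumed effectiveness of the new control.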
About the author
Tom Pisello is CEO of Orlando-based Alinean Inc., an ROI consultancy helping CIOs, consultants and vendors assess and articulate the business value of IT investments.