Security solutions: Cost-justification guidelines

IT TCO savings

Today, installed security systems and products cost the organization money in maintenance, administration and support. If the new security project can help reduce the total cost of ownership for security systems -- providing additional protection while reducing the cost to maintain, administer and support the solution -- the purchase may be justified.

Each time there is an incident, the team also has to mitigate the issue and perform forensics to be sure the risk is not realized again. Many newer security solutions aim to help IT respond faster, with fewer resources required to resolve issues, providing additional productivity enhancements and savings. The opportunity for TCO savings can be calculated by tallying current costs and determining potential savings:

Compliance management savings

Today, organizations have to develop compliance plans and policies, maintain adherence to policies, document compliance and issues, and respond to audit requests. These tasks consume valuable labor and service fees. With a new security solution, compliance management is often made easier, leading to task savings by the compliance management staff.

User productivity improvements

Sometimes security solutions can be intrusive, requiring users to lose precious time performing tasks to adhere to policies, to be granted access and to deal with issues like delayed access and lost productivity while waiting for a password reset. A security solution that can provide protection but is more seamless can help reduce the impact on users and regain some productivity loss. This is a soft benefit however, where all of the time savings will not translate directly into bottom-line company benefit, so the savings should be risk adjusted, scaled down from 10-30% of the proposed savings.

Risk avoidance

Security solutions are implemented to protect a company's information and systems from attack and theft. It is a proactive investment -- an insurance policy to protect against a risk. Quantifying the risks and damage that can be caused is difficult but not impossible, and should be done to justify the security expenditure. If there were past incidents and issues, quantifying the likelihood of an issue and costs is easier.

For example, if the organization was already hit with a virus attack, quantify the number of infections, the costs to mitigate the issue (catalogued as a TCO savings above), the user productivity impact waiting for the issue to be resolved, any lost business while users and systems were down, and any incidental damage from the incident -- such as the impact on business from negative press or word of mouth.

If prior incidents have not occurred, quantification is harder and the team will need to rely on research to help predict how often an attack can be expected, success rates for such attacks based on the current security tools and practices, and the costs of such an attack. With the current cost of security breach metrics the team will need to estimate the risk reduction and resolution responsiveness improvements that can be realized with the proposed solution.

Here is a framework for performing risk avoidance current cost and benefit calculations:

About the author
Tom Pisello is CEO of Orlando-based Alinean Inc., an ROI consultancy helping CIOs, consultants and vendors assess and articulate the business value of IT investments. He can be reached at tpisello@alinean.com.