By Ruby Bayan
Fear, uncertainty, and doubt (FUD)—used to suffice in justifying budgets for deploying the latest security gizmos, bells, and whistles. But in today's strictly cost-effective business environment, where financial officers have a higher tolerance for scare tactics, IT security pros must come up with more tangible reasons to defend their budget requests.
Will a return on security investment (ROSI) calculation be tangible enough? The security experts we interviewed said that the return-on-investment approach, although a bold display of business savvy, doesn't always sufficiently address all the factors integral to determining the value of security solutions. They said that IT pros caught up in soliciting security funding should forget the FUD excuse and venture beyond the ROSI formula. Here are their suggestions.
Maintain credibility by citing business benefits
"FUD does not work, and there is not a straightforward ROSI 'formula' that applies," said Paul E. Proctor, CISSP, vice president of Security & Risk Strategies at META Group, Inc. He said that the formula has failed because security doesn't fit the way businesspeople think of return on investment. He added that experience has demonstrated little success when using a model fundamentally geared to show financial gain—vs. investment—with security, which does not usually have financial gain.
"Most organizations interpret ROI as a financial indicator, and while most security projects have positive financial consequences, this is very hard to predict accurately in advance," Proctor said. The result is limited usefulness and credibility in a traditional ROI calculation. This mismatch can lead to significant lost credibility between the security people and the business unit owners they serve. In the worst case, this can negatively impact future budget requests, he said.
Proctor said that their clients have had success using real, measurable benefits to prove value. Most ROSI calculations are not real or measurable, which is why they lack credibility. "A real measurable benefit does not have to be a financial gain," Proctor said. "It can be lowered staff, improved efficiency, or reduced risk, but it must be measurable. Measurable is the key because measurable is credible."
Gather the metrics to support the benefits
Proctor listed these specific examples of how IT support pros can gather metrics on quantifiable benefits to the business:
- Cite business impacts of laws and regulations. For example, the new California privacy notification law (SB 1386) requires companies to notify California residents of breaches to their personal data. Failure to do so exposes the company to unlimited civil liability. Several security projects can be justified from a business perspective behind this law.
- Collect metrics such as the number of external access attempts, accesses of personal data, unauthorized attempts rejected by various security technologies, etc. This data can be used to demonstrate ROI against a real business need with quantifiable numbers.
- Show the number of hours spent on analyzing raw output from IDS sensors and the increase in efficiency and lower hours if the data is centralized and normalized.
- Count the number of unpatched systems and show how a patch management service or product will improve IT's ability to execute on SLAs to the business units.
"Look for measurable benefits to security," Proctor advised. "ROSI, FUD, and risk assessments are largely conceptual in nature. Look for measurable differences like 20 percent of our TCP/IP traffic is nonbusiness-related HTTP traffic (we need a Web filter); we had over 4,000 access attempts to closed ports on the firewall last month (hackers are scanning us actively); or we had 300 password resets this month, which is a 15 percent increase over the previous month (we should automate password resets)."
The point is that measurable elements have more credibility even if they aren't as glamorous as "protecting company assets from evil hackers," Proctor said.
Tweak ROSI calculations to factor in relevant considerations
John Morrison, managing director of Sapphire Technologies Ltd., pointed to a key shortcoming with the ROSI approach. "Simple quantitative figures are very difficult to provide because the [standard ROSI] formula does not include a factor for threats/vulnerabilities/risks, which determine how valuable your assets are and what costs you will bear to protect them." What is known is that it is three times cheaper to employ these solutions than to suffer the cost of security breaches, he said.
Morrison said that although a lot of work goes into devising relevant ROSI calculations, the most important factor should be a good understanding of how vulnerable your business is. "Organizations need to undertake incident reporting and response on a continual basis to arrive at the true cost of insecurity, which they can then equate to the costs of security solutions," Morrison said. To calculate costs of insecurity, he suggested using simple measures. For example, by multiplying the average cost of employees by the cost of each incident expressed in hours of disruption—both by the incident itself and the restoration time—you arrive at a figure, which, when totaled for all incidents, can work out to some 5 percent of turnover.
Francis Pineda, head of Security Consulting Practice at I-Sentry Solutions Inc., said the part of the ROSI formula that calls for quantifying the cost to recover from intrusions is always the toughest to present. IT pros can plug in whatever value makes sense, "but the biggest impact is on the company's image or reputation, which is basically hard to quantify," he said.
"For some companies, losing account information or even the whole client database is not as costly as the indirect losses." Indirect losses will be nebulous, but nevertheless fundamental, Pineda added.
Carolyn Meinel, author of Uberhacker and president of Happy Hacker, Inc., raised another factor to consider in filling out the ROSI formula: perception. "How do you know when someone stole your cost proposal or customer contact database? The most expensive security failures may never be known. Security of any sort is not a 'line' function for which the bean counters can figure out a generic ROI," she said. That may be why some CIOs push for penetration testing—so that the CFO can see just how exposed the organization is.
Gather input from managers, resource owners, and business units
One strategy that will give IT pros an edge in justifying security funding is to find out how decision makers prioritize the corporate budget. How does the CFO portion the pie?
Proctor advised IT pros to know their business well and to be privy to what corporate incentives get funding and why. Meinel suggested some basic legwork. "Start by doing homework on how other overhead functions in your organization get their budgets—no point in reinventing the wheel. That means networking with human resources, physical security, janitorial, public relations, etc. They all share your problem of competing for funding with the line functions, typically production and sales."
Meinel also recommended networking with production and sales to show them the effect that computer security has on them. In any healthy company, they are the political powerhouses. Sales might become your best ally, as being featured in the news for a computer break-in is a sure way to hurt customer relations, she said.
Pineda advised involving management in the justification process. Stir security awareness among managers of business units, human resource, operations, audit, and other departments. Make all the resource owners deliberate on how security breaches and solutions could affect them, he said.
Morrison reinforced the "get everyone on board" strategy by looking at the issue as more than simply a technical problem. He suggested ways to engage heads and managers in the business costs of insecurity:
- Invest in information security training to ensure that all levels, from board members and business managers to technical staff and business users, understand their roles and responsibilities. Organizations constantly suffer from mistakes or accidents, which are more common than actual hacking activity.
- Educate executive officers and senior managers to view information security as an investment rather than as a cost or overhead. Effective security helps ensure reliable and trustworthy systems, which stakeholders, customers, and the general public depend on.
- Impress upon decision makers that the true cost of insecurity includes the impact of reputation damage, which is far greater than actual costs.
Morrison stressed that information security is more than just technology. "People and processes are equally important, and all three aspects need to be factored into the equation."
Measure of success
"Meta Group research indicates that successful justifications are based on a balanced set of quantifiable returns, risk reductions, and expected improvements from a business perspective," Proctor said. More important, security people should capture actual benefits and value from existing projects on an ongoing basis. This will help build real credibility with the business decision makers to smooth the approval process for new projects, he added.
Proctor also offered an encouraging prediction. "The process of justifying security projects is maturing and we believe will be influenced by the maturity of risk assessment processes and improved executive understanding of the role that information security plays in business thinking. Bottom line is, in the future, successful security people will understand the business better, and business people will better understand the fundamental ROI of security."