Identifying the security ROI
<div align="justify">Having a corporate security strategy generally isn't seen as something that can improve your productivity, increase customer responsiveness or top up your revenues. Historically, it has been something you needed to avoid disastrous consequences.
And while a security strategy is necessary for everyone, the methods used will differ from company to company.
With corporate budgets under pressure, every expenditure needs to be justified. Security remains a problem as it is generally viewed as a cost, rather than a revenue generator.
Jason Holloway, UK country manager at mobile security company F-Secure, suggested that, as security tools have become more of a commodity, selling the technical benefits to buyers is no longer the prime concern. Instead, financial implications are at the top of the project sponsor's agenda.
Return on investment (ROI) has become a critical consideration over features, and there are a number of elements to consider when measuring your ROI for a particular security tool.
Stuart Okin, chief security officer at Microsoft UK, said that, while you can derive financial benefits from using a virtual private network (VPN), or a technology that makes it easier to install security patches, some benefits will only become apparent when someone tries to hack into your system.
Tom Scholtz, vice president at analyst Meta Group, argued for an approach that balances financial gain against benefits which cannot be quantified.
Documenting all of these is necessary if the benefits are to be made clear after implementation. But many companies forget this final, critical stage.
When assessing the measurable financial benefits of implementing a security tool, Scholtz breaks it down still further.
"ROI can be measured by cost savings, and most studies will focus on this. But it can also help to generate more revenues if used intelligently," he explained.
Changes in the political and economic climate have had a major effect on the type of investment made. Before the economic downturn and 11 September, companies were investing heavily in single sign-on and web access control products.
These allowed customers to access websites more dynamically, potentially leading to more revenue. Now technologies that focus on risk reduction, such as encryption, are getting more attention.
Cost-saving and justification
It's easy to see the savings associated with some tools. For example, the cost of using a VPN, with a broadband internet connection, can be mapped against the cost of a leased line.
The revenue-generating potential of security tools is harder to quantify, but it is there. Remote authentication servers, for example, may make your staff more mobile, which increases customer responsiveness, and could boost revenues.
However, Scholtz warned against making broad assumptions that cannot always be followed up with hard figures or money.
It is also important to realise that tools can have a number of different benefits. The single sign-on tools in which e-commerce firms were investing before the downturn are a good example.
Scholtz's clients tell him that up to 30 per cent of phone calls are from people who have forgotten their passwords. Using single sign-on can reduce that number and cut costs.
On the other hand, implementing single sign-on causes its own security problems. If someone lets their password slip, the whole application infrastructure becomes vulnerable.
It also requires an investment in integrating legacy applications. The more you examine the argument for security tools, the less clear cut it becomes.
Measuring the cost savings you can achieve by implementing a specific security tool is top of the agenda for many vendors.
Phil Robins, channel and partnership director for the UK and Ireland at security software vendor Symantec, explained that resellers will often fill out a questionnaire with customers, which is fed into an internal tool to produce a likely ROI figure.
Tim Robinson, senior vice president for secure operations at security consultancy Thales, pointed out that many of the cost savings in an ROI analysis will depend on the peculiarities of your vertical market.
"For example, look at transport smartcards," he said. "One clear quantifiable cost saving is an increase in the number of passengers you are able to process per hour using new technologies."
The intangible benefits Scholtz mentioned include improving the confidentiality and availability of information.
Investing in strong authentication or encryption can protect against future threats but, because those threats aren't known, the financial benefits are difficult to quantify.
Nevertheless, tightening your controls minimises the risk and might improve your regulatory compliance, which could also be seen as a benefit.
The risks of security precautions
While risk reduction can be difficult to quantify, organisations are working hard to try to measure it, helping to boost the case for specific security tools.
The Information Security Forum, a non-profit association, has developed the Fundamental Information Risk Management (Firm) methodology, which collects facts about the level of risk posed by each IT resource within a company or department.
Simon Oxley, managing director of Citicus, has created a server-based software tool, called Citicus One, to produce a quantitative risk analysis for companies to help them build the business case for specific security investment.
The Firm methodology assumes that each resource has an owner, either a technician or a business manager. The owner must fill out a two-page scorecard measuring five elements of risk. The results are collated by a programme director, typically the information security manager.
The programme director uses the analysis to assess the risk for each resource, along with ideas for action plans. The process feeds upwards to senior management, providing them with an overview of the organisation.
The five elements of risk examined by the security scorecard are:
Criticality
The vulnerability of various elements in your resource
Any special circumstances affecting your resource, such as the maturity or complexity of technology
The level of threat
The potential business impact of a breach or denial of service.
The level of threat examines the history of security breaches relating to the resource in question, on the basis that the probability of suffering a major incident increases with the number of historical minor incidents.
The 'business impact risk' category uses an incident-reporting mechanism that measures the cost of previous incidents.
Mapping the scorecard to a particular application results in a chart, which provides a visual record of the current level of risk in each of the five areas.
A particularly valuable part of the process relies on input from risk management professionals in the customer company, who produce an acceptable threshold of risk for each computing resource.
At this point, senior management must weigh up the cost of moving a level of risk within an application from an 'unacceptable' area.
Some of these steps could be procedural, according to Oxley; you may find that a particular resource does not have an owner, for example, and that appointing one could reduce the risk considerably.
Even after all this measurement and analysis, it can still be difficult to find a business case for some security products.
Scholtz argued that many projects involving authentication, for example, have failed because companies couldn't find a true business justification to deploy them across the enterprise.
"It may be overkill for what they need," he said. "Public key infrastructure deployment of strong authentication should be linked to specific business benefits, which are usually linked to specific business applications."
For example, he believes that Identrus, a consortium which attempted to co-opt the global banking community into a wide-ranging digital certificate initiative for customers, was too broad in scope.
Nevertheless, some applications using digital certificates, such as smartcards, can deliver a clear ROI, according to Robinson.
He implemented a smartcard system at Thales that consolidated employee ID badges and building access badges.
It also provides access to corporate applications via laptop PCs. Integrating them all into a single card makes it much easier to revert or change authority.
Badge maintenance becomes easier thanks to a single card management system. "It's 20 per cent cheaper to have an integrated system than two separate systems, and 20 per cent is a compelling argument even without the soft benefits," he said.
It is possible to make a solid business case for investing in particular security tools, but the stronger the case, the more work will be involved.
The methodologies and frameworks for cost savings and risk reduction analyses are there, but the trick is finding the time to use them.
Adequate levels of security
One of the most persuasive drivers for business security may not be financial gains at all.
Companies may be forced to implement adequate levels of security or face penalties, thanks to guidance on internal control released in 1999 in the form of the Turnbull report.
Released by the Institute of Chartered Accountants in England and Wales, the report laid down guidelines for the implementation and maintenance of internal controls.
It suggested that an internal control system should be embedded in a company's operations, and not be treated as a separate exercise, and that it should also be able to respond to changing risks, both within and outside the company.
But Oxley argued that companies still have a long way to go before company bosses understand the issues.
"If you go in and ask any senior management what the risk status is of their IT systems, they don't have a clue," he said.
Managing security resources
Just as outsourcing is said to provide cost benefits in other areas of computing, managed security services are being proposed as a way for companies to save money and ensure that systems are watertight.
A report published last year by Datamonitor highlighted some key costs of managing security resources in-house, including recruitment of skilled staff, and training costs.
It suggested that companies need to employ more security staff than are required at any one time to ensure that networks are covered on a 24/7 basis.
European companies are not monitoring their networks on this basis, according to reports. While 83 per cent of travel companies monitor their networks in Europe all day, the figure drops to 76 per cent for financial services companies, and 63 per cent for IT and telcos.
Bottom of the list are retail companies. Only 48 per cent monitored their networks for breaches on a 24/7 basis in 2001.
Companies such as IT consultancy MIS Corporate Solutions offer managed security services which can, they claim, drastically reduce costs for customers.
Matt Tomlinson, business development director at MIS, indicated that some of his larger customers would have to employ three or four people at £30,000 each to manage their internal security resources such as firewalls, whereas he can manage them remotely for 10 to 15 per cent of the cost.</div>