What's the best way to determine the return on security investment in our company? Getting a bigger security budget is difficult without being able to bring solid numbers to the board.
Ask the Expert!
Have questions about enterprise security? Send them via email today! (All questions are anonymous.)
Return on security investment is a misnomer. There typically is not a direct financial return from investing in new security personnel, equipment or services. However, that doesn't mean that information security has no value. To an astute executive, an investment in information security more resembles a type of insurance: Like a traditional security policy, an information security program can lessen the effects of a worst-case scenario, but unlike insurance, infosec -- in the form of security technology, secure processes, and security training -- can also reduce the likelihood that a worst-case scenario will happen in the first place. This invalidates the idea of measuring ROI on security investments as it requires the event to occur in order to create value. This gets into calculating statistics on probabilities and starts to sound much more like insurance than investing.
This insight can be useful if you apply it in the same way as you would an insurance policy. It is critical to understand the information assets in your environment and their value to the company. You would never pay more for insurance than what the item being protected is actually worth. On the other hand, you would never leave a valuable asset unprotected (or uninsured) if it were at risk. This is true for executives as well, as they divide the company's scarce financial resources between investing in revenue generating activities and protecting existing assets.
The security team needs to understand and demonstrate the value of protecting that asset for each budgeted line item request. For example, the company may rely on a credit card authorization service that would affect the business at a rate of $1,000 per minute. There will also be the financial effect of any fines and legal costs at the average rate of $250 per user-account breached. The value of the asset to the organization is calculated as the lost revenue from the system being unavailable, plus the expenses of any serious breach. This adds up to $2,530,000 for a 30-minute outage with 10,000 accounts affected. Armed with this information, the security team will find selling to the executive team a $1,500,000 implementation to prevent this event from occurring much easier. They may have a tough time selling a $5,000,000 project to the executive team given the same information.
This is a simplistic example, but executives are more likely to respond to the possibility of revenue loss than just a potential expense. They will also appreciate that the information security department understands the business and is working to protect revenue, and not just proposing esoteric technology.
This was first published in June 2013