NEW YORK -- Demonstrating a return on investment on IT security in the enterprise is nigh impossible because there are no metrics that measure ROI unless a company is attacked or security is outsourced to a managed security service provider.
"There's no way to identify it. And the only ones who have to are those who make the purchases," said Par Lindstrom of Investor Growth Capital of New York and Sweden.
Lindstrom was among the group of IT professionals in attendance Wednesday at the Yankee Group's Securing the Enterprise conference. A panel of experts debated the issue of ROI, and the fact that the panelists reached no firm conclusions is an indicator of how perplexing the question is.
ROI is generally thought of as a revenue enhancement or a cost savings. Security, meanwhile, is sold on fear. The panel was asked when that trend would shift toward selling the value of security.
"That's the holy grail to some extent. You have to get security to an executive in an enterprise where they're saying more than 'This is a black box and it cost me a lot of money,' " said panelist Robert Shaw, CEO and President of ArcSight. "You have to elevate security to a business process. Right now, there's a huge difference in knowledge in the guys at the top and the guys who do security."
Another panelist, Ken Ammon, CEO of NetSec, compared it to the chicken-and-egg challenge.
"Often, the only way to prove a security investment has paid off is by not being attacked," Ammon said. "A solid security policy is key to creating efficiency and preventing expenditures."
Security costs are found not only in expensive products but also in pricey staff. Giga Information Group recently released a report that said chief security officers in financial institutions currently command $400,000 salaries. That number drops in other sectors, but a CSO and staff are a massive expenditure for an enterprise. Outsourcing, the panel hinted, relieves that cost.
Patching software vulnerabilities alone can bring exorbitant price tags. There may be just one patch, but it has to be applied on every box in-house running the vulnerable software, and that can ring up the man-hours and reduce ROI in an instant, the panel said.
"There are only a handful of vulnerabilities that are relevant to the enterprise," said Ammon. "The key is filtering those."
Adam Joseph, CEO of managed security services provider TruSecure, said that the first item an enterprise may consider outsourcing to help the ROI issue is the process of tracking down and filtering vulnerability information.
"Outsource that to an expert. Security personnel are difficult to find and retain," Joseph said, adding that most companies don't have the resources to recruit or pay trained security staff. He also suggests outsourcing the implementation of a security policy and the management of devices.