Many enterprise security-buying decisions are made by someone outside the IT department, like a chief financial officer. And their bottom-line interests do not necessarily match those of the techies'.
CFOs won't sign off on a purchase without a convincing business case from IT. A company's chief information officer (CIO) is the person most often pitching that case, and there's often a sizeable virtual wall CIOs need to scale to get their proposals approved, especially when the money folks start asking about return on investment (ROI).
A language barrier exists between the two factions, especially when a CIO tries to sell a CFO the virtual value of a security tool without demonstrating how it impacts the overall bottom line.
Boston-based analyst firm Aberdeen has teamed with Alinean, an Orlando-based developer of ROI tools, on a Security ROI Selling Toolkit that both organizations say can close the gap. The kit, available in September, combines Aberdeen research with Alinean software and methodologies to help not only internal IT quantify security purchase, but help security vendors do the same.
The toolkit does not make specific product recommendations, but instead offers four components that vendors or IT buyers can holster in quantifying ROI. The components include: a white paper that helps teach the buying criteria of security and how security purchases can be justified; a Windows-based sales tool that helps security vendors build their business case and includes the metrics for implementation, risk mitigation, total cost of ownership (TCO), ROI and more; an e-learning course that teaches vendors and IT how to demonstrate the value of IT security from a financial value perspective; and an ROI calculator that lays out the economic benefits of a particular purchase.
"What we see is a big disconnect between the CFO and the CIO," said Tom Pisello, Alinean's president and CEO. "CIOs make their case by preparing a diagram of how a particular purchase is going to fend off different issues. But they don't tie it to the impact it will make on the financial statement. It doesn't demonstrate, for example, how a security solution can reduce help desk costs and map those savings to overall savings in other areas."
Aberdeen vice president and managing director, information security practice, Jim Hurley said this partnership is a unique approach to solving this disconnect.
"As security becomes more important to companies in terms of the ability to show growth and profit, it becomes more important to look at ROI in the acquisition of security technology and its ongoing maintenance to make sure a company is spending prudently," Hurley said. "No one has measured ROI effectively yet. We don't focus on security, but we focus on business opportunities and the support processes the enable the business opportunities to result in revenue gain or the mission of a government agency, for example."
Hurley said a common misconception is that ROI can be demonstrated in terms of a simple payback scheme -- if a company buys Product A, how long before they get back the money spent.
"That approach works well, but it's meaningless to the CFO involved in security-buying decisions, because it has nothing to do with the language of finance," Hurley said. "CFOs want to see a return on capital or invested assets. The IT buyer needs help communicating with the CFO in a language the CFO will understand."
In terms of methodology, the Aberdeen/Alinean combination said it looks at metrics in terms of the effect in operational efficiency and revenue -- specifically, the impact security can have in mitigating threats against assets and the value of those assets to a company.
Pisello offered the example of a company liable to virus attacks. Using the toolkit, an enterprise IT shop could do a threat assessment to determine the probability of a virus attack and then look at the costs involved in mitigating that threat.
"We would demonstrate the costs associated with organizational downtime, the loss of revenue and the damage to a company's brand," Pisello said.
"We take ROI where it is defined as a simple payback and extend it to an adequate security analysis and tie it to a corporation's financials," Hurley said. "We are creating a new ROI model."