CHICAGO -- Sandy Baker-Twaddle is the exception rather than the rule in security when it comes to demonstrating a total cost of ownership or return on investment to the senior executive level.
Baker-Twaddle, enterprise project director for American Eagle Outfitters, said that security-related purchases have been simpler for her department after an audit pointed out deficiencies in her company's network and systems that forced decision-makers to elevate security as a priority.
What her situation shares with the rest of the corporate world is that something bad had to happen before the people holding an organization's purse strings took security officers like Baker-Twaddle seriously.
"That mindset has to change," she said during SearchSecurity's recent Security Decisions conference. American Eagle Outfitters' network hosts more than 10,000 users spread out over 700 stores on a wide area network (WAN). More than 100 servers are hosted at the company's headquarters in Pennsylvania. "It changed for us because auditors convinced our executives to change."
On a global level, however, Baker-Twaddle recognizes that attitude isn't widespread and that makes justifying security expenditures nigh impossible.
"ROI or TCO isn't easy because there are so many intangibles in security," she said. "You have to have something happen, or be persistent with executives to get through to them. There are too many intangibles to measure and there are few metrics to apply to make life easier."
Gartner's Roberta Witty introduced a TCO model to attendees struggling to scale the virtual Mt. Everest between IT and business decision-makers in the enterprise who fail to elevate and prioritize security on the corporate agenda.
Witty said the Gartner model helps manage current and future security spending, helps make key infrastructure and business decisions and helps enterprises gain a competitive e-business advantage.
"Companies have to take a holistic view of information security," the analyst said. Witty said today's "virtual" enterprise needs to concentrate on its core competencies and introduce service providers to deliver what in-house groups cannot. "Information security spending and decision making is moving to the business units, with day-to-day support moving back to the IT department or IT security group."
Witty also suggests establishing a chief information security officer (CISO or CSO) who is a peer to the chief executive officer (CEO) and chief information officer (CIO) and who will deliver on an enterprise's information security program. That program includes policy management, security administration, engineering and incident response.
"The CISO has to talk up and educate the CEO," Witty said. "If the CISO is not on a par with the CEO and is buried in the technology group, the CISO will have no credibility, or the skill sets to carry on that conversation."
Witty also helped Security Decisions attendees identify metrics they could use in justifying expenditures. Some suggestions included the cost of cleaning up virus incidents, training and policy implementation costs, and downtime costs.
"These are important to establish, because if you have a negative metric month-after-month, if it's a big number to management, you're showing you need more money for your budgets," Witty said.
Business-driven risk assessments are also a must, Witty said. She told attendees to look at the impact on revenue (how much money an enterprise would lose because of a security breach); legal or regulatory penalties if breached; damage to an enterprise's reputation; and the loss of competitive advantage (do customers walk away because of a breach).
Security professionals need to rate each of those based on importance, and have a business manager answer those questions. Also, a corporate security policy must be translated to "business speak."
All facets of the TCO model help put security into a business perspective and allow enterprises to be more proactive in fending off threats introduced by a bevy of outsiders needing more and more network access to achieve day-to-day business goals.
"Our upper management waits until something happens to act," said Ryan Mire, network administrator for the Lafayette Consolidated Government, city government for Lafayette, La. "They are not proactive. The mindset of upper management has to change. Upper management may not be as technology savvy and doesn't see the advantage of IT security."