Persuading management to invest in security can be tough because quantifying its return on investment is not easy. That being said, there are things companies can do that are inexpensive but pack a lot of bang for the security buck.
Dahl Gerberick of Deloitte & Touche LLP suggests that security professionals concentrate their spending on "low-hanging security fruit." In other words, go for the technologies and practices that provide the biggest improvements in security for the least amount of cash. During a session at CSI's recent Computer Security Conference and Exhibition in Chicago, he suggested a few factors one should consider when evaluating return on investment for security purchases.
Technologies and practices that require a low investment and provide a significant amount of extra security are no-brainers, Gerberick said. Creating and tweaking security policies, for example, is a relatively cheap option that can pay dividends. Unlike an esoteric device or appliance, policy is an issue that management can understand. Business continuity planning is another inexpensive investment that, in light of September 11, companies should consider.
Companies can also look at technologies that address other business needs, in addition to security, Gerberick said. For example, encryption is important to security but also improves privacy.
Security improvements don't necessarily have to come from a security vendor. Upgrading to Windows 2000 or installing a new ERP system that has better security features are ways that companies can be more secure without investing in security per se, Gerberick said.
For Steve Fling, who works for a large mutual fund company, "low-hanging fruit" means focusing on developer training and testing. He has allocated 40 hours per quarter at his firm for technical staff to perform "ethical hacking" sessions against all the company's applications. There is also money earmarked to train developers in secure coding practices.
Investing in the human element of security is a good practice in difficult economic times, said Stephen Crutchley, CSO of 4FrontSecurity Inc., an independent security consultancy. "We are not talking about big money here, but training will show employees that management is interested in protecting them. They in turn will care about protecting the company," he said.
Calculating the return on security awareness training isn't easy, Crutchley said. But one employee can let a virus into the corporate network that could cause a lot of damage. "Spending $10 to train that employee could have saved the company $1 million," he said.
Internal audits are another way to improve security that doesn't cost a lot, suggested Neil Jackson, a business manager with an online brokerage. "There is no need to have the Mercedes of security systems and not monitor and report how the employees and managers comply," he said.
Performing risk assessments is another low-cost way to improve security as they help companies "understand what they want to accomplish through security and then take steps to address their exposures," Jackson said. He suggests the IT risk-assessment program offered by the National Institute of Standards. "Free and comprehensive, once owners know their risks they can identify those items that require specific layers of security and possibly implement security more cost effectively," he said.