ROI: Positive Returns

Return on investment (ROI), from a business perspective, is elementary: You spend money with the expectation that you'll make back the same amount, plus some revenue gain. An e-commerce server that costs $20,000 and processes $100,000 in transactions will have a $80,000 ROI, or 400 percent.

Security is a cost center like human resources, the mailroom and facilities; it doesn't generate revenue. Even here, though, evaluating ROI is straightforward. You compare actual costs--both known spending and known incident costs--with projected costs, based on assumptions and expectations about what will change with the new product or service. The ROI is savings generated by efficiency. An automated patch management solution, for example, will reduce the time it takes to deploy patches compared to a manual process, resulting in a cost savings.

The same logic is applicable to most any security process: services vs. in-house operations, or help desk vs. manual password resets, IPS and incident reductions. If the savings is greater than the product's TCO, you have positive ROI.

Generally speaking, ROI is gained by increasing the productivity of your IT staff through automation and reducing recurring, predictable incident costs. Frequent incidents and their associated response costs are a factor in some security spending, such as antivirus and antispam, in which ROI is an evaluation of operating costs under different conditions, such as running a network with and without AV.

• Review these resources on security ROI.
• Learn best practices for achieving ROI for security spending.
• Learn strategies quantifying security risk.

About the author
Pete Lindstrom, CISSP, is research director at Spire Security and a contributing editor for our sister publication Information Security magazine.

Note: This article originally appeared on Information Security magazine.

Rate this Tip To rate tips, you must be a member of SearchSecurity.com. Register now to start rating these tips. Log in if you are already a member. Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Risk Management Strategies Database patch denial: How 'critical' are Oracle's CPUs? Security breach management: Planning and preparation The ins and outs of database encryption Failure mode and effects analysis: Process and system risk assessment Data loss prevention (DLP) tools: The new way to prevent identity theft? IT GRC: Combining disciplines for better enterprise security Partner access: Balancing security and availability Enterprise data management: Analyzing business processes and infrastructure for data protection Filtering log data: Looking for the needle in the haystack Guide to passing PCI's five toughest requirements Risk Management Metrics and Measuring Risk Security data lapses hamper researchers Next wave of security will be defined by metrics, analysts say Like MLB scouts, IT security pros are turning to metrics Interview: Financial Services CISO David Pollino Failure mode and effects analysis: Process and system risk assessment The pros and cons of data breach insurance Researcher Puts Quantitative Measurement on Information Security Threats Quiz: Developing a risk-based compliance program Sophisticated spam, employee errors continue unabated Why you shouldn't wager the house on risk management models RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.