When evaluating ROI, consider that quantifiable results often can't be demonstrated for security, as more than one company has learned.
Illustrating that is the story of "Papa Lopez." Founded nearly 30 years ago by an immigrant with little cash, the line of Mexican food products grew from a generations-old secret recipe for salsa.
Years later, his daughter, a Wharton business school graduate, assumed control of the successful company, whose products crowded grocery store shelves. A respected consultant, Maria excelled in one-to-one customer marketing strategies.
Maria's first step was meeting with the senior management team to announce some major changes; instead of marketing only to distributors and supermarkets, the company would target consumers directly. Papa Lopez acquired mailing lists to directly reach out to new prospective customers and soon had a large U.S. customer database.
The CIO proposed an IT budget for the next fiscal year, including investment proposals for customer relationship management (CRM), a
He easily completed a rigorous analysis for the CRM and network wireless communications proposals. However, security was almost impossible to define in ROI terms. As a consequence, Maria and the board authorized the CRM and network improvements, but not the security safeguards.
Maria began rewarding employees who came up with innovative ways to increase sales. One suggestion merged Papa Lopez's database with that of a pharmaceutical company when a medical study showed a strong corollary between people with digestive problems and consumers of spicy foods.
Then lightening struck.
Papa Lopez's database was hacked. All customer records, which included the names, addresses and credit card information, were compromised. The database also included the customer list from the retail pharmaceutical company's database.
The CIO explained to Maria that the company's outsourced CRM application resided on an extranet platform and provided numerous direct avenues to the database. To improve productivity, the sales force and business partners could use PDAs to quickly check customer profiles and specific market segments.
The absence of a contingency plan meant the hacking issues didn't go away; it was weeks before perimeter controls and an IDS could be put in place.
Later, Maria received a letter from India that informed her that the secret salsa recipe that had been in her family for more than 200 years was now in someone's hands in Hyderabad. The writer warned that unless she paid a significant ransom, the recipe would be handed over to a competitor.
Making matters worse, Maria received notice from the California Attorney General's office stating that Papa Lopez could be charged with criminal violations under SB 1386, which mandates that companies disclose security breaches that compromise certain personally identifiable information of California residents.
Customers of the pharmaceutical company began receiving e-mail messages from companies they never had a relationship with. Many suspected that their personal health data had been stolen and began to take legal action.
Maria's sales dropped 50%. The board blamed the decrease in revenues on negative publicity.
Developing a precise ROI for security is a challenge for IT departments because security affects many different business activities and areas of an organization. The challenge is to understand the interrelationships between a company's IT infrastructure and various business processes.
In this case, a company's CRM application created new security risks for Papa Lopez. The CIO wasn't able to provide the company's board of directors with the true costs of the security needed to protect the customer database or the opportunity costs that would result if a security breach occurred. As a result, the board didn't approve his budget request. If he'd been able to demonstrate the ROI, he would have been able to turn a security threat into an opportunity and demonstrate the value of a strong IT function to a company's success.
About the author
Larry Ponemon is chairman and founder of the Ponemon Institute, an organization focused on the development of privacy audits, privacy risk management and ethical information management.
This was first published in February 2004