Cyber Security Institute

§ Current Worries

Top 3 Worries

  • Regulations
  • Old Firewall Configurations
  • Security Awareness

§ Listening

For the best information

  • The underground
  • Audible
  • Executive Excellence
  • Music (to keep me sane)

§ Watching

For early warnings

  • 150 Security Websites
  • AP Newsfeeds
  • Vendors

Monday, June 23, 2008

Security and Business: Financial Basics

You need to find and use the right financial metrics to communicate security’s value to your company.  Here are pros and cons of four: TCO, ROI, EVA and ALE.

How do you justify spending on something that isn’t designed to increase the bottom line?  The fear factor exists, and yet explaining why bulletproof glass is worth more than Plexiglas still requires numbers.  With a recession hovering over the United States like some black helicopter, there will be still more pressure to measure what security spending brings to a company.

One big challenge is that the data rarely is simple to pull together.  And even though there are now tools like Agiliance, which makes an ROI calculator for information security expenditures, the devil is still in the data.

Here are four well-known metrics and measurement components that, if used properly, can help put the impact of security spending in the financial perspective companies need.

ROI (Return on Investment) It’s a classic business expectation that if you invest money in something, you can measure the return on your investment by its impact on the bottom line.  But understanding the value of security spending presents challenges, since the tension that exists in most branches of IT is that investment does not usually lead directly to profits.  For security spending, the problem is bigger: If investing in security works, nothing happens.

But what if nothing would have happened anyway?

“[The trouble with] trying to calculate ROI on security tools is that they destroy the proof of their effectiveness simply by doing their job,” says Ross Leo, CEO of Alliance Group Research, a security consultancy.  So ROI has become a somewhat loose measure of how long it will take to recoup the cost of investing in security.  It is not a perfect measure, which may be why its usage appears to be dropping.

Some 42 percent of organizations polled in the 2007 Computer Security Institute Computer Crime and Security Survey said they used ROI to measure their information security investments.  That was up from 39 percent the year before, but well below the 55 percent who reported using it in 2004.

Other common measures: 21 percent of respondents said they used internal rate of return measures, and 19 percent used net present value.  ROI can be straightforward for some aspects of physical security.  Craig Chambers, CEO of Cernium, which makes software that analyzes videotape, says at a minimum, his firm’s tools mean companies can hire fewer security guards, creating obvious savings on salary and benefits.  But it’s rarely so straightforward to calculate savings.  Some of the problems with using ROI: Strict adherence to ROI may cause companies to pick the wrong technology to save money.  For instance, a firm might find that inexpensive surveillance cameras are not as effective as ones that include built-in analytical tools, but a strict focus on ROI will seem to show a better payback for an inferior product, says Steve Hunt, a security consultant in Evanston, Ill.  “ROI is misleading because people don’t understand what they’re trying to accomplish…Look at the benefit you want first, then the ROI,” Hunt says.  He doesn’t think ROI numbers work well in security, and he tends to counter with a discussion of their likely losses if they don’t invest in security services.  Even though he prefers measuring losses, he concedes that unless a firm has recently experienced a breach of some sort, measuring costs becomes an exercise in “throwing darts at a dartboard.”

Otherwise, it’s tough to quantify the potential around losses, says Anthony Hernandez, managing director of the information risk management practice at Smart business advisory and consulting in Devon, Pa.  He notes, for instance, that it was difficult to say what companies would get in return for spending on HIPAA compliance.  In the case of PCI, he’s seeing companies receive fines of $25,000 a month.  It’s also possible to measure what breaches will cost, thanks in part to incidents like those at TJX, which paid $100 million in fines and another $156 million to resolve lawsuits.  It would be harder to say whether TJX suffered any intangible costs, like loss of goodwill (sales actually rose in the wake of the breaches).

Note that there’s also another measure, ROSI (return on security investment), which works by taking the expected security spending and subtracting any expected annual loss (see ALE, Page 39).

TCO (Total Cost of Ownership) An alternative to ROI is to figure the total cost of ownership (TCO) for a security investment.  While the purchase cost or ongoing contract costs will be clear, figuring out less-obvious spending is harder.  For Tyminski, TCO helped him justify buying a new intrusion prevention system.  Bell will measure the time system administrators need to spend with the product, how much time it will take to install or migrate to a software package, what the product itself costs (both up front and for maintenance or support) and how much time its help desk will spend doing hand-holding.  Marc Shapiro, senior vice president of Group 4 Securicor, the parent company of Wackenhut, says the firm is seeing more CSOs look for metrics, primarily TCO.  Ideally, he likes to contrast those with the potential losses, but even in the physical security world, annualized loss estimates “are difficult to get,” he says.

EVA (Economic Value Added) The best-known version of EVA was developed and trademarked by Stern Stewart and offers a way to measure financial performance for business units.  To use an EVA in a practical way, one should take numbers used to generate things like total cost of ownership, ROI and the annualized loss expectancy, and compare them to actual costs, looking at factors like what it would cost to implement and support them.

Posted on 06/23