Demonstrate ROI from your IT security investment
The New Zealand Computer Crime and Security Survey 2010 shows that almost two-thirds of businesses spend less than 5% of their total IT expenditure on security, even though the average small-scale virus infection, compromised system or lost asset costs companies around $15,000 per incident. Businesses work on the principle of demonstrating good returns on smart investments. So why don't they invest in protecting themselves from these obvious costs?

The primary reason that Return on Investment (ROI) measurements are hard to apply to IT security spending is that there is no easy way to identify the optimal point of expenditure. Spending too much yields no extra return in terms of security, while spending too little is also a waste of money because it doesn't provide any protection.

Another problem is that, particularly with things such as network monitoring, there are no hard assets or data to measure ROI against. If you spend $200,000 on perimeter security for your organisation, and your network security team claims it "blocked 3.5 million hack attempts" in the last financial year, do these numbers have any significance? Of the 3.5 million "hack attempts", how many were simple port scans or non-threats? What proportion of these "attacks" may have been prevented by simple common sense?

The answers can be hard to find. Even many network security engineers will respond to such questions with a friendly shrug. One solution to the ROI quandary is to consider security spending as insurance for the next financial year rather than the previous financial year. Like calculating insurance for your organisation, IT security can then be measured in terms of risk reduction. How much would a security incident cost your business today? How much in six months' time? What will be the impact on the organisation if your systems are partially or completely compromised?
If you have never had a serious compromise or incident to base these calculations on, how can you work out the estimated loss relating to an event? In modelling simple scenarios (such as a compromise of your organisation’s email systems), you should take the following factors into account:
- Financial loss – raw cash that could be dropped from the bottom line as the result of an incident.
- Reputational damage and subsequent loss of sales – this may not be immediately obvious at the time of an incident, but may be long lasting.
- Impacts on productivity – incidents require significant time and effort to manage and resolve.
- Damage to data – what if your data is unrecoverable or requires significant time and resources to verify its integrity?
- System recovery and rebuild resourcing – bear in mind that lack of documentation and complexity of environments can often lead to unexpectedly long recovery times.
- Staff health – security incidents can be very stressful events and are often detrimental to staff health.
- Loss of leadership confidence – boards and shareholders will (appropriately) start questioning leadership within organisations if IT security is shown to be insufficient.
- The cost of additional expertise – a significant amount of contractor time is often required to assist in resolving issues resulting from an incident.
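The "security as insurance" calculation above, carried through as an added worked example (not from the original article): the cost factors listed are summed into a per-incident loss for the email-compromise scenario, multiplied by an expected incident frequency, and candidate spending levels are ranked by the annual risk they remove net of their own cost. Apart from the article's $15,000 average incident cost, every dollar figure, frequency and control effectiveness value is a constructed assumption.

```python
"""Risk-reduction ROI for a modelled incident scenario (constructed figures)."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class IncidentScenario:
    name: str
    costs: Dict[str, float]            # per-incident cost factors from the article's list
    expected_incidents_per_year: float  # assumed frequency if nothing extra is spent

    def single_loss(self) -> float:
        return sum(self.costs.values())

    def annual_loss(self) -> float:
        return self.single_loss() * self.expected_incidents_per_year


@dataclass
class Control:
    name: str
    annual_cost: float
    frequency_reduction: float        # fraction of incidents prevented (0..1)
    impact_reduction: float = 0.0     # fraction of per-incident cost avoided (0..1)


def residual_annual_loss(s: IncidentScenario, c: Control) -> float:
    """Expected yearly loss that remains after the control is in place."""
    return (s.single_loss() * (1 - c.impact_reduction)
            * s.expected_incidents_per_year * (1 - c.frequency_reduction))


def risk_reduction_roi(s: IncidentScenario, c: Control) -> Tuple[float, float, float]:
    """Returns (loss avoided per year, net benefit after spend, benefit/cost ratio)."""
    avoided = s.annual_loss() - residual_annual_loss(s, c)
    net = avoided - c.annual_cost
    return avoided, net, net / c.annual_cost


def best_control(s: IncidentScenario, controls: List[Control]) -> Control:
    """The optimal spending point is the option with the highest NET benefit,
    not the highest ratio: a cheap control can score a great ratio while
    leaving most of the risk on the table, and an expensive one can remove
    nearly all the risk yet cost more than the loss it prevents."""
    return max(controls, key=lambda c: risk_reduction_roi(s, c)[1])


# Constructed scenario: compromise of the organisation's email systems.
EMAIL_COMPROMISE = IncidentScenario("email compromise", {
    "financial loss": 15000.0,   # the article's average cost per incident
    "reputation / lost sales": 20000.0, "lost productivity": 10000.0,
    "data damage": 5000.0, "recovery and rebuild": 8000.0,
    "additional expertise": 12000.0,
}, expected_incidents_per_year=0.5)

# Constructed spending options, from minimal to gold-plated.
OPTIONS = [Control("A: baseline hardening", 5000.0, 0.40),
           Control("B: hardening + monitoring", 20000.0, 0.80, 0.25),
           Control("C: full managed service", 60000.0, 0.95, 0.50)]
```

Option A gives the best benefit/cost ratio, option B the highest net benefit, and option C costs more than the remaining risk is worth, which is the "spending too much yields no extra return" point from the text.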