Network Computing is part of the Informa Tech Division of Informa PLC

The Payoff: When Security Makes Business Sense, First and Foremost

Determining a return on investment isn't the only way to pitch a security project. Although it's true that hard metrics often trump passionate pleas (see "How To Pitch a Winning Project"), business drivers often trump numbers. Making good business decisions is the goal. Quantitative methods may provide useful input, but they're no substitute for careful reasoning about which security expenditures will help make your enterprise more successful overall.

Take the way one leading financial institution prioritizes its security spending. The company has a baseline of security spending that is nondiscretionary and necessary to satisfy its regulatory and internal audit requirements. By consistently implementing these policies, the company ensures that no line of business becomes the weakest link that undermines the security of the entire enterprise.

ROI and other quantitative analysis may help provide a common framework with other technology investments, but you should prioritize and justify security spending by having a solid discussion of your application objectives and their exposures. Because so much of today's security budget is dedicated to mandatory items, only a fraction is left for discretionary projects. So you must have a healthy debate regarding how best to spend this money. Quantitative techniques play only a limited role in prioritizing these security projects.

Risk Is Relative

Risk-management philosophy pervades today's companies, and it's apparent on both the revenue- and cost-generating sides of the house. Using a risk-management approach, many companies, for instance, accept a priori that all their activities have risks. The challenge then becomes spending your resources to protect the business from likely security threats. This adds a third dimension to the classic cost-benefit analysis. Using the risk-management approach, you are assessing relative or proportional contribution, rather than absolute contribution, when comparing prospective projects.
