Security ROI: 5 Practices Analyzed

Which security practices bring the best return on investment? Not all of the most popular practices are good for your company.

Larry Ponemon

June 18, 2013

5 Min Read
Network Computing logo

The Syrian Electronic Army: 9 Things We Know

The Syrian Electronic Army: 9 Things We Know

(click image for larger view)
The Syrian Electronic Army: 9 Things We Know

Traditionally, enterprise data security has relied on a "fortress defense" approach: keep all assets within a corporate castle and build towering walls to keep out the enemy. However, with an evolving threat landscape that includes targeted attacks, social engineering and spear phishing, the model leaves plenty of vulnerable attack points.

With increasing employee mobility, IT professionals are challenged to expand their security practices to "armor" employees individually in addition to the fortress. As a result, IT budgets are stretched thinner, resulting in the need to examine the return of investment of popular security practices. In the battle against data breaches, which practices - "fortress defense" or "armored defense" – provide the greatest ROI?

"Fortress Defense" Best Practices

1. Identity and access management (IAM). The drawbridge of the fortress defense is IAM: only those with preapproval can access the corporate castle and management decides where they can go once in. IAM provides a strong defense against data breaches, but requires a significant amount of time and effort to be deployed right. Furthermore, not all IAM solutions are created equally. A 2012 Forrester report found "that build-your own, COTS, and cloud IAM solutions provide triple-digit ROI percentages over manual IAM processes."

Employees must be thoroughly trained on policies and procedures for IAM to work. Feeling pressure to produce more outputs in less time, employees often find workarounds for accessing data. If implemented and maintained correctly, IAM can cut down on data breaches but if not, a weak ROI can be expected, leaving sensitive data at risk in the process.

ROI: 50/50 depending on if it is implemented and maintained correctly.

2. Accessing data in the cloud. Cloud-computing providers are typically viewed as a cost-effective way for companies to expand server capacities or increase capabilities without investing in a new infrastructure, personnel training or software. However, there are hidden costs to putting company data in the cloud.

First, businesses that use cloud-computing providers are captured by their rates, plans and capabilities, and fulfilling individual service needs adds up quickly. The cost of supporting a large number of remote devices, upgrading network bandwidths and dealing with unavoidable outages is high. The debate on export-control regulations in relation to the cloud is increasing and updating services to comply takes manpower and money to accomplish.

ROI: Low for large companies that require customization or regulation.

"Armored Defense" Best Practices

3. Anti-theft solutions on mobile devices. Anti-theft solutions on company-issued devices are relatively inexpensive and easy to employ within the employee base. Remote wiping of a lost or stolen device can prevent data theft while geo-locating tools aid in recovery efforts.

These tactics also can be used for BYOD, a trend that is here to stay. According to Gartner, by 2018, 70% of mobile professionals will conduct all their work on personal smart devices. Although some debate surrounds these solutions for personal devices, the chances of recovery are slim as evidenced in Symantec's Smartphone Honey Stick Project. This experiment involved leaving 50 smartphones in public places throughout five major cities to determine recovery rates and information on data accessed by the finders. The results were alarming: only half of the people who found one of the smartphones made any attempt to return it and 96% of the phones had data accessed by their finders.

ROI: Strong and easy to implement.

4. Upholding visual privacy. It is likely that confidential data will appear on an employee's laptop or smartphone screen near wandering eyes at some point, whether it be while checking emails in line at the coffee shop or finishing an important presentation on a flight. This issue of visual privacy -- the protection of sensitive information as it is displayed onscreen -- is emerging in information security but one that is easy to protect on individual devices with tools like a privacy filter.

The Ponemon Institute recently released the Visual Privacy Productivity Study, commissioned by 3M, and found a significantly positive ROI to protecting visual privacy. In the study, employees equipped with a privacy filter were twice as productive as those without a privacy filter because they didn't have to worry about data loss. For a company with 7,500 employees, lost productivity due to employee visual privacy concerns is potentially costing an organization more than $1 million annually. With the average privacy filter costing approximately $40, this investment is recouped in months.

ROI: Strong and crucial to employee productivity.

5. Self-encrypted drives (SEDs). With the encryption capabilities of SEDs invisible to the user, it cannot be turned off and an employee's workflow is uninterrupted. The end user doesn't take any steps to keep this security measure in place, removing the human error or shortcut factor. The 2011 Ponemon Institute study, Perceptions about Self-Encrypting Drives: A Study of IT Practitioners, found that 40% of professionals that report to CIOs or CISOs believe employees within their organizations routinely turned off their laptops' security even though 68% of the organizations involved had policies prohibiting this practice. Although SEDs have a higher price point than standard drives, they curb the loss of confidential information that may come as a result of lost or stolen laptops. Factoring in that a breach in this capacity is practically handing over confidential information to the enemy, SEDs are a worthy investment for any corporation.

ROI: Strong with little room for human error.

In summary, "fortress defense" security practices tend to be the most costly to implement and their ROI is contingent upon employee execution and maintenance, which can diminish the ROI. According to the 2013 Cost of Data Breach Study: Global Analysis, human error and system problems accounted for two-thirds of all data breaches in 2012. Taking an "armored defense" approach with solutions that limit the opportunity for human error tend to garner the greatest ROI and provide a strong first line of defense for the organization. It is important for IT professionals not to overlook low-tech solutions, such as privacy filters, SEDs and anti-theft solutions, in favor of complex systems to secure the fortress. A blended security approach combined with proper policies and employee educations ensures optimal security and ROI.

About the Author(s)

Larry Ponemon

Chairman & Founder, Ponemon Institute

Stay informed! Sign up to get expert advice and insight delivered direct to your inbox

You May Also Like

More Insights