The Dollars And Cents Of Security

Make the case for increased security investments with facts, figures, and sound economics--a language that business execs understand. (Originally published in Optimize)

October 1, 2002

12 Min Read
Network Computing logo

Security budgets are too low — that's for certain. While companies spent roughly $300 billion worldwide on Y2K remediation, only a fraction of that amount is being spent on security. Analysts at IDC estimate that worldwide spending on corporate digital security this year is less than $25 billion, including costs associated with people, products, and services.

When considering the comparison, it's also worth noting that the Y2K issue focused on a fairly specific set of threats within a finite period of time. Nevertheless, companies established cross-functional task forces, reallocated budgets, and as a result, most survived Y2K with reputations and systems largely intact. By contrast, in spite of the increased awareness of security issues after Sept. 11, 2001, business and financial managers still don't fully appreciate the business value of a sound digital-security strategy. Unlike Y2K, security threats are neither predictable nor finite. Their impact can range from terribly inconvenient to horribly catastrophic. When a security breach occurs, a company's liability, privacy, reputation, and ability to survive are compromised. And companies tend to assign responsibility for security to the IT department, even though risk is distributed throughout the business units. (See related article on an integrated enterprise approach on p. 38).

Why is so little invested in the protection of hard-won customers, valued employees, and critical assets?

For one thing, security-budget decisions are complex. To justify a long-term and appropriate level of investment in security, members of the security community — consultants, influencers, integrators, and vendors — have to do two things: communicate better with corporate executives, and establish a credible economic basis for security investments. Top management understood the dangers of Y2K disruptions to their business; they have to feel the same way about ongoing security risks.

Unless business managers change their thinking about security, the budget will continue to be inadequate. To begin the conversation about how security helps reduce risk and actually supports financial goals, technical and business management must first speak the same language. The technical team has to become fluent in the language of business, able to converse about assessing corporate risk as it pertains to digital security.Recently, the CFO of a Wall Street bank asked the chief security officer for a revenue-driven model to justify the security budget. In other words, he was looking for the return. To date, the only CSOs who have done this in a way that would lead to appropriate financial support have pointed to costs associated with network downtime resulting from denial-of-service attacks, or security breaches resulting in the erasure of backup tapes or the disabling of production servers. In reality, these events certainly have a negative impact on earnings, but they don't drive revenue.Executives understand costs of goods sold, earnings, operating costs, profit-and-loss statements, and revenue. They don't necessarily understand triple DES encryption, strong authentication, or white-box applications analysis. If digital security isn't communicated well to the average executive, how can he or she be expected to budget and measure it?

By establishing a new model for earnings growth through secure operations, the security community helps the business side appreciate the value of the technology, and deployment can move ahead.

While some financial managers understand that server downtime costs money, very few understand that the inability to securely transmit sensitive competitive, financial, and personal data costs businesses far more in lost revenue and top-line growth because it can lead to uncertainty on the part of the buying public.

The security industry has been driven by a "penetrate and patch" mentality. Security managers hire consultants to perform penetration tests on networks or applications, which invariably reveal a gaping hole in the infrastructure. These sound alarms in the security department, which searches for a quick fix to the problem. As a result, the security department is in perpetual reactive mode. Since the annual budgeting process can't realistically forecast this type of reactive operation, senior executives are frustrated that the security department is always looking for more money.

Furthermore, the penetrate-and-patch mode makes security appear tactical; executives typically ask: "Has anything happened to us lately?" But the point has to be made that penetration tests don't secure the enterprise nor do they provide an accurate view of the digital risk to a corporation. Yet, this is where the majority of outside consulting dollars are spent.

To avoid the vicious cycle and wasteful spending, companies should skip the penetration-test exercise and just assume that hackers can get in. By acknowledging that critical business data and systems are easily compromised, security and business managers can move on to thinking of security as a strategic tool, not a reactive line item. At this stage, discussions can and should include devil's-advocate arguments: Some systems might not need to be secured. Some aspects of a business' digital assets, such as certain Web sites not connected to the corporate network, would cost more to secure than to clean up after an attack.

Digital security is not a 100% game. The opportunity cost has to be considered. Will securing your Web portal cost more than the revenue-generation associated with it?

The most challenging question for a security officer is this: "How much will it cost us to secure this thing?" CSOs are left with only three answers:

a) I don't know.b) $4 trillion.

c) We can't afford to secure ourselves completely, but we can probably manage our risk to a reasonable level for double what we've got budgeted.

Answer C is a step in the right direction. It used to be relatively easy to understand and protect digital information. Networks had distinct perimeters and could be walled off to defend against undesirable outsiders. With collaboration and hosted services today, however, it's nearly impossible to determine where your network ends and an outside network begins. In fact, current networks are specifically designed to let people in, rather than keep them out. Defending against the unwanted intruder is a very difficult proposition.

Supply chain initiatives and those supporting mobile business often have a huge impact on security that's rarely considered. New technologies, such as Web services, and protocols, such as Simple Object Access Protocol (SOAP), for example, are designed to allow data to pass through firewalls, presenting new threats to the enterprise. While these technologies can ease electronic communication and commerce with the outside world, they can also put your company at risk.

The erosion of the corporate perimeter is closely coupled with the rise of the federated application—an application that may reside on a third-party server, be accessed over an outsourced storage-area network, and viewed by a multimedia handheld mobile appliance—in short, a security nightmare. Applications such as wireless sales-force automation and corporate VPNs proliferate quickly and often without consideration for the difficult security challenges that accompany their deployment.Clearly, security threats evolve right alongside technology. While the chief security officer is charged with tracking these technology developments, he or she must also stay in lock step with evolving business priorities. To demonstrate how specific security investments correspond to business goals, we offer a visual map to help identify the best routes to achieve them.

Our Security Blueprint is a graphical representation of more than 40 key security considerations. The elements will vary based on the industry in which the company in question competes, but the theme is the same: Most security budgets address only a fraction of the business requirements.

To the technically oriented security professional, the blueprint is overly simplistic and not an accurate engineering representation of the interdependencies among different functions. To the business executive, it has a lot of technology components and much of the language is unfamiliar. In fact, the Security Blueprint attempts to represent a middle ground between the security community, whose goal is to illustrate the enormity of the challenge, and the business community, which needs to understand where the money is going.

The illustration can be used to measure how well the current security investment supports business objectives. By writing down the current investment levels associated with each component, the security manager can create a quick, visual gap analysis that shows what is—and isn't—being addressed by current security investments. That may be more meaningful to the nonsecurity manager than an itemized list of the costs associated with firewalls, intrusion detection systems, and VPN products.

The financial-services industry is typically on the leading edge of IT adoption because it's in the business of analyzing risk. It also understands how digital-security risks map to real dollars.Recently, I placed the Security Blueprint in front of a financial-services executive who wrote three numbers in three separate cells. By seeing in an instant where the majority of his security investments were going, this executive became unpleasantly aware that there were 38 other cells he hadn't considered in his budgeting process.Defining the return on technology investments has always been a particular sticking point for security initiatives because the conversation usually seems to delve into soft claims and intangibles. (For a discussion of the risks and rewards of emerging technologies see Optimize, March, p. 72,

Chief security officers need hard numbers during the budgeting process. Security analytics can explain the underlying economic-value proposition of security investments (see sidebar, p. 32. Also go to and And using the blueprint as a starting point, executives can define the security metrics relevant to business goals.

There's no universal set of metrics, but the following list and the metrics in the sidebar provide a small sample of items that could be measured. These include:

  • Potential and actual intrusions detected at the network and application level.

  • Virus incidents—raw numbers and impacted data.

  • Authentication and authorization time—how long it takes to authorize a user and then grant access.

  • Security-patch application rates—how many, how often, by whom?

  • Cycle time for forensics response—how fast to respond and recover; type of damage done.

    Security analytics provide a dashboard for measuring the leading indicators of a company's security-related activities. They also offer the foundation for the economic model in which financials are factored into the equation.Once benchmarking is complete, managers should begin putting plans in place to address the high-priority items and quantify the investment and expected return. It's important to measure the actual recognized return to establish a pattern of credibility.

    Starting with the highest-priority items, managers should implement the high-impact/low-cost actions first. This may sound intuitive, but a considerable number of companies undertake outlandishly expensive security initiatives, such as retina scanning or PKI implementations, where the return is marginal.Next, management should undertake the low-impact/low-cost items, such as application security and incident-readiness training, clearing the way for more strategic investments. The high-impact/high-cost investments will usually be made over a number of years and in concert with other departments. In fact, most high-impact security investments will be in areas such as software development or IT administration, not areas commonly thought of as security cornerstones.

    Last, management should be willing to bear the risk where there's a high cost and low impact, unless of course, money is no object.

    With proper communication and corporate financial projections in place, security talk and money talk will finally mesh.

    Christopher Darby serves as chairman and CEO of @stake Inc., an international digital security consulting company.

    Security BlueprintWith corporate budgets under incredible pressure these days, no one can really afford to be 100% secure—nor should this be a goal.Security investment is like a portfolio: It has to be built, managed, and rebalanced over time. It's important not to lose sight of the fact that companies can afford to bear some risk. As with a portfolio, it's worth taking a risk on occasion if the investor is comfortable that most other bases are covered.

    To get the biggest return on security investment, companies should prioritize business initiatives and then benchmark where they are today on the security concerns that are most relevant to those priorities. How does application X compare with application Y?

    A wise man once said, "It is not important that you are the fastest antelope when the lion chases, but it is very important that you are not the slowest."

    Here are two approaches for creating a defensible economic model for return on security investment (ROSI):

  • Quantifying risk: If I make investment $X, I can reduce my risk by level Y and save $Z. For example, if I undertake a regular security audit of all software procured by my company (investment X), I will decrease my security-patch application rate and the associated cost of downtime and resources (level Y), and end up saving the company $Z. Assuming Z>X, the investment is financially beneficial to the company.

  • Net present value: If I make investment $X, what impact will that have on my annualized cash flow, including less-auditable functions such as opportunity cost and cost avoidance? In the insurance industry, where great effort is spent on annuity schedules, this is known as annualized loss expectancy.

Quantified risk is an easier approach for most companies, and it can be undertaken in smaller steps over a number of budgeting periods.Developing a comprehensive security strategy requires financial planning and discussions about ROI with business leaders. The Security Blueprint can help identify enterprise needs and so will the following steps:

Frst month: Perform reconnaissance
To prepare a comprehensive security plan, first ensure a thorough inventory of systems and services. Solicit business units to provide detailed specifications, and have IT validate that hardware-management systems are accurate.

Include information on platforms, operating systems, applications—both commercial and internally developed—and methods of communications. At the end of this process, the security group should have a complete picture of what needs to be secured, so it can begin to strategize and budget security spending and procedures.

Second month: Assess infrastructure and practices via gap analysis
Conduct interviews with administration groups to develop a picture of current security policies andprocedures. Don't assume that practices on paper reflect practices in reality.

Organize meetings with network-engineering teams to understand data flow and existing security enhancements, such as firewalls, intrusion-detection systems, and proxy servers. After meeting with operations departments from all IT groups, the security team should draw a theoretical circle around the company and quickly identify all lines of communication that lead in and out of the business. Once the perimeter is defined, adequate security mechanisms can be evaluated and deployed to protect the infrastructure. As always, industry best practices should be used as a comparison for developing a formal gap analysis.Third month: Implementation and maintenance
Now that the environment has been accurately defined and gaps identified, develop a program to add security solutions where needed throughout the infrastructure.

Since most security solutions become an exercise of point-in-time evaluation and remediation—a kind of snapshot of existing conditions—a maintenance program must be developed to ensure that new implementations don't increase the overall risk to the company. Effective and comprehensive security programs will monitor emerging threats and anticipate vulnerabilities that are unknown at present.

Stay informed! Sign up to get expert advice and insight delivered direct to your inbox

You May Also Like

More Insights