The Payoff: When Security Makes Business Sense, First and Foremost
ROI and quantitative analysis is useful, but prioritizing security projects and focusing on objectives is smart business.
August 1, 2005
Determining a return on investment isn't the only way to pitch a security project. Although it's true that hard metrics often trump passionate please (see "How To Pitch a Winning Project"), business drivers often trump numbers. Making good business decisions is the goal. Quantitative methods may provide useful input, but they're no substitute for careful reasoning about which security expenditures will help make your enterprise more successful overall.
Take the way one leading financial institution prioritizes its security spending. The company has a baseline of security spending that is nondiscretionary and necessary to satisfy the its regulatory and internal audit requirements. By consistently implementing these policies, the company ensures that no line of business becomes the weakest link that undermines the security of the entire enterprise.
ROI and other quantitative analysis may help provide a common framework with other technology investments, but you should prioritize and justify security spending by having a solid discussion of your application objectives and their exposures. Because so much of today's security budget is dedicated to mandatory items, only a fraction is left for discretionary projects. So you must have a healthy debate regarding how best to spend this money. Quantitative techniques play only a limited role in prioritizing these security projects.
Risk Is Relative
Risk-management philosophy pervades today's companies, and it's apparent on both the revenue- and cost-generating sides of the house. Using a risk-management approach, many companies, for instance, accept a priori that all its activities have risks. The challenge then becomes spending your resources to protect the business from likely security threats. This adds a third dimension to the classic cost-benefit analysis. Using the risk-management approach, you are assessing relative or proportional contribution, rather than absolute contribution, when comparing prospective projects.
Latest Issue of Secure Enterprise MagazineRead more >> |
You can apply this approach to just about any kind of company. Begin this analysis by categorizing your potential security projects according to their business impact. Here are the categories, in order of importance:
• Enablement: Your enterprise will earn the most return on its investment from security projects that serve as obvious enablers to lines of business. These are projects that generate incremental revenue and profit, such as a mutual authentication system that allows straight-through processing or automating back-office workflow.
• Protection of key assets: This is a set of investments necessary to protect your current revenue streams, such as improving the backup and off-site storage procedures for your credit card operation. Weigh projects in this category against the amount of revenue at risk.
• Opportunity: Opportunistic investments typically result in cost savings or process improvements, such as an integrated firewall-management system that improves control over rule changes and provides reporting features that reduce the cost and time spent auditing the firewalls. Any investments in corporate infrastructure that provide long-term payoffs fall into this category.• Nice To Have: Projects in this category have a low probability of getting funded. They make security and IT jobs easier, but are generally a very tough sell.
Exercise Your Options
It makes sense to apply quantitative methodology to your security projects only after you've carefully studied the business impact of these projects. For most organizations, prioritizing security spending is not about approving a single project. Rather, it's about constructing a portfolio of projects that fit within the budget. If time is tight, so do so only for the trickier decisions.
Say you are a financial institution with a discretionary security budget of $1.5 million (after funding your required security expenditures). Your have several worthwhile projects vying for funding, but they add up to $2.5 million--way over budget:
• Conduct a long-delayed assessment of the company's international, direct-inward dial telephone lines for security exposures and cost reduction. Cost: $300,000.• Develop a handheld security strategy to enable the safe deployment of a CRM (customer-relationship management) application for investment advisers. Cost: $100,000.
• Develop a security dashboard so senior management can understand the company's security status at any time (this may be helpful in Section 404 Sarbanes-Oxley compliance). Cost: $300,000.
• Review the company's most critical application service providers to ensure they are adequately safeguarding data and are not serving as an attack vector for competitors or hackers. Cost: $150,000.
• Analyze the security gaps of a recent acquisition before interconnecting with the acquired company's network. Such an analysis determines where the acquired company's security policies and practices differ from that of the parent company and might put the combined enterprise at risk. Cost: $125,000.• Assess how authentication methods vary across lines of business and touch points (live phone associate, voice response system, Web site and paper) with customers and business partners. This helps identify weak links and potentially consolidates authentication mechanisms and code. Cost: $500,000.
• Perform a site security assessment to determine the company's vulnerability to physical intrusions. Cost: $50,000.
• Identify and evaluate a replacement product for the company's Unix configuration-monitoring tool. Cost: $100,000.
• Design a comprehensive phishing awareness program to ensure that internal business units no longer request phishing-type identifying information over the Web channel. This includes a companion program to educate customers that such requests are fraudulent. Cost: $400,000.
• Test the company's standard server builds (Windows, Unix and Linux) to ensure the base platforms are appropriately hardened. Cost: $75,000.
Project Priority |
To begin your assessment, categorize the projects. Then prioritize them within each category (see "Project Priority,"left).
Here we are applying a subjective measure of each project's prospective benefits that takes into account both monetary and business impacts.
Then apply an "urgency filter"--some projects, such as integrating the infrastructure of a subsidiary, must be done right away, while
Project BudgetClick to Enlarge |
others can be deferred until next year with acceptable risk (see "Project Urgency," below ). Finally, calculate a trial balance to see if the high priority and urgent projects fit within the budget (see "Project Budget," right).
Project UrgencyClick to Enlarge |
Using your experience and the simplest of calculations, you have effectively allocated your discretionary security spending for the year.
Last Word
When you drive on a narrow, winding mountain road or along oceanside cliffs, a mistake in one direction is much costlier than the other: If you oversteer to the right, you will plunge to certain death, whereas if you oversteer to the left, you cross into the opposite lane. When you drive, you are constantly assessing the road conditions and how to navigate them.Although decisions about security projects don't involve such life-and-death drama, they can have serious consequences in your IT environment. The underlying principle that business context dwarfs all other factors is the same. Simple quantitative techniques only apply to the narrow band of projects that lie above the nondiscretionary security expenditures. You can ensure these discretionary security dollars are well spent if you categorize and prioritize projects based on how effectively they'll keep your business running safely. So think twice and calculate once.
Jonathan Gossels is president of SystemExperts Corp., an information security consultancy. Write to him at [email protected].
You May Also Like