
Security needs a holistic approach

CIOL Bureau

BANGALORE, INDIA: Security should not be viewed merely as a cost center against which a return must be measured in day-to-day operations. In addition to being mission-critical for just about any organization today, an appropriate approach to security can benefit the organization as a whole. The main metrics of an adequate return on security investment (ROSI) are higher productivity and the management of risk, including the risk of catastrophic business failure.


Security flaws designed into packaged software are common and extremely dangerous. These faults can be exploited to launch attacks against an organization that is otherwise extremely secure. Thus, without a proper understanding of the risks posed by off-the-shelf software packages, one could arguably claim that the return on all other investment in security at end-user organizations is greatly diminished.

Genuinely secure computing requires a holistic approach and is never complete - it demands constant attention and assessment. The good news is that, in addition to securing the organization against threats internal and external, security often presents ancillary benefits that increase the overall value returned on the investment.

The return on security investment will continue to be extremely difficult to quantify, but in the end the case for security is generally more compelling than the argument against it (i.e. staying in business versus going out of business).


An ROI estimation on security initiatives needs to consider both quantitative and qualitative factors. Quantitative ROI attempts to assign independent, objective numeric values to the potential investment return and the assessment of potential losses to be prevented.

Qualitative ROI, on the other hand, addresses more intangible values of data loss or an expected improvement in operating efficiencies.

In other words, network security should not be planned around providing a return on your investment in terms of a payback in the administration of the process. It should be planned around providing a level of comfort to senior management that intruders are being kept out of the network, errors and omissions are being kept to an acceptable level of risk, and security will act as an enabler for electronic business, not an inhibitor.


When all elements are measured, rated, and assigned values, the process is considered to be fully quantitative. However, it must be stressed that an accurate quantitative ROI is not possible because qualitative measures must be applied to the process of the ROI calculation. It should be clear that just because the numbers look hard on paper does not mean it is possible to forecast an ROI with any certainty.

As mentioned earlier, the imputed benefits of an IT security investment need to be taken into consideration when determining a return on security expenditures. These benefits include:

• Speed to market on all new business initiatives, since the networks do not need to be redesigned to allow for a secure offering.

• Project development time is reduced as security is already built into the network.

• Reduction in project/system development time spent on detecting and correcting security-related errors, because network security is part of the core of the design.

• Regression testing needed to confirm that security standards are still met whenever new application development is completed would be minimal.

• New projects need only make application-level security their primary focus. Network security generally would not need to be reconstructed for any of the new applications.

• New application initiatives generally can be treated as an add-on to the existing network architecture.

• E-commerce initiatives are designed for maximum uptime and redundancy, and, where outsourced, also allow for flexibility.

• Audit standards are being met with regards to network security.

• Risk management can be more accurate in terms of the level of risk that is being realized and the actions required to mitigate the risks. This allows senior management to make a more factual decision on the actions that should be taken when deciding to either eliminate/reduce the risk versus accepting the risk.

Similarly, additional costs must also be considered when gauging the overall ROI on the security of the environment. These include:

• The initial setup and configuration of each of the platforms/appliances.

• Potential loss of the network during the initial setup and during ongoing maintenance.

• Obsolete or malfunctioning equipment replacement.

• Process re-engineering of certain functions within the company; creation of the new processes and related staff training.

• Audit assessments of the environment to ensure the network is meeting the minimum security requirements.

The following ROI estimation model touches on the majority of the losses, the costs to circumvent potential losses, and the revenue potential that can be realized by implementing a hardened environment. Its intent is to provide a guideline on the areas that should be considered when calculating an ROI on a security investment. Each organization will differ according to its current environment of security tools and its reliance on the IT environment for doing business.