Beyond FUD and ROSI: Effectively justifying the cost of security

By Staff, Special to ZDNet Asia
Tuesday, October 14, 2003 12:00 PM

Fear, uncertainty, and doubt (FUD) used to suffice in justifying budgets for deploying the latest security gizmos, bells, and whistles. But in today's strictly cost-conscious business environment, where financial officers have grown resistant to scare tactics, IT security pros must come up with more tangible reasons to defend their budget requests.

Will a return on security investment (ROSI) calculation be tangible enough? The security experts we interviewed said that the return-on-investment approach, although a bold display of business savvy, doesn't always sufficiently address all the factors integral to determining the value of security solutions. They said that IT pros caught up in soliciting security funding should forget the FUD excuse and venture beyond the ROSI formula. Here are their suggestions.

Maintain credibility by citing business benefits
"FUD does not work, and there is not a straightforward ROSI 'formula' that applies," said Paul E. Proctor, CISSP, vice president of Security & Risk Strategies at META Group, Inc. He said that the formula has failed because security doesn't fit the way businesspeople think of return on investment. He added that experience has shown little success in applying a model fundamentally geared to showing financial gain relative to investment to security, which does not usually produce financial gain.

"Most organizations interpret ROI as a financial indicator, and while most security projects have positive financial consequences, this is very hard to predict accurately in advance," Proctor said. The result is limited usefulness and credibility in a traditional ROI calculation. This mismatch can lead to significant lost credibility between the security people and the business unit owners they serve. In the worst case, this can negatively impact future budget requests, he said.

Proctor said that META Group's clients have had success using real, measurable benefits to prove value. Most ROSI calculations are neither real nor measurable, which is why they lack credibility. "A real measurable benefit does not have to be a financial gain," Proctor said. "It can be lowered staff, improved efficiency, or reduced risk, but it must be measurable. Measurable is the key because measurable is credible."

Gather the metrics to support the benefits
Proctor listed these specific examples of how IT support pros can gather metrics on quantifiable benefits to the business:
  • Cite business impacts of laws and regulations. For example, the new California privacy notification law (SB 1386) requires companies to notify California residents of breaches to their personal data. Failure to do so exposes the company to unlimited civil liability. Several security projects can be justified from a business perspective behind this law.
  • Collect metrics such as the number of external access attempts, accesses of personal data, unauthorized attempts rejected by various security technologies, etc. This data can be used to demonstrate ROI against a real business need with quantifiable numbers.
  • Show the number of hours spent on analyzing raw output from IDS sensors and the increase in efficiency and lower hours if the data is centralized and normalized.
  • Count the number of unpatched systems and show how a patch management service or product will improve IT's ability to execute on SLAs to the business units.

"Look for measurable benefits to security," Proctor advised. "ROSI, FUD, and risk assessments are largely conceptual in nature. Look for measurable differences like 20 percent of our TCP/IP traffic is nonbusiness-related HTTP traffic (we need a Web filter); we had over 4,000 access attempts to closed ports on the firewall last month (hackers are scanning us actively); or we had 300 password resets this month, which is a 15 percent increase over the previous month (we should automate password resets)."
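The metrics in the list above and in Proctor's examples (rejected access attempts on closed ports, month-over-month password reset growth, the share of traffic that is non-business HTTP) are the kind of thing that can be pulled from ordinary operational logs with a few lines of code. The script below is an added example written for this page; it is not code from the article or from META Group. The three log formats, the host list, and every figure it produces are constructed for illustration, so the numbers it reports are not the 4,000 attempts, 300 resets or 20 percent quoted in the article.

```python
"""Compute the measurable security metrics the article recommends, from
constructed sample logs. Added example; log formats are invented here."""
import re
from collections import Counter

# Constructed firewall lines: <YYYY-MM-DD> <DENY|ALLOW> src=<ip> dst_port=<port>
FIREWALL_LOG = """\
2003-08-03 DENY src=203.0.113.10 dst_port=135
2003-08-03 DENY src=203.0.113.10 dst_port=139
2003-08-15 DENY src=198.51.100.7 dst_port=445
2003-08-30 ALLOW src=192.0.2.5 dst_port=443
2003-09-01 DENY src=203.0.113.44 dst_port=1433
2003-09-02 DENY src=203.0.113.44 dst_port=1433
2003-09-02 DENY src=198.51.100.9 dst_port=22
2003-09-17 DENY src=203.0.113.10 dst_port=135
2003-09-30 ALLOW src=192.0.2.5 dst_port=80
"""

# Constructed helpdesk ticket lines: <YYYY-MM-DD> <category>
HELPDESK_LOG = """\
2003-08-04 password_reset
2003-08-11 password_reset
2003-08-20 vpn_issue
2003-08-25 password_reset
2003-08-29 password_reset
2003-09-03 password_reset
2003-09-08 password_reset
2003-09-12 printer
2003-09-19 password_reset
2003-09-22 password_reset
2003-09-26 password_reset
"""

# Constructed web proxy lines: <YYYY-MM-DD> <host> <bytes>
PROXY_LOG = """\
2003-09-01 intranet.example.com 120000
2003-09-01 www.example-supplier.com 80000
2003-09-02 video.example.net 500000
2003-09-02 intranet.example.com 100000
2003-09-03 games.example.org 200000
"""

# Hypothetical allow-list of hosts the business actually needs.
BUSINESS_HOSTS = {"intranet.example.com", "www.example-supplier.com"}

FIREWALL_RE = re.compile(r"^(\d{4}-\d{2})-\d{2} (DENY|ALLOW) src=(\S+) dst_port=(\d+)$")


def denied_connections_by_month(log: str) -> dict:
    """Count rejected connection attempts per month (the 'closed ports' metric)."""
    counts = Counter()
    for line in log.splitlines():
        m = FIREWALL_RE.match(line)
        if m and m.group(2) == "DENY":
            counts[m.group(1)] += 1
    return dict(counts)


def tickets_by_month(log: str, category: str) -> dict:
    """Count helpdesk tickets of one category per month, e.g. password resets."""
    counts = Counter()
    for line in log.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[1] == category:
            counts[parts[0][:7]] += 1  # YYYY-MM
    return dict(counts)


def percent_change(previous: int, current: int) -> float:
    """Month-over-month change in percent; a zero baseline has no meaningful change."""
    if previous == 0:
        raise ValueError("no baseline month to compare against")
    return round((current - previous) / previous * 100, 1)


def nonbusiness_http_share(log: str, business_hosts: set) -> float:
    """Percent of proxied HTTP bytes that went to hosts outside the business list."""
    total = nonbusiness = 0
    for line in log.splitlines():
        _, host, nbytes = line.split()
        total += int(nbytes)
        if host not in business_hosts:
            nonbusiness += int(nbytes)
    return round(nonbusiness / total * 100, 1) if total else 0.0


def build_report() -> dict:
    """Assemble the metrics a budget request could cite, all from the logs above."""
    resets = tickets_by_month(HELPDESK_LOG, "password_reset")
    prev, cur = sorted(resets)[-2:]
    return {
        "denied_connections": denied_connections_by_month(FIREWALL_LOG),
        "password_resets": resets,
        "password_reset_change_pct": percent_change(resets[prev], resets[cur]),
        "nonbusiness_http_pct": nonbusiness_http_share(PROXY_LOG, BUSINESS_HOSTS),
    }


if __name__ == "__main__":
    for name, value in build_report().items():
        print(f"{name}: {value}")
```

Each function returns a plain number or per-month count rather than a judgement, which is the point of Proctor's advice: the budget case is "resets rose 25 percent month over month" or "70 percent of proxied bytes went to non-business hosts", and the reader can check the figure against the same logs.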

The point is that measurable elements have more credibility even if they aren't as glamorous as "protecting company assets from evil hackers," Proctor said.
