How to justify expenditure to solve a problem you don't, or rarely, have?

A major challenge for any security team these days is to justify allocating IT budget to address a problem that rarely occurs. Generally, more tactical operational tasks take priority over security projects for this very reason. As we all know, a board takes little notice of security until something goes wrong, when necessity forces it to the top of the agenda. Then, miraculously, it becomes the absolute priority. The security manager is held responsible and the situation melts into a cycle of internal politics. To avoid such a scenario, forward-thinking businesses should consider the wider risks and implications of a security incident. This article intends to help IT security managers build a stronger case for investment in security.

Return on Security Investment (ROSI)

Determining the value of an investment in IT security infrastructure is not the same as determining traditional Return on Investment (ROI). When evaluating security products it is important to consider the value of the assets they will protect, as well as the type and frequency of threat they will be expected to combat. This article asks the reader to look at security investments through a lens and to assess the full value of the assets to be protected. ROSI looks at the implied direct and indirect costs.

Understanding your direct costs: Direct costs are those revenue streams that would be directly affected by some level of diminished or degraded service. In most commercial cases these are annual revenues derived from business units that are dependent upon the IP infrastructure. Examples would include e-commerce, subscribers and advertising. Additional direct costs might be the at-risk investment in CRM, ERP, supply chain, e-mail, IRC and VoIP, among others. The litmus test when considering direct costs should be: Do they provide revenue to the enterprise? Do they act as a channel to the enterprise which, if disrupted, would have material impact? Such data may be taken directly from formal reports, internal memos or estimated as needed.

Understanding your indirect costs: Indirect costs are more subjective than those defined as direct costs, and in some cases are much more severe. For example, a major event against a high-profile target may have a profound effect on the market capitalisation (share price) of a publicly traded company, or it could cause brand damage through negative press announcements. More detrimental still might be the halo effect that an outage has on normal operating processes within your enterprise. Another example would be to assume that an enterprise has a very sophisticated self-service knowledge base that is able to solve, say, 10% of all support queries without human intervention. If for some reason this service were offline, and by extension the web-facing CRM forms that allow cases to be created, the call centre would become the next logical focal point for customers with problems. In the best case, a virtually free customer-service transaction now costs perhaps several pounds; in the worst case the call centre becomes overwhelmed handling these seemingly minor issues while more pressing matters are left unattended. Obviously, it is easy to see that these indirect consequences can be profound.

In summary, when considering indirect costs it is important to reflect on the following: Has a past negative, or by contrast positive, experience been reflected in the market capitalisation of the enterprise? If so, what was the impact? Has brand damage led to customer attrition or additional cost? If so, how many customers has it affected and what was their value? If an application or IP-dependent service was unavailable, what would the impact be elsewhere within the organisation? By their very nature, indirect costs are difficult to calculate, but should never be underestimated. Consultation with some of the individual stakeholders may help you to arrive at reasonable and broadly accepted estimates.

Understanding your downtime: This is a relatively easy piece of data to collect, but an important one indeed. In many cases, enterprise IT personnel will have this data or a close approximation readily available. Ask yourself one important question: If your IT staff weren't running around solving a security issue, what other productive tasks would they be doing and what value can we put on those tasks?

Counter-measure cost: Again, this information should be readily available. In many cases the annual maintenance and support costs will need to be included, so that a fully weighted cost basis is created. Naturally, the following years will have profoundly lower costs and, therefore, much higher ROSI numbers.

Summary and Conclusion

Calculating risk and return on investment when considering security products can be a very difficult task. Unlike other IT and business investments, where ROI is determined as a direct result of some action, security risks and counter-measures must usually be considered with the intention of avoiding possible negative outcomes. By now you should have a good understanding of your potential exposure. As with any security project, it does require a willingness to take the initial step of quantifying your enterprise risk, and striving to understand the empirical costs. Engaging the principal stakeholders will be invaluable in creating consensus and buy-in as you complete this exercise, and it is wise to "sanity check" at regular intervals.

Robin Hill, Webscreen Tech.
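The four cost categories described in the article (direct costs, indirect costs, downtime and counter-measure cost) can be combined into a ROSI figure for each year of a control's life. The Python below is an added worked example, not code from the article or from Webscreen Tech. It assumes the commonly cited ROSI arithmetic, which the article itself does not state: ALE = SLE x annual rate of occurrence, and ROSI = (ALE x mitigation ratio - cost of control) / cost of control. All figures are constructed: the knowledge-base outage scenario's losses, the assumed one-outage-every-two-years rate, and the hypothetical control's purchase cost, support cost and 0.8 mitigation ratio.

```python
from dataclasses import dataclass


@dataclass
class IncidentExposure:
    """Estimated loss from one incident, split into the article's cost categories."""
    direct_cost: float         # revenue at risk from degraded or unavailable revenue channels
    indirect_cost: float       # share-price, brand and knock-on effects (stakeholder-agreed estimate)
    downtime_hours: float      # staff hours diverted into firefighting the incident
    staff_hourly_value: float  # value of the productive work those hours would otherwise deliver

    def single_loss_expectancy(self) -> float:
        """Total expected loss from a single incident (SLE)."""
        return (self.direct_cost
                + self.indirect_cost
                + self.downtime_hours * self.staff_hourly_value)


@dataclass
class CounterMeasure:
    purchase_cost: float        # one-off cost, charged in year 1 only
    annual_support_cost: float  # maintenance and support, charged every year
    mitigation_ratio: float     # fraction of expected loss the control is assumed to prevent (0..1)

    def cost_in_year(self, year: int) -> float:
        """Fully weighted cost basis: year 1 carries purchase plus support, later years support only."""
        return self.annual_support_cost + (self.purchase_cost if year == 1 else 0.0)


def annual_loss_expectancy(exposure: IncidentExposure, incidents_per_year: float) -> float:
    """ALE = SLE x annual rate of occurrence (the threat frequency the article says to weigh).
    Assumed formula, not stated in the article."""
    return exposure.single_loss_expectancy() * incidents_per_year


def rosi_for_year(exposure: IncidentExposure, incidents_per_year: float,
                  control: CounterMeasure, year: int) -> float:
    """ROSI = (loss avoided - cost of control) / cost of control, for a single year."""
    avoided = annual_loss_expectancy(exposure, incidents_per_year) * control.mitigation_ratio
    cost = control.cost_in_year(year)
    return (avoided - cost) / cost


def cumulative_rosi(exposure: IncidentExposure, incidents_per_year: float,
                    control: CounterMeasure, years: int) -> float:
    """Same ratio accumulated over `years` years, so the year-1 purchase cost is amortised."""
    ale = annual_loss_expectancy(exposure, incidents_per_year)
    avoided = ale * control.mitigation_ratio * years
    cost = sum(control.cost_in_year(y) for y in range(1, years + 1))
    return (avoided - cost) / cost


# Constructed, hypothetical figures for the article's knowledge-base outage scenario.
KB_OUTAGE = IncidentExposure(direct_cost=40_000.0, indirect_cost=60_000.0,
                             downtime_hours=80.0, staff_hourly_value=75.0)
KB_OUTAGE_RATE = 0.5   # assumed: one such outage every two years
KB_CONTROL = CounterMeasure(purchase_cost=30_000.0, annual_support_cost=10_000.0,
                            mitigation_ratio=0.8)


if __name__ == "__main__":
    print(f"SLE: {KB_OUTAGE.single_loss_expectancy():,.0f}")
    print(f"ALE: {annual_loss_expectancy(KB_OUTAGE, KB_OUTAGE_RATE):,.0f}")
    for year in (1, 2, 3):
        print(f"year {year} ROSI: {rosi_for_year(KB_OUTAGE, KB_OUTAGE_RATE, KB_CONTROL, year):.2f}")
    print(f"3-year cumulative ROSI: {cumulative_rosi(KB_OUTAGE, KB_OUTAGE_RATE, KB_CONTROL, 3):.2f}")
```

With these constructed inputs the single-incident loss is 106,000 and the annual loss expectancy 53,000; the year-1 ROSI is barely positive (0.06) because the full purchase cost lands in that year, while year 2 returns 3.24 and the three-year cumulative figure 1.12. That spread is the article's point about later years carrying much higher ROSI numbers, and it is why the fully weighted first-year cost basis should be presented alongside a multi-year view rather than on its own.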