Security ROI: know what to measure.
There are formulas to assess the potential costs of security lapses, but the true risks, and therefore the greatest potential ROI on security investments, center around protecting your organization from losses related to three business factors: regulation, revenue and reputation.
Security policies and procedures must satisfy federal, state and local regulatory requirements that hold businesses accountable for secure systems. Among the most wide-ranging new laws, the Gramm-Leach-Bliley Act governs the privacy of information stored, used and transmitted by banks, brokerages, insurance companies and other financial institutions.
Another federal regulation, the Health Insurance Portability and Accountability Act, is intended to limit fraud and abuse involving private health records. It has significant implications for anyone who handles this information.
A third is 21 CFR Part 11, the Food and Drug Administration regulations governing electronic signatures and electronic records, which is a critical issue in the pharmaceutical industry.
Whether protecting against external or internal threats, auditable security systems must be put in place that specifically address the highest-value, highest-risk enterprise business assets. Quantify the risk by measuring the financial value of each asset against the probability of its loss.
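A worked illustration of measuring asset value against probability, added here as an example and not part of the original article: it uses the standard annualized loss expectancy model (single loss expectancy times annual rate of occurrence) to rank a small risk register and then scores a candidate control with a return-on-security-investment ratio. The assets, dollar values, exposure factors, incident rates and control cost are constructed figures for illustration only.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Risk:
    """One line of a risk register (all values are constructed examples)."""
    asset: str
    asset_value: float      # dollar value of the asset at stake
    exposure_factor: float  # fraction of the asset lost in one incident (0..1)
    aro: float              # annualized rate of occurrence (incidents per year)


def single_loss_expectancy(risk: Risk) -> float:
    """Expected dollar loss from a single incident against this asset."""
    return risk.asset_value * risk.exposure_factor


def annualized_loss_expectancy(risk: Risk) -> float:
    """Expected dollar loss per year: asset value weighted by probability."""
    return single_loss_expectancy(risk) * risk.aro


def rank_by_ale(risks: list[Risk]) -> list[str]:
    """Asset names ordered from highest to lowest annual expected loss."""
    ordered = sorted(risks, key=annualized_loss_expectancy, reverse=True)
    return [r.asset for r in ordered]


def with_control(risk: Risk, new_aro: float) -> Risk:
    """The same asset after a control that lowers the incident rate."""
    return replace(risk, aro=new_aro)


def rosi(ale_before: float, ale_after: float, annual_control_cost: float) -> float:
    """Return on security investment: (risk reduction - cost) / cost.

    A value above 0 means the control saves more than it costs per year.
    """
    if annual_control_cost <= 0:
        raise ValueError("control cost must be positive")
    risk_reduction = ale_before - ale_after
    return (risk_reduction - annual_control_cost) / annual_control_cost


# Constructed risk register: values chosen for illustration, not real data.
RISKS = [
    Risk("customer database", asset_value=2_000_000, exposure_factor=0.5, aro=0.2),
    Risk("public web server", asset_value=100_000, exposure_factor=0.8, aro=2.0),
    Risk("payroll system", asset_value=500_000, exposure_factor=0.1, aro=0.5),
]


def evaluate_database_control(annual_cost: float = 40_000, new_aro: float = 0.05) -> float:
    """ROSI of a hypothetical control on the customer database.

    The control is assumed to cut the incident rate from 0.2 to 0.05 per year
    for the given annual cost (both figures constructed).
    """
    before = RISKS[0]
    after = with_control(before, new_aro)
    return rosi(annualized_loss_expectancy(before),
                annualized_loss_expectancy(after),
                annual_cost)


if __name__ == "__main__":
    for name in rank_by_ale(RISKS):
        risk = next(r for r in RISKS if r.asset == name)
        print(f"{name:20s} ALE = ${annualized_loss_expectancy(risk):>12,.0f}")
    print(f"ROSI of database control: {evaluate_database_control():.2f}")
```

The ranking shows why the quantification matters: the web server has the highest incident rate, but the customer database carries the largest expected annual loss, so that is where the first dollar of control spending belongs. The ROSI figure is the number to put in front of business management, because it expresses the control in the same units as any other investment.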
Related to both regulation and revenue, reputation is the hardest to quantify but potentially the most costly. How will the public react to the theft of your customer lists, identification numbers, patient information or other data? Bad publicity caused by a security breach can literally destroy a company. IT management needs to objectively assess and quantify the risk to the organization's reputation that would be caused by a security breach.
Defining security ROI is not an easy task, but every IT manager is responsible for making business management aware of the true business risk. If you are still building your IT security ROI case on only the cost of staff time and IT resources, you are missing the point. Security must be considered a business investment to protect company assets.
For more information from Getronics: www.rsleads.com/309cn-254
Bod Pacl is director of services marketing for Getronics, Billerica, Mass.
Date: Sep 1, 2003