IT Security and ROI

A recent increase in media coverage of security breaches, incidents of information theft and corporate scandals has raised awareness about the importance of IT security. The attention has also elevated both the profile and importance of corporate governance and accountability in Canadian organizations. IT departments are now expected to provide evolving solutions that deliver secure technology environments for employees, partners and clients by protecting information assets (complex networks and a wider variety of access points) from more sophisticated attacks, self-replicating viruses and tactics that aim to manipulate people into disclosing crucial authentication information. While maintaining effective IT security solutions can save money, justifying the continuing investment to non-technical decision makers can be a challenge.
In most organizations, information security affects a variety of stakeholders who have varying technology needs, problems and vocabularies. So in presenting the business case for increased spending, IT security managers must be able to articulate how financial gains balance against less quantifiable benefits such as the exact impact of a security solution. They must be able to demonstrate the effectiveness of the existing and/or planned security, using numbers that show how and where it benefits the organization. The goal is to create a common understanding among an organization's decision makers of the risks to the business and how investments in IT security can help mitigate those risks. IT managers should demonstrate the business benefits to the organization, both through cost savings and productivity gains from decreased systems maintenance, down time and the protection of critical information assets. Creating that understanding across the organization will go a long way toward obtaining necessary corporate support and funding.

However, recent IDC Canada data indicate that many organizations are not tracking or communicating the value of IT investments. Only 32% of the organizations surveyed were using a formal analysis such as return on investment or payback period analysis on their IT investments; the figure was much lower for IT security.

Still, the need to make the case for IT security has arguably never been greater. To keep pace with regulatory requirements and privacy concerns, IT departments have been charged with protecting the integrity of corporate systems where customer data (proprietary, financial and personal information) live. Historically, IT security has been viewed as an operational cost centre, functioning in the background as a protective layer for corporate systems and data. When properly implemented, a sound security strategy not only improves system availability and productivity, it can increase customer confidence.
In these scenarios, the problem for IT security is that it is often not clearly seen contributing to the bottom line the way that direct revenue generators such as improved sales and inventory tracking systems do. For people trying to explain the need for it, IT security solutions may be victims of their own success. These solutions are preventive measures that may be largely transparent to end users, but they protect the IT infrastructure and information assets from unauthorized access while still allowing employees and customers access to the information they need. Security appliances or software running on servers usually block the majority of viruses and unauthorized activity before they reach end users. That's why proposals must be made to the right people, using the right tools.

There are many tools to use, including a growing number of ROI calculation tools and risk assessment templates. The tools vary widely in complexity and delivery capabilities. IT managers must select tools that fit the information needs of their organization based on a number of factors that can include size, sector, information security and regulatory requirements. Tools must be able to capture and deliver the information that meets the expectations of senior decision makers. For short-term consistency, methodologies should be the same as or similar to those already in use for calculating risk, value and ROI for other IT projects. Selecting the right tools will assist organizations in providing cost/benefit analysis, which could be the difference between a successful security proposal and one that fails. An effective analysis shows comparable metrics that prove the cost of a new security plan doesn't exceed the benefit.

The tool most often used today to justify the need for IT security is risk assessment. Business process analysis, penetration testing, vulnerability scanning and policies/procedures auditing are all common data sources that feed into IT risk assessment reports.
A key factor in realizing value from IT security solutions is ensuring that they are protecting the right resources. Before an organization can attempt to attach value to a security solution, it should conduct a collaborative risk analysis involving stakeholders from all business units and covering all aspects of the business. The stakeholders should meet to understand their business priorities and determine the IT security implications for their operations and business objectives. They must be able to determine the costs associated with their operations by attaching projected values to primary systems and data if compromised. How much would it cost a sales department to re-create its leads from scratch? What would the fines and/or other negative fallout be if clients' personal information were stolen and then sold or published on the Web? In the event of systems down time, how many dollars would the business area lose per minute in revenue, idle workers and missed opportunities?

It's imperative that decision makers understand the factors that affect the success of IT security programs, weigh the right information when choosing investments and find evidence of value that can be quantified with certainty. Decision makers protect the organization's financial and business position, so those with poor data take on more risk in the already risky undertaking of managing a business for company and shareholder benefit.

Start with an audit of the potential threats to the organization matched against current capabilities for stopping those threats. It should cover physical and legislative aspects, policies, procedures, and education and training, and should involve all stakeholders. Although time-consuming, it will at least show the organization's vulnerability. Once the audit is complete, do a risk assessment. Where is your organization most vulnerable from a physical and legislative perspective?
From here, an IT security plan can be established showing the costs of the products and services required against the potential losses if the plan is not implemented. These potential losses should include not only the costs of the IT staff's time spent on fighting viruses, eliminating spam and spyware, patching servers and resolving password issues, but also the time non-IT staff spend dealing with many of the same issues. Be sure to include the potential losses from bad publicity and non-compliance. A good IT security plan buttressed by the appropriate investment can significantly improve the chance that a business can operate effectively and productively in a network environment fraught with dangers. IT managers must make the case, and decision makers must listen and act.

This article was written by Joe Greene, who is in charge of IDC Canada's Security Research practice, working with his counterparts worldwide and with Canadian analysts in other disciplines to provide information and communications technology suppliers with insight into the Canadian market for security products and services. Launched in 2005, IDC Canada's Security Markets and Strategies program addresses one of the most rapidly growing segments of the ICT market, a result of its growing importance to Canadian businesses in all industries. Mr. Greene also develops and sustains relationships with IT associations across Canada, helping them provide their members with affordable access to IDC market research and go-to-market services. As a result of this initiative, dozens of Canadian-headquartered companies have been able to better define their business strategies and position their capabilities and potential to prospective investors, partners and customers.
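As an added illustration of the cost/benefit comparison the article describes (this is example code, not from the article or from IDC), the following Python model turns the loss categories listed above into an ROI and payback-period figure for a proposed plan. It assumes an expected-loss calculation (annual probability of an incident times its cost), which the article does not specify, and every dollar figure, probability and scenario is a constructed sample value.

```python
# Added example, not from the IDC article. Cost/benefit model for an IT security plan
# built from the article's loss categories. All figures are constructed sample inputs;
# the expected-loss approach (probability x impact per year) is an assumption.
from dataclasses import dataclass

@dataclass
class LossScenario:
    name: str
    probability_per_year: float   # chance the incident occurs in a given year (assumed)
    direct_loss: float            # fines, bad publicity, re-creating lost data
    outage_minutes: float         # system down time the incident causes
    loss_per_minute: float        # revenue + idle workers + missed opportunities per minute
    it_staff_hours: float         # IT time on viruses, spam, patching, password issues
    non_it_staff_hours: float     # non-IT staff time lost to the same issues
    hourly_rate: float = 60.0     # blended labour rate (assumed)

    def single_loss(self) -> float:
        """Total cost of one occurrence of this scenario."""
        downtime = self.outage_minutes * self.loss_per_minute
        labour = (self.it_staff_hours + self.non_it_staff_hours) * self.hourly_rate
        return self.direct_loss + downtime + labour

    def expected_annual_loss(self) -> float:
        return self.probability_per_year * self.single_loss()

@dataclass
class SecurityPlan:
    upfront_cost: float           # products and services required
    annual_cost: float            # licences, maintenance, staff
    risk_reduction: float         # fraction of expected loss the plan is assumed to prevent

def evaluate_plan(scenarios, plan, years=3):
    """Compare the plan's cost against the potential losses it avoids over `years`."""
    ale_without = sum(s.expected_annual_loss() for s in scenarios)
    annual_benefit = ale_without * plan.risk_reduction - plan.annual_cost
    total_cost = plan.upfront_cost + plan.annual_cost * years
    total_benefit = ale_without * plan.risk_reduction * years
    roi = (total_benefit - total_cost) / total_cost
    payback_months = plan.upfront_cost / annual_benefit * 12 if annual_benefit > 0 else float("inf")
    return {"ale_without": ale_without, "roi": roi, "payback_months": payback_months}

# Constructed sample scenarios matching the questions the article asks.
SAMPLE_SCENARIOS = [
    LossScenario("sales leads lost", 0.2, 50_000, 0, 0, 120, 40),
    LossScenario("client data stolen", 0.1, 400_000, 480, 200, 300, 500),
    LossScenario("malware outage", 0.5, 0, 240, 150, 80, 800),
]
SAMPLE_PLAN = SecurityPlan(upfront_cost=120_000, annual_cost=40_000, risk_reduction=0.8)
```

A negative ROI or an infinite payback period is the signal the article warns about: the plan's cost exceeds the losses it avoids, and the proposal needs a different scope or better loss data.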