How do you accurately calculate the return on investment (ROI) on network security?
The quick answer is you don’t.
That, at least, is the view of Llewellyn Derry, senior director of security solutions at NEC Unified Solution Inc. a Texas-based provider of voice, data and video products and services.
Speaking at the IT 360 Conference and Expo in Toronto earlier this week, Derry was skeptical about attempts to calculate the ROI on network security investments.
He likened it to trying to predict the payback on a fire extinguisher for your home.
“Unless you actually have a fire, it’s impossible to determine, with any certainty, if your investment on the fire extinguisher will mitigate the effects of a fire in your home.”
Derry’s session was titled: How to Calculate the ROI on Network Security… and other myths and folk tales.
Network security managers face the same “fire extinguisher” puzzle when attempting to justify purchases before chief financial officers (CFOs) and chief executive officers (CEOs).
And yet network security investments are absolutely essential for the continued operation of any organization, Derry said.
He said when discussing the need for security programs or purchases with customers or executives, network managers need to focus on these points:
Network security is not a product
Network security is not a single object; it is just one component of a whole system. You can’t pin an ROI on network security.
Point solutions will only resolve point problems
If you purchase a certain product designed for a specific purpose, it will deal only with that purpose. A security patch will only address the vulnerability it was created for.
Security is a state of being
Security is a constant process. Security needs to be continually assessed, monitored and improved because threats are constantly evolving.
Avoid reactionary spending
Following trends is not always a wise move.
Everything starts with a definition of good and bad behaviour
Users have to be informed about what are acceptable and unacceptable uses of company assets and activities on the company network.
“Threats against the network are always present and attempts to hack in are happening 24/7, 365 days of the year.”
But trying to calculate the ROI on a network security investment is just the wrong way to go about getting a go signal from the boss, he said.
A principal consultant for an IT consultancy firm agrees.
“There really is no ROI in network security,” said Allan Evans, principal consultant at MGCG Consulting Group Ltd., a Markham, Ont.-based consulting services firm.
But network managers need to be constantly mindful of security if they want to keep their jobs, he said.
Rather than trying to calculate ROI, they should get people thinking about what might happen if certain security measures are not taken, Evans said.
A typical ROI calculation takes into account known variables such as initial value and rate of growth to determine final value over a specific period of time.
Using the same formula for network security investments will not work because there are numerous unknown variables, Derry said.
In the case of a network breach, questions to ask include: When did the breach occur? How confident are you of this date? When was the IT infrastructure set up, and when was the latest component installed? When was the last upgrade or update to the IT software and hardware done? When was the last security assessment completed? Were vulnerabilities rectified? When were controls put in place? Are controls installed to enforce the corporate security policy? What new attack vectors are present?
For example, Derry said his own company has numerous clients who wouldn’t even be certain when a security breach actually occurs, or who actually has access to the network.
There are just too many variables to come up with a credible ROI, said Derry.
“The fallacy of ROI on network security implies that a large investment up front will ensure lower cost later. But initial value, savings rate and final value are never defined or known,” he said.
Security managers must concentrate on the network’s vulnerabilities, the threats present and the risks of an attack to determine the best course of action.
For instance, he said, if a threat is unlikely to occur and, even if it did, wouldn’t have much of a negative impact on the business, it may be better to accept the situation.
Action must be taken to detect and prevent threats that are very likely to occur and would have a medium to great impact on the business.
In the case of threats that are very likely to occur and could have a high negative impact, businesses must act fast to avoid them.
Network managers should also know whom to talk to regarding network security, Derry said. “Know who you should talk to and what is important to them.”
The systems security manager is concerned about vulnerabilities and patches. The chief information security officer worries about information confidentiality as well as data integrity and availability.
The chief risk officer (CRO) or chief information officer (CIO) is kept awake at night by issues such as market share, company and personal reputation, liability and efficiency.
The ultimate responsibility for security of company assets, Derry said, lies with the business owners.
The company owner is responsible for the data that travels through the organization’s network and for the IT infrastructure itself.
“It’s the big boss that sets the security tone, not the IT department, the telecom department or the security and compliance department.”
Companies have two basic options for handling network security: to have an internal IT team manage security, or to co-source the responsibility with a company that specializes in the area.