Then there is another way: proving security ROI. Of course, ROI is a valid financial tool. In the security industry, however, every vendor seems to have one, which is slightly different from other vendors’ and which ‘proves’ that buying that vendor’s product or service makes the best economic sense. For example, I’m sure we’ve all seen the statistics stating that having someone else manage your company’s firewalls is a 400% ROI over one year, when compared to managing them in house.
Whenever we are confronted with such figures, there are several things we need to ask: How many firewalls do these figures refer to? How many different technologies? Were these devices located in one company office, or distributed on a country or continental level? What service levels do the costs refer to? How many clients participated in the survey, how many vendors?
Many ROI calculations adopt a simplistic and/or simplified view of the underlying costs. They also tend to disregard ‘communications’ costs, human and skills costs, the cost of dealing with process or operational exceptions, and the cost of network upgrades. One must always seek to understand the assumptions of any ROI model. As a final note, an IDC study in 2003 found that 83% of companies do not track ROI for their security investments. Things are likely to have changed, but caution and scrutiny should still be applied to ROI models.
Buy or Build and the Individual Perspective
From a client perspective, a lot of energy is usually spent debating whether security is best kept ‘in house’ and delivered by the client’s own personnel (or built by internal efforts), or whether it is better to outsource or buy ‘off the shelf’. Because security is essentially a trust issue, the natural inclination is to keep it in house, shrouded in secrecy. We know that, from a technical perspective, ‘security through obscurity’ is not good practice. The encryption algorithms that become standards are subjected to scrutiny for years before being widely adopted.
From an economic perspective, there will be security tasks which are more efficiently carried out by an outsourcer (e.g. managing firewalls or IDS), and some which are more suited for in house delivery (e.g. fraud and incident investigations), if skills exist in-house. A good provider will remind the client that they always retain the full responsibility for their organization’s security posture, even if some security tasks have been ‘delegated’ to hands and brains outside the firm.
Economics also plays a part in everyday decisions taken by individuals (employees) when it comes to doing the “right security thing.” We must ask whether security is facilitating or hindering their jobs. Is it ‘cheaper’ to comply with or to flout security rules and procedures? What is the employee’s time horizon when it comes to making security decisions? The answer is making security a business enabler with a relatively low compliance cost. Otherwise, individual cost-benefit decisions (e.g. about how often to change their system password) may trump the best-laid corporate security strategies.
Fear, Risk and Economics
So, where does this discussion leave us? Are we any wiser about how to make security more widely adopted - and encouraging clients to spend more on their security budgets?