Security Economics
by Ionut Ionescu - Director of Security Services, Nortel (EMEA) - Wednesday, 29 August 2007.
Glancing back at our economics textbooks, we find that this is not an overly competitive market to be selling security services in, even if we accept that defining the actual ‘market’ may be the trickiest part of this type of analysis.

Security ROI

Then there is another way: proving security ROI. Of course, ROI is a valid financial tool. In the security industry, however, every vendor seems to have one, which is slightly different from other vendors’ and which ‘proves’ that buying that vendor’s product or service makes the best economic sense. For example, I’m sure we’ve all seen the statistics stating that having someone else to manage your company’s firewalls is a 400% ROI over one year, when compared to managing them in house.

Whenever we are confronted with such figures, there are several things we need to ask: How many firewalls do these figures refer to? How many different technologies? Were these devices located in one company office, or distributed on a country or continental level? What service levels do the costs refer to? How many clients participated in the survey, how many vendors?

Many ROI calculations adopt a simplistic or simplified view of the underlying costs. They also tend to disregard ‘communications’ costs, human and skills costs, the cost of handling process or operational exceptions, and the cost of network upgrades. One must always seek to understand the assumptions of any ROI model. As a final note, an IDC study in 2003 found that 83% of companies do not track ROI for their security investments. Things are likely to have changed since, but caution and scrutiny should still be applied to ROI models.
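As an added illustration (not from the article), the following Python model, using constructed figures only, shows how a headline 400% ROI for outsourced firewall management shrinks as the cost lines listed above are brought back into the comparison:

```python
"""Sensitivity of a security ROI figure to which cost lines are counted.

Added example, not part of the original article; every figure below is
constructed for illustration and is not a real vendor or client number.
"""
from __future__ import annotations
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class CostModel:
    """Annual cost lines (currency units) for one delivery option."""
    licences_and_hardware: float
    staff: float            # salaries of the people doing the work, or the service fee
    skills: float           # training, certification, retention, vendor management
    communications: float   # links, VPNs and out-of-band access to the devices
    exceptions: float       # handling process/operational exceptions, change requests
    upgrades: float         # network upgrades the option forces on the client

    def total(self, lines: Tuple[str, ...]) -> float:
        return sum(getattr(self, name) for name in lines)


# The lines a typical vendor headline counts, then the ones it tends to omit.
HEADLINE_LINES = ("licences_and_hardware", "staff")
ALL_LINES = HEADLINE_LINES + ("skills", "communications", "exceptions", "upgrades")

# Constructed sample figures: managing a firewall estate in house vs. outsourced.
IN_HOUSE = CostModel(40000, 160000, 20000, 5000, 10000, 5000)
OUTSOURCED = CostModel(0, 40000, 10000, 35000, 40000, 20000)


def roi_percent(in_house: CostModel, outsourced: CostModel,
                lines: Tuple[str, ...] = ALL_LINES) -> float:
    """ROI of outsourcing = (avoided in-house cost - outsourcing cost) / outsourcing cost."""
    saving = in_house.total(lines)     # what the client stops paying
    cost = outsourced.total(lines)     # what the client now pays instead
    return round(100.0 * (saving - cost) / cost, 1)


def sensitivity(in_house: CostModel, outsourced: CostModel) -> List[Tuple[str, float]]:
    """ROI after each additional cost line is included, starting from the headline view."""
    steps = []
    for i in range(len(HEADLINE_LINES), len(ALL_LINES) + 1):
        included = ALL_LINES[:i]
        steps.append((included[-1], roi_percent(in_house, outsourced, included)))
    return steps


if __name__ == "__main__":
    for last_line, roi in sensitivity(IN_HOUSE, OUTSOURCED):
        print(f"through '{last_line}': ROI = {roi}%")
```

With these figures the headline view reports 400%, while counting every line brings the same comparison down to 65.5%.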

Buy or Build and the Individual Perspective

From a client perspective, a lot of energy is usually spent debating whether security is best kept ‘in house’ and delivered by the client’s own personnel (or built by internal efforts), or whether it is better outsourced or bought ‘off the shelf’. Because security is essentially a trust issue, the natural inclination is to keep it in house, shrouded in secrecy. We know that, from a technical perspective, ‘security through obscurity’ is not good practice: the encryption algorithms that become standards are subjected to public scrutiny for years before being widely adopted.

From an economic perspective, there will be security tasks which are more efficiently carried out by an outsourcer (e.g. managing firewalls or IDS), and some which are more suited to in-house delivery (e.g. fraud and incident investigations), provided the skills exist in house. A good provider will remind the client that it always retains full responsibility for its organization’s security posture, even if some security tasks have been ‘delegated’ to hands and brains outside the firm.

Economics also plays a part in the everyday decisions taken by individuals (employees) when it comes to doing the “right security thing.” We must ask whether security is facilitating or hindering their jobs. Is it ‘cheaper’ to comply with or to flout security rules and procedures? What is the employee’s time horizon when it comes to making security decisions? The answer is to make security a business enabler with a relatively low compliance cost. Otherwise, individual cost-benefit decisions (e.g. about how often to change a system password) may trump the best-laid corporate security strategies.

Fear, Risk and Economics

So, where does this discussion leave us? Are we any wiser about how to make security more widely adopted - and encouraging clients to spend more on their security budgets?
