Get your head out of the sand
When a recent customer asked how he would justify security spending and demonstrate security ROI, I answered his question with another question. "When you last purchased your home alarm system, did you first stop to calculate its ROI?" I don't think so. Security is a lot like buying that alarm system. These expenditures don't have a P&L associated with them. It is simply about risk management. You can't expect to turn your security department into a profit and loss entity. It's just not going to happen. However, there are more creative means of communicating with business leaders: analogies and plain English, combined with a graphical representation of your assets and risks mapped against the impact and likelihood of threats to those assets.
When compiling data for an IT security investment proposal, it can be challenging to deliver one of the most basic capital-budgeting requirements: quantifying the return from events that do not happen, while using objective figures to support the business case. I have seen a number of analysis tools used, including net present value (NPV), internal rate of return (IRR), ROI and payback period, with ROI being the most common. The usual approach to calculating ROI today is to calculate the annualised loss expectancy (ALE) from the asset value, the percentage of that value expected to be lost per incident, and the estimated number of incidents per year. Once you have the ALE, you can compare it with the cost of maintaining the security solution, and from that calculate the technology's ROI.
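As an added worked example (not from the original post), here is the ALE arithmetic described above carried through in Python, extended to the other tools the post lists: return on security investment, payback period and NPV. The asset values, exposure factors, incident rates and control costs are all constructed figures for illustration, and the `Exposure` and `Control` names are assumptions of this example, not terms from the post.

```python
"""ALE / ROSI / payback / NPV worked through on constructed figures.

Terms: AV = asset value, EF = exposure factor (fraction of AV lost per
incident), ARO = annualised rate of occurrence (incidents per year),
SLE = AV * EF, ALE = SLE * ARO.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Exposure:
    asset_value: float          # AV, in currency units
    exposure_factor: float      # EF, 0.0 .. 1.0
    incidents_per_year: float   # ARO

    def sle(self) -> float:
        """Single loss expectancy: what one incident costs."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualised loss expectancy: expected loss per year."""
        return self.sle() * self.incidents_per_year


@dataclass(frozen=True)
class Control:
    name: str
    upfront_cost: float     # one-off purchase / deployment cost
    annual_cost: float      # recurring licence, staff, maintenance
    aro_reduction: float    # fraction of incidents the control prevents
    ef_reduction: float     # fraction by which it cuts the loss per incident


def residual(before: Exposure, control: Control) -> Exposure:
    """Exposure that remains once the control is in place."""
    return Exposure(
        before.asset_value,
        before.exposure_factor * (1.0 - control.ef_reduction),
        before.incidents_per_year * (1.0 - control.aro_reduction),
    )


def annual_saving(before: Exposure, control: Control) -> float:
    """ALE avoided per year by deploying the control."""
    return before.ale() - residual(before, control).ale()


def rosi(before: Exposure, control: Control) -> float:
    """Return on security investment: (ALE avoided - annual cost) / annual cost."""
    return (annual_saving(before, control) - control.annual_cost) / control.annual_cost


def payback_years(before: Exposure, control: Control) -> Optional[float]:
    """Years to recover the upfront cost; None if the control never pays back."""
    net_per_year = annual_saving(before, control) - control.annual_cost
    if net_per_year <= 0:
        return None
    return control.upfront_cost / net_per_year


def npv(before: Exposure, control: Control, years: int, discount_rate: float) -> float:
    """Net present value of the control over `years`, discounting yearly net benefit."""
    net_per_year = annual_saving(before, control) - control.annual_cost
    return -control.upfront_cost + sum(
        net_per_year / (1.0 + discount_rate) ** t for t in range(1, years + 1)
    )


def rank_by_rosi(before: Exposure, controls: list) -> list:
    """Control names, best ROSI first, for the proposal's comparison table."""
    return [c.name for c in sorted(controls, key=lambda c: rosi(before, c), reverse=True)]


# Constructed scenario: a customer database worth 2,000,000; a breach is
# assumed to destroy 25% of that value and to happen 0.4 times a year.
CUSTOMER_DB = Exposure(asset_value=2_000_000, exposure_factor=0.25, incidents_per_year=0.4)

CONTROLS = [
    Control("endpoint detection", upfront_cost=40_000, annual_cost=60_000,
            aro_reduction=0.5, ef_reduction=0.2),
    Control("awareness training", upfront_cost=0, annual_cost=10_000,
            aro_reduction=0.25, ef_reduction=0.0),
    # Over-engineered option: removes almost all risk but costs more than it saves.
    Control("gold-plated platform", upfront_cost=100_000, annual_cost=250_000,
            aro_reduction=0.9, ef_reduction=0.5),
]

if __name__ == "__main__":
    print(f"Baseline ALE: {CUSTOMER_DB.ale():,.0f}")
    for c in CONTROLS:
        pb = payback_years(CUSTOMER_DB, c)
        print(f"{c.name:22} ROSI={rosi(CUSTOMER_DB, c):+.2f} "
              f"payback={'never' if pb is None else f'{pb:.2f}y'} "
              f"NPV(3y,10%)={npv(CUSTOMER_DB, c, 3, 0.10):,.0f}")
    print("Ranked:", rank_by_rosi(CUSTOMER_DB, CONTROLS))
```

The point the example makes is the one the post goes on to make: every output here is only as good as the asset value, exposure factor and incident rate fed in, and the ranking flips as soon as those inputs move.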
Obviously, people put a great deal of thought into many of these ROI proposals, but it's difficult to "plug and chug" with these formulas because there are too many unknowns. For example, most organisations are unable to put a monetary value on their digital assets. Many organisations do not know how many actual security incidents they have faced, nor have they tracked how much those incidents have cost.
These ROI models may leave some organisations with more questions than answers. But that’s not necessarily a bad thing. Organisations must start answering some basic questions, primarily, what do I have and how much is it worth to me? Asset identification, as trite as it may sound, is still a cornerstone. By gathering answers to some of the basics, organisations can begin to understand the true security risks and, in turn, potential returns on security investments.
As security spending increases, so will the need to represent issues more traditionally. Refined ROI formulas and methodologies are sorely needed. Larger data sets are sorely needed. There's a long road ahead of us, but the closer we come to tangible numbers, the closer we come to answering the really important questions, like "How come I spend more on coffee than I do on our security budget?" And if you are one of those people with your head in the sand hoping the problem will go away, then you deserve to be hacked.