Prevention vs Remediation

One of the best ways to support an increase in IT spending for security is to clearly delineate the cost of preventing a security breach versus the cost of fixing one. Most corporate executives appreciate a rational approach to the business end of IT, and find a risk analysis and a financial overview to be helpful tools in justifying additional expenditures. A recent study by Computer Economics shows that spending on security is approximately 3 percent of all IT expenditures, a share that has remained fairly constant for the past three years. Most telling is that security spending has held steady while other areas of IT spending have fallen over the same period. In addition, the mix of security spending has shifted: many of the efforts made in the past several years to harden networks against attack are paying off in lower remediation costs.

This is the key takeaway for IT professionals making the business case for security today: security spending in the past has reduced the cost of remediation today. It is sometimes hard to make the case for something that is absent, but this is an opportunity to show how successful past efforts have been. If you don't have specific data to point to, generate some realistic estimates. Determine how much you've spent on hardening the network and estimate how much time that has saved, both in IT staff time and in productivity on the network. When the network is attacked, you incur three kinds of expense: IT staff time, the lost productivity of people trying to use the network, and the often less tangible cost to the company's reputation (which sometimes becomes a legal issue with financial implications). If you are hard-pressed to figure out how much your company has saved by not having security breaches, research industry averages applicable to your industry or company size. To assist with that, we've provided a few numbers, courtesy of research by the Computer Economics group. While this data is generic, it's a good starting point for making the business case for the return on past security spending and for why it's a good idea to keep spending that money. Here's another hint: sit down with your company's financial expert and have a few financial metrics generated from your findings. If you can show a positive return on investment (ROI) or internal rate of return (IRR), your company's management will sit up and pay attention. Along the way, you'll secure your own reputation as someone who understands the business of IT.

The independent research firm, Computer Economics, suggests using the following four steps to create a generic ROI for computer security:

1. Analyze the potential economic impact of a security breach (you may want to delineate the potential impact of several different categories of security issues such as virus, phishing, DoS, etc.).

2. Determine the business exposure (network, Internet connectivity, ecommerce intensity, and so on).

3. Examine and delineate the cost of security.

4. Calculate the ROI of security.

For example, if a virus invades your network, you can track the time the incident consumed: the IT staff hours spent fixing the problem plus the user time lost while it was being fixed (e.g., 60 minutes x 48 users x an average hourly rate based on overall salary levels in the organization). Sometimes you can also determine how much revenue was lost during that time (e.g., if you had to shut down an e-commerce server for four hours, what were the average hourly sales for that day and time of day?). Can you calculate how many of those customers will not return or will spend less in the future? Probably not, but you know the four-hour outage will have a ripple effect larger than the calculated hourly loss. In general, some quantifiable data is better than none, and you can use it to begin tracking and analyzing the true cost of security breaches. Some executives only understand the value of security spending when they see the actual cost of a breach to the organization.

Potential Economic Impact

To understand the potential economic impact of a security breach, you have to look at the cost of remediation and at the short- and long-term impact on the organization. The immediate impact of remediation includes the cost of labor and parts to repair damaged systems, the loss of organizational productivity during the repair phase, and the effect these repairs have on the cash flow and financial transactions of the company. If your company is e-commerce-intensive, this impact will likely be even more significant. The loss of control over credit card data, or the destruction of a month's worth of e-commerce transaction data, clearly has an economic impact beyond the cost of repairing the breach. Look at all areas of your business where the network and the Internet are factors. (A specific plan to assess the risk to your network is discussed later in this book.) At this point, your goal is to look at the cost of security so that you can make a business case to corporate and gain the organizational, political, and financial support you need for your security projects.

The short-term impact of a security breach (e.g., a DoS attack on your e-commerce site) includes the potential loss of sales and the potential loss of contracts and relationships with suppliers, vendors, and key customers. If your organization has suffered a serious and very public security breach, your sales team might have more difficulty closing a big deal. Clearly the organization's reputation suffers and, while the damage is difficult to quantify, the company loses the associated "goodwill."

The long-term impact of a security breach includes the loss of key customers, the loss of market confidence, and the erosion of share price if the company is publicly held. The public perception of a company in the marketplace is not built overnight, but it can be destroyed overnight by an avoidable security breach. The news is full of recent examples of companies that inappropriately managed data security and ultimately paid the price. It is hard to recover from that kind of major security lapse, both in the real terms of remediation and in the less tangible terms in the minds of suppliers, customers, shareholders, and the community.

The bottom line is: the more devices attached to your network and the more reliant your company is on the Internet for doing business, the more a security breach will cost. The Computer Economics group estimates that if you are highly reliant on the network and the Internet for your business activities and you have 100 attached devices, the cost of a security breach is approximately $250,000. If you have 250 devices, the cost is approximately $500,000. These costs include cleaning infected systems, recovery from hacks and intrusions, a loss of revenue, and a loss of employee productivity. As you can see, it becomes much easier to justify security-related spending when you clearly delineate the cost of not doing so.

Business Intelligence...

The Real Cost of Remediation

A quick scan of the headlines will tell you that security breaches are on the rise, and it takes time and effort to stay one step ahead of attackers. Yet a recent report reveals that many companies would rather spend money cleaning up the aftermath of an attack on their network than deal with it proactively. Security spending is still seen by some as a giant black hole into which money goes and nothing comes out. However, the same headlines show that companies that experience massive public security breaches end up in trouble with their customers, their employees, their shareholders, and often the government.

A well-publicized incident in June 2005 involved a serious security breach at CardSystems, a credit card processing company. The company was holding on to credit card data it was not supposed to retain, in order to "analyze" it. That data was not properly secured, and the personal data of 40 million credit card holders was compromised. Credit card companies had to reissue millions of cards (MasterCard alone reissued 13.9 million). CardSystems was sold to another company in what appeared to be a "fire sale" in September 2005. After reviewing the incident, the Federal Trade Commission found clear security failures and required the company to obtain an independent security audit every other year for the next 20 years. This is a classic example of a security breach that could have been avoided. It started on the inside with apparently "benign" behavior (i.e., no one initially set out to steal the data). The data was exposed because internal practice departed from two things: the company's agreement with the card brands on how it would handle customer data, and the protocols it should have followed for monitoring and managing that data to keep it secure. (For additional information, go to cardsystems.html.)

A Vermont college system employee on vacation in Canada had her laptop stolen from a locked car. The laptop contained personal and financial data for over 20,000 Vermont college system employees and students, and the data was not encrypted. Details about the theft were not disclosed for three weeks, even though the data at risk included social security numbers, birth dates, bank account numbers, and payroll information. A second security breach involved a hacker using an IT staff member's e-mail address to send a system-wide message regarding the stolen laptop. (For additional information, go to 6/1009/NEWS05.)

A security breach in Spokane, Washington, left hundreds of bank and credit union debit card customers in a tight spot when they were informed their cards had been compromised. New cards and PINs were issued. The breach cost banks, credit unions, and customers thousands of hours canceling and reissuing debit cards, and the total cost ran into the hundreds of thousands of dollars. (For additional information, go to

Security spending is time and money well spent. Your job as the network administrator is to make the business case for security spending. One way is to align security goals with business goals. When you tie security to business objectives, senior executives are more likely to understand, value, support, and fund security initiatives.

Business Exposure

This section discusses the relative exposure of your business, which will help you present your business case for security-related spending, and help you gain critical support for your IT security project. Some business exposure can be assessed by looking at the following categories and determining what percentage of your business they comprise:

1. E-commerce Retail Sales If your company sells product via the Internet, there are numerous security issues that must be addressed. From Web site security to transaction security, and from credit card processing to identifiable user information, your company has a legal and ethical obligation to maintain a certain level of security.

2. Business-to-business (B2B) Transactions Some companies only deal with other businesses (i.e., not the general public). These B2B transactions are vulnerable to outside and inside attacks. Disruption of this revenue stream can be devastating, because it can damage a company's cash flow and its relationship with key business partners (i.e., eroding trust and confidence reduces the value of the business transaction).

3. Internet Connectivity and Reliance Some companies rely heavily on the Internet. If your company uses the Internet to connect with customers, vendors, regulatory authorities, employees, or shareholders, you must assess the risk of loss or disruption in each of those categories. The more you rely on the Internet as a business tool, the greater your need for tight security and additional security funds.

4. Dispersed Workforce If your company's employees work from home, work on the road, or connect from airports, coffee shops, or vendors' locations, your network security needs to take this workforce model into account. The risks to the network increase when users roam the unsecured world of coffee shop (or hotel) wireless networks, and your network security plan has to account for these arrangements.

5. Electronic Data Interchange with Businesses and Consumers You risk a security breach whenever you exchange data directly across the Internet. There are numerous technologies that will secure those exchanges.

6. Data Sensitivity Legislation regarding the privacy of medical history and other personal data (e.g., social security numbers, credit card numbers, household income, credit scores, and so on) has expanded. Any company dealing with confidential personal information must have strong security processes in place to ensure that the data is handled properly at all stages (i.e., from collection to storage, retrieval, and analysis). Disruptions in this area can result in serious financial and legal consequences.

Cost of Security

The amount of money spent on security should match the risks associated with a potential breach of security (e.g., a financial firm has a higher risk profile than a paper supply company). However, both companies must assess their risk and decide on a reasonable level of protection. You can spend a lot of money on security, but at some point your ROI diminishes because you are outspending your risk.

When planning for the cost of security, evaluate the following:

■ Nature of company business

■ Government regulations

■ Reliance on e-commerce, Internet, and network connectivity

■ Nature of business transactions

■ Business structure (centralized, multiple locations, mobile workforce, and so on)

■ The tangible and intangible value of the information and company data

■ The potential impact of a security breach on the company's reputation and bottom line

One point that can be easy to miss in all of this is that your security really should be calibrated to the value of your company's data. To use an analogy, there's no point in putting a $5,000 alarm system on a 1980s Chevrolet Cavalier with a rusted-out frame and 150,000 miles on it. It's pretty low on the list of cars that get stolen (no offense intended toward anyone who owns such a vehicle, but chances are you don't worry about it getting hot-wired in your driveway). On the other hand, if you own a $250,000 custom sports car, a $5,000 alarm system might not be enough. You might also add a LoJack-style system that disables the engine when the car is reported stolen, and a GPS tracking device so you can locate the vehicle if it is taken. The point is that your security measures need to take into account the value of the data and the potential impact if that data (or network services) is disrupted. However, since you will have to defend your budget, you also need to make sure your security solution is commensurate with the value of the data and network services and the relative cost of business disruption.

ROI of Security

Once you have delineated the cost of security threats and of security spending, you can calculate an ROI or do a break-even analysis. The Computer Economics group determined that for a company with high exposure to risk factors (e.g., e-commerce companies), the break-even point for security per device is approximately $375 for a company with 100 devices. The per-device cost is approximately $400 for a company with 500 devices, or about $250,000. For the following example, we use a 100-device network. The cost of security hardware, software, implementation, management, and personnel is estimated at $196,000 for a high-risk company. The cost of a single security breach is estimated at $233,000. While this appears to be a $37,000 saving, it may not adequately address the loss of productivity, the opportunity cost (e.g., what else could we have done with our time if we were not remediating a security breach?), and the cost of the black mark on your business's reputation. The numbers show that the cost of avoiding a problem is less than the cost of fixing one. Put some numbers together for your organization that show the net positive result of problem avoidance. (For more information on the economics of computer security, go to
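The four Computer Economics steps (impact per breach category, exposure, cost of security, ROI) and the $196,000-versus-$233,000 comparison above can be put into a small model, shown here as an added example that is not part of the original chapter and not Computer Economics' own method. It uses the chapter's two 100-device figures, and it uses the standard annualized-loss-expectancy form of the calculation, which the chapter's comparison is a special case of (one breach per year, fully prevented). Everything else is constructed for illustration: the split of losses into virus, phishing and DoS categories, the assumed yearly occurrence rates, the assumed fraction of each that the spend prevents, and the $50/hour and $1,500/hour sample rates.

```python
"""Security ROI / break-even model (added example; not from the original chapter).

The $196,000 security cost and $233,000 breach cost are the chapter's
Computer Economics figures for a 100-device, high-exposure company.  The
per-scenario annual rates, reduction factors and hourly rates below are
constructed assumptions, not published data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class BreachScenario:
    name: str
    single_loss: float    # cost of one occurrence: staff time, lost revenue, productivity
    annual_rate: float    # expected occurrences per year with today's controls (assumed)
    reduction: float      # fraction of those occurrences the proposed spend prevents, 0..1 (assumed)


def remediation_labour_cost(minutes_per_user: float, users: int, hourly_rate: float) -> float:
    """Time lost to one incident, e.g. the chapter's 60 min x 48 users x an hourly rate."""
    return minutes_per_user / 60.0 * users * hourly_rate


def lost_revenue(outage_hours: float, avg_hourly_sales: float) -> float:
    """Direct sales lost while an e-commerce server is down (ripple effects excluded)."""
    return outage_hours * avg_hourly_sales


def annualized_loss(s: BreachScenario) -> float:
    """Annualized loss expectancy (ALE): single loss x expected yearly occurrences."""
    return s.single_loss * s.annual_rate


def avoided_loss(s: BreachScenario) -> float:
    """Portion of the ALE the proposed controls are expected to eliminate."""
    return annualized_loss(s) * s.reduction


def naive_saving(breach_cost: float, security_cost: float) -> float:
    """The chapter's comparison: one breach per year, fully prevented."""
    return breach_cost - security_cost


def rosi(scenarios, annual_security_cost: float) -> float:
    """Return on security investment: (avoided loss - cost of controls) / cost of controls."""
    avoided = sum(avoided_loss(s) for s in scenarios)
    return (avoided - annual_security_cost) / annual_security_cost


def break_even_rate(single_loss: float, annual_security_cost: float, reduction: float = 1.0) -> float:
    """Breaches per year at which the spend exactly pays for itself."""
    return annual_security_cost / (single_loss * reduction)


SECURITY_COST = 196_000.0   # chapter figure, 100 devices, high exposure
BREACH_COST = 233_000.0     # chapter figure, one breach

# Constructed scenarios; the DoS single loss reuses the chapter's breach figure.
SCENARIOS = [
    BreachScenario("virus outbreak", single_loss=40_000, annual_rate=4.0, reduction=0.8),
    BreachScenario("phishing / credential theft", single_loss=90_000, annual_rate=1.0, reduction=0.6),
    BreachScenario("DoS on e-commerce site", single_loss=BREACH_COST, annual_rate=0.5, reduction=0.7),
]

if __name__ == "__main__":
    print(f"one-incident labour (60 min x 48 users x $50/h): ${remediation_labour_cost(60, 48, 50):,.0f}")
    print(f"four-hour outage at $1,500/h in sales: ${lost_revenue(4, 1500):,.0f}")
    print(f"chapter's naive saving: ${naive_saving(BREACH_COST, SECURITY_COST):,.0f}")
    print(f"break-even: {break_even_rate(BREACH_COST, SECURITY_COST):.2f} breaches/year")
    for s in SCENARIOS:
        print(f"{s.name:30s} ALE ${annualized_loss(s):>10,.0f}  avoided ${avoided_loss(s):>10,.0f}")
    print(f"ROSI at ${SECURITY_COST:,.0f}: {rosi(SCENARIOS, SECURITY_COST):+.1%}")
```

The break-even function makes the chapter's hidden assumption explicit: $196,000 of spending pays for itself only if it prevents at least 0.84 of a $233,000 breach per year. If you expect breaches less often than that, or the controls prevent only part of them, the ROI goes negative, so the occurrence rate and the reduction fraction are the two numbers to defend in front of your finance people.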

Business Intelligence...

The Ultimate Cost of Security

A recently released survey by CompTIA sheds light on the cost of security. (See The Channel Insider, "Poll: IT Security Training Not a Priority" by Pedro Periera at,1895, 1934496,00.asp).

According to CompTIA Chief Operating Officer (COO) Brian McCarthy, employers do not invest enough in training; fewer than 25 percent of employees receive any type of security training. While investment in security hardware and software has increased in recent years, investment in training has not kept pace, which is alarming when you consider that 80 percent of all security breaches originate internally, many through simple human error. Much of that error can be attributed directly to a lack of security training. Companies gain a false sense of security from the capital they invest in hardware and software solutions, but without adequate training on the proper configuration, use, and maintenance of those solutions, the capital investment is wasted. The survey also found that, on average, IT departments spend 2 percent of their time and 5 percent of their budgets on security. That is low when you consider that the average security breach typically costs a company approximately 1.5 times what it spends on security solutions.

Now for the cold, hard truth. According to the Gartner Group, 50 percent of all businesses that suffer a data loss due to an attack or system failure go out of business within three years of the event if they fail to restore the lost data within 24 hours.

