The way to get the executive team to pay attention is to provide a quality ROI on any new initiative. If the boards of directors can’t understand the needs of various departments then the only way to their pocketbook is to present them with a bottom line return on their investment.
In the case of procuring a security budget executives are often less than forthcoming because of the lack of information they receive from department heads. Boards of directors and executive teams respond most favorably to requests for information security budgets which are cost justified with a simple ROI business case.
The business case needs to specifically show how potential costs associated with liability, caused by security breaches, may be minimized by implementing a sound security infrastructure. This can be accomplished by allowing a third party to do a security audit that provides evidence of security risks.
This approach of utilizing an ROI to cost justify a security budget is the same premise used to purchase insurance for commodities like office furniture, computers, etc. The difference is that if a security breach occurs as a result of not implementing the proper protection procedures, the associated costs far outweigh the costs to replace furniture.
The potential liabilities, such as loss of production and/or loss of reputation are translated into actual dollars in the ROI. The security budgets are created by taking a small percentage of the cost of the potential losses and applying it to preventative measures.
As such this calculation of ROI is actually a calculation of the percentage of the cost to avoid the cost of liability compared to the potential cost of liability. This is similar to the methodology for calculating the financial benefit of insurance for commodities such as office buildings, furniture and computers.
Since the cost of a security infrastructure often falls within about the same price ratio of commodity insurance, one would think this cost justification would be easily sold to an executive committee.
This is often the case, particularly when the business risks identified in the business case are based upon hard evidence of actual security risks. Actual security risks can be identified by evidentiary security audits. These audits are performed by impartial third parties, with an expertise in identifying both technical and policy risks.
Methodology of calculating ROI
There are three components to the ROI calculation:
1. Identifying actual security risks and translating them into quantifiable business risks.
2. Identifying how to mitigate the security risks, and determining the associated cost.
3. Calculating the ROI as the per cent of cost of mitigation divided by the cost of the risk.
The first step in identifying security risks is to identify security vulnerabilities, which can occur when there are technical and policy flaws. As a result, a network can be compromised in order to create a security breach. A typical risk scenario could be an incorrectly configured firewall, which could allow an Internet intruder to gain access to a corporate server containing Sarbanes-Oxley related financial files. The risk situation is exacerbated because the server software has not been patched (maintained) since the latest security threat made the server vulnerable to a security attack.
The example of a security risk scenario above deals with security vulnerabilities which would be found with one family of audit steps, called external audits. In order to not mislead the reader, it is important at this juncture to understand that there are four different families of audit steps, which in turn are subsets of one classification of audits called evidentiary audits.
For clarity, best practice based audits deal with compliancy to standards such as ISO 17799. 2 These are high level standards and do not deal with the detailed implementation of an actual network. In contrast, an evidentiary audit identifies actual proof of existing risk. An analogy might be that a standards audit defines "how to...." And an evidentiary audit defines "what is..."
An evidentiary audit may be comprised of four steps:
a. Employee Behavior
Risks are identified relating to social engineering (ability to dupe an employee into giving information or physical access to an unauthorized third party) and identifying the critical control information "keys to the kingdom" held by the IT department.
b. Network External
Risks are identified from the perspective of how a network appears to potential Internet intruders or to potential wireless intruders.
c. Network Internal
Risks are identified relating to how employees attract liability by their Internet misuse; how servers, firewalls, and all other devices are configured and deployed; IT procedures; etc.
d. Physical
Risks relating to "locks, doors, fences, fire, intrusion, etc. (A physical audit overlaps an employee behavior audit. )
A crucial element of identifying security vulnerabilities is to also document the evidence of how the vulnerability was found. This evidence should be conveyed in a clear manner, such that an independent third party could verify the evidence, much in the way a financial auditor would review an audit trail.
At this stage the security vulnerabilities are described in very technical terms, and of absolutely no use to an executive team who may be asked to provide funds to mitigate the risks. In order to develop this raw intelligence into a business case, it is therefore necessary to translate these technical security vulnerabilities into business risks.
In the scenario above, the business risk would be that financial data is at risk of being modified, stolen, or deleted. The associated resulting liabilities could be:
1. Contravening Sarbanes-Oxley by using corrupt financial data, resulting in damage to the reputation and stock price.
2. Using "inside" information to manipulate stock prices, again resulting in damage to reputation and the stability of a stock.
3. Early disclosure of financial reports, again damaging reputation.
The next step is to quantify the costs associated with the risks, should they become reality and actual liabilities. A simple, time-effective method of allocating costs is by using an "executive straw pole," for the executive team to estimate potential downside costs.
Identifying risk mitigation and associated costs
A security audit should not only identify the security risks, but should also provide high level recommendations to remedy or to mitigate the risks. These recommendations can of course be augmented by a CIO or CSO who deems the recommendations as strategic to a larger security plan.
The CIO or CSO can then request price quotations from various vendors of security technology and security services, as input for the ROI business case. The total of these costs are the mitigation costs.
The totals of the cost of risk and the mitigation costs are used in the following formula:
ROI = % mitigation costs divided by the cost of potential risk
Outsourcing: an alternative to security technology acquisition
Executive teams of course always want the best ROI for any project, and optimizing security technology is no exception. Pitfalls for acquiring technology with a penchant for becoming obsolete before it is installed are obvious and often become sources of embarrassment for the recommender. This problem is often exacerbated with delays or difficulties with implementation and tuning of sophisticated technology.
Therefore it is useful to consider outsourcing the security services with the associated features and benefits as a low risk, cost effective alternative to acquisition.
Some outsourcers will provide a pilot project as a proof of concept of the entire project, which can then gracefully be increased in scope to full production. This step minimizes the time to implement and the embarrassment of acquiring technology which is never actually implemented.
The cost of outsourcing also covers other "soft costs" which quickly can become hard costs upon implementation, such as training and managing and monitoring the technology.
Outsourced services can be immediately expensed in most jurisdictions, from a tax perspective.
Purchased technology may become obsolete and replaced before it is even fully depreciated on the books. Similarly, if technology is leased, the lifetime of payments may persist past the actual lifecycle of the technology.
1. Compare purchase vs. outsourcing costs
a. Capital costs of security technology
b. Term of technology depreciation vs. lifecycle
c. Manpower costs to manage and monitor
d. Trial costs vs. cost of making an error
2. Account for lifecycle of technology vs. term for depreciating capital expenditures on security technology
Creating an ongoing ROI cost justification process
Fundamental to ensuring an ongoing adequate security budget is keeping the executive committee fully engaged in the security process. It is incumbent upon the CIO and CSO to educate their executive peers on the principle that security is an ongoing process, and not a one time event.
As such, as the CIO and CSO successfully implement security infrastructure, it is critical they report on the results in terms of the initial business case used to cost justify the process. This can be successfully accomplished by proving with a business case that the investment in security had the planned payback.
Conclusion and call to action
Obtaining an adequate incremental security budget does not need to be sidelined until the next security event or until the next year's budget. CIOs and CSOs can compel executive teams and boards of directors to make funds available, with the appropriate ROI business case.
The most convincing case is based upon real life evidence of risks faced by their organization, and a financial plan of how to mitigate these risks. It is important to involve the executives in the process by asking for their participation in a straw pole to determine the costs of risks becoming realities. In doing so, the responsibility of addressing the corporation's security needs clearly becomes an executive decision that cannot be avoided.
Executives understand risk and dollars. Those are the only terms with which to describe an ROI information security budget request.
Ron Lepofsky is the president and CEO of ERE Information Security
