Building a return-on-investment (ROI) argument can be difficult enough when dealing with known information security technology, but creating an argument persuasive enough to convince a board when trying to look three to five years down the road can be daunting.
Still, most IT security industry pros know – and readily accept – the fact that unlike the networks of the past, networks today and for the foreseeable future essentially have no perimeter to defend. More and more, when executives and information security leaders consider the technologies they must enlist to efficiently and effectively undertake everyday business initiatives and operations, those being chosen often are outside the direct, hands-on control of the company responsible for protecting the data. In the 21st
century, managing data means overseeing and safeguarding it in the cloud, on servers managed by software-as-a-service (SaaS) vendors and, perhaps, on the servers of business partners.
Yet managing risk in an environment where networks overlap need not require gambling on unproven technologies, says Jeffrey Stutzman, chief operating officer and vice president of collaborative research and analysis at Red Sky Alliance. Companies should understand what tools they already own, he says, and then determine if existing staff is trained sufficiently to get all the value from what the company already has onsite. He suggests that companies not buy products simply because analysts say they serve an industry need, but rather because they serve the company's specific needs.
Stutzman compares the networks of the future to the SETI Institute's [email protected]
program, which uses spare compute cycles on PCs connected around the world to search outer space for intelligent life. Just as the SETI (Search for Extraterrestrial Intelligence) program's network has no defined perimeter as systems come online and go offline constantly, so too will networks of the future be flexible. “ROI won't come from a fancy [security] package,” he says. Rather, companies will define ROI based on their specific needs.
And, prioritizing risk based on specific, identifiable needs offers a better ROI than buying generic products. “ROI comes from identifying the individual threat intelligence landscape,” he says.
The “right” security technology
John Murgo, founder and CEO of Digital Immunity, has been on both sides of the ROI debate. As the chief financial officer of Acronis, he presented investment proposals to the company's board. And, as a member of the board at iMakeNews, he hears the proposals made to the board by corporate executives.
Today's boards of directors are much more tech- and security-savvy than in the past, he says, and better able to understand the value of a company's reputation and brand. Companies that experience major breaches can expect to see a serious impact on their market capitalization and future sales if customers lose trust in the firm, he explains. “One size doesn't fit all.”
The right security technology for one company might be totally wrong for another firm, he says, even one in the same business. Boards today are aware that the money spent on remediation of a breach – along with direct breach costs – is often far more expensive than implementing a security plan, even if the plan doesn't address every single vulnerability.
By assuming that attackers are already in a corporate network being proactive to stop exfiltration of data is more cost-effective than being reactive to a breach, he says.
Christopher Burgess, CEO at Prevendra and a well-regarded security veteran, says companies are moving to the cloud for availability and accessibility. “It's less about being location-dependent, convenience is driving the move," he says. Burgess underscores that networks in the future will be less about perimeter defenses and more about the virtual security of data across multiple networks.
Like so many technological changes, it is often easier to prove the negatives than it is to show a specific positive return on investment for security. But, Burgess says, the measure by which companies define success in the future often will be based on demonstrating how their networks were able to repel breaches and protect their organization's confidential and customer data. Proving that client data is safe – and the network is always available – will be a key part of demonstrating security's return on investment in the years to come.