Network security can be a tough sell, but there are ways to convince your CFO that investing in security is a cost-effective move.

Network security is one of the hardest technology categories for which to create an ROI analysis. The fundamental problem is determining the value of preventing security breaches, which constitutes the "savings" in an ROI calculation of savings divided by cost.

Network security savings equals cost of security breach

Think of this value as landing somewhere along a security consequences continuum. At one extreme of the continuum ("no consequences") are those organizations that would get no value from network security. In this unlikely extreme, the organization would incur no costs if its Web site were hacked, company information were stolen, or network resources were unavailable.

At the other extreme ("dire consequences") is a company in which:
• The Web site is so critical that every five minutes of downtime can be directly correlated to revenue loss.
• Lost information has clear costs, such as legal costs from liability if confidential client information is stolen.
• Network resource downtime causes employee work stoppage, such that employees literally cannot work, and the cost of the breach is the employees' salaries.

Cost vs. cost
Balancing the cost of network security against the cost of not implementing network security.

With network security. Common investments include:
• Firewalls.
• Intrusion-detection systems.
• Web filter/content filtering system.
• Anti-virus software.
• Monitoring tools.
• Authentication solutions (such as RSA's SecurID).
• Staff security specialists (or consultants to provide the necessary ongoing maintenance of security products).
• 24-7 monitoring service.

Without network security. Common questions:
• Cost to the organization if the Web site is hacked?
• Cost of information loss? (Potential for competitors to gain access to proprietary information, potential loss of credibility with clients, potential litigation costs over information that is considered confidential.)
• Cost of network resource downtime? (Number of employees potentially affected, multiplied by their salary cost to the company.)

A strong case also can be made for the unquantifiable costs of network security breaches. But because these items are not directly measurable, it is best simply to pose them to your CFO or other non-IT management for their input:
• If our clients find out we had a breach, would they become less loyal to us? Can this be quantified?
• If it took us more than eight hours to respond to a breach (because it happened at midnight and we didn't know about it until 8 a.m. the next day), would there be any ramifications (with our clients, suppliers or employees)? Can this be quantified?

Part of the challenge is figuring out where on the security consequences continuum your organization lies. Two ways of determining this are as follows:

1. Has your organization experienced breaches in the past, and if so, what was the impact?
• How many hours did the IT staff have to work to bring the Web site back up (if it was hacked)?
• How many hours of employee productivity were lost?
• Were there financial ramifications (legal, competitive) because of lost information?

At the time of the breach, the mad rush to correct the problem often overshadows the need to document its impact. Still, in hindsight you might be able to recreate the scene of the crime.

2. Have any of your competitors experienced breaches?
• Can you quantify their losses (for example, did their downtime result in additional business for your company)?

Sometimes I talk to network executives who have not experienced a breach but know of events experienced by their competitors and have told me (if a little gleefully) about the impact: "Their Web site was down for a whole day and our online sales went up 20%." That can be translated into the competitor losing that 20% of revenue.

Network security costs

The costs of network security investment are quite broad. There are several categories of products and services in which a company might choose to invest - from firewalls, intrusion-detection systems, authentication systems and anti-virus tools, to various software tools that monitor servers and network devices and raise alerts triggered by suspicious activity. There are even fingerprint readers available for less than $200 per device. And for those organizations at the "dire consequences" end of the continuum, a 24-7 monitoring service also might be a justifiable expense.

Calculating the ROI

All ROI analysis is based on a given solution's costs and its savings or revenue generation. The "Cost vs. cost" sidebar above lists potential sources of both for network security.

As is commonly observed, investing in network security products is like buying insurance. You pay upfront to protect yourself against a possible calamity. For organizations that don't have a quantifiable risk, perhaps very little investment is warranted. But for those at the "dire consequences" end of the continuum, network security investment is as vital as earthquake coverage for homeowners residing near the San Andreas Fault.
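Putting the article's ROI definition into a small model, as an added example that is not part of the original article: it itemises the cost of one breach the way the "Cost vs. cost" sidebar does (site downtime, IT recovery time, idled employees, lost information), annualises the investment side, and divides savings by cost. The class and function names, the breaches-prevented-per-year weighting, and every figure in the constructed sample are assumptions made here, not numbers from the article.

```python
"""Worked ROI model for a network security investment.

Added example; it is not code from the original article. It implements the
article's own definition, ROI = savings / cost, where "savings" is the cost of
the breaches the investment prevents. The breaches-per-year weighting and all
sample figures below are assumptions introduced here for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Dict


@dataclass
class BreachImpact:
    """Cost components of a single breach (all hypothetical inputs)."""
    site_downtime_hours: float = 0.0
    revenue_per_hour: float = 0.0        # online revenue lost per hour the site is down
    it_recovery_hours: float = 0.0       # staff hours spent bringing the site back up
    it_hourly_rate: float = 0.0
    employees_idled: int = 0             # employees who literally cannot work
    idle_hours: float = 0.0
    employee_hourly_rate: float = 0.0    # their salary cost to the company, per hour
    information_loss: float = 0.0        # legal / competitive cost of lost information

    def cost(self) -> float:
        """Direct cost of one breach: the cost of not implementing security."""
        return (
            self.site_downtime_hours * self.revenue_per_hour
            + self.it_recovery_hours * self.it_hourly_rate
            + self.employees_idled * self.idle_hours * self.employee_hourly_rate
            + self.information_loss
        )


@dataclass
class SecurityInvestment:
    """Annualised cost of the security products and services in place."""
    products: Dict[str, float] = field(default_factory=dict)  # firewall, IDS, anti-virus, ...
    staff_per_year: float = 0.0                               # specialists or consultants
    monitoring_service_per_year: float = 0.0                  # 24-7 monitoring service

    def annual_cost(self) -> float:
        return (sum(self.products.values())
                + self.staff_per_year
                + self.monitoring_service_per_year)


def annual_savings(impact: BreachImpact, breaches_prevented_per_year: float) -> float:
    """Savings = cost of the breaches the investment is expected to prevent."""
    if breaches_prevented_per_year < 0:
        raise ValueError("breaches prevented per year cannot be negative")
    return impact.cost() * breaches_prevented_per_year


def roi(investment: SecurityInvestment, impact: BreachImpact,
        breaches_prevented_per_year: float) -> float:
    """ROI as the article defines it: savings divided by cost."""
    cost = investment.annual_cost()
    if cost <= 0:
        raise ValueError("investment cost must be positive")
    return annual_savings(impact, breaches_prevented_per_year) / cost


# Constructed sample (hypothetical figures): an organisation near the
# "dire consequences" end of the continuum.
DIRE = BreachImpact(site_downtime_hours=8, revenue_per_hour=5_000,
                    it_recovery_hours=40, it_hourly_rate=75,
                    employees_idled=200, idle_hours=8, employee_hourly_rate=30,
                    information_loss=100_000)
INVESTMENT = SecurityInvestment(
    products={"firewall": 20_000, "intrusion-detection": 15_000,
              "anti-virus": 5_000, "monitoring tools": 10_000},
    staff_per_year=90_000, monitoring_service_per_year=30_000)


def dire_consequences_roi(breaches_prevented_per_year: float = 2.0) -> float:
    """ROI for the constructed sample; 2 prevented breaches/year is an assumption."""
    return roi(INVESTMENT, DIRE, breaches_prevented_per_year)


if __name__ == "__main__":
    print(f"cost of one breach:      {DIRE.cost():,.0f}")              # 191,000
    print(f"annual security cost:    {INVESTMENT.annual_cost():,.0f}")  # 170,000
    print(f"ROI (2 breaches/year):   {dire_consequences_roi():.2f}")    # 2.25
```

The "no consequences" extreme falls out naturally: a `BreachImpact()` with every field at zero gives zero savings and an ROI of 0, which is the article's point that such an organization gets no value from the investment. The breaches-prevented-per-year input is where the continuum question lands in practice; the article's two questions (your own breach history, and your competitors' outages) are the inputs a practitioner would use to estimate it, and it is worth presenting the CFO with a low and a high value rather than one number.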