The ROI of network security

Network security can be a tough sell, but there are ways to convince your CFO that investing in security is a cost-effective move.

Network security is one of the hardest technology categories for which to create an ROI analysis. The fundamental problem is determining the value of preventing security breaches, which constitutes the “savings” in an ROI calculation of savings divided by cost.

Network security savings equals cost of security breach

Think of this value as landing somewhere along a security consequences continuum. At one extreme of the continuum (“no consequences”) are those organizations that would get no value from network security.

In this unlikely extreme, the organization would experience no costs in the event of a Web site being hacked, company information being stolen, or network resources being unavailable.

At the other extreme (“dire consequences”) is a company in which:

•  The Web site is so critical that every 5 minutes of downtime can be directly correlated to revenue loss.

•  Lost information has clear costs, such as legal costs from liability in the event of confidential client information being stolen.

•  Network resource downtime causes employee work stoppage, such that the employees literally can not work, and the cost of the breach is the employees’ salaries.

A strong case also can be made for the unquantifiable costs of network security breaches. But because these items are not directly measurable, it is best simply to pose them to your CFO or other non-IT management for their input:

•  If our clients find out we had a breach, would they become less loyal to us? Can this be quantified?

•  If it took us more than eight hours to respond to a breach (because it happened at midnight and we didn’t know about it until 8 a.m. the next day), would there be any ramifications (with our clients, suppliers or employees)? Can this be quantified?

Part of the challenge is in figuring out where on the security consequences continuum your organization lies. Two ways of determining this are as follows:

1. Has your organization experienced breaches in the past, and if so, what was the impact?

•  How many hours did the IT staff have to work to bring the Web site up (if it was hacked)?

•  How many hours of employee productivity were lost?

•  Were there financial ramifications (legal, competitive) because of lost information?

At the time of the breach, the mad rush to correct the problem often overshadows the need to document its impact. Still, in hindsight you might be able to recreate the scene of the crime.

2. Have any of your competitors experienced breaches?

•  Can you quantify their losses (for example, did their downtime result in additional business for your company)?

Sometimes I talk to network executives who have not experienced a breach but know of events experienced by their competitors and have told me (if a little gleefully) about the impact: “Their Web site was down for a whole day and our online sales went up 20%.” That can be translated into the competitor losing that 20% of revenue.

Network security costs

The costs of network security investment are quite broad. There are several categories of products and services in which a company might choose to invest – from firewalls, intrusion-detection systems, authentication systems and anti-virus tools, to various software tools that monitor servers and network devices, and raise alerts triggered by suspicious activities.

There are even fingerprint readers available for less than $200 per device. And for those organizations at the “dire consequences” end of the continuum, a 24-7 monitoring service also might be a justifiable expense.

Calculating the ROI

All ROI analysis is based on a given solution’s costs and its savings or revenue generation. The graphic on the right lists potential sources of both for network security.

As is commonly observed, investing in network security products is like buying insurance. You pay upfront to protect yourself against a possible calamity. For organizations that don’t have a quantifiable risk, perhaps very little investment is warranted. But for those at the “dire consequences” end of the continuum, network security investment is as vital as earthquake coverage for homeowners residing near the San Andreas Fault.