Well-designed and implemented security is invaluable to today's organisations, but boards are keen to define the real cost of resources and investments they make in this area.
Security spending can never be a bottomless pit and there is now more of a focus on the total cost of spending on IT security and what return companies are getting. But with viruses and other cyber-threats becoming ever more sophisticated, what price should an organisation put on the security of its systems?
One way to measure this is to look at the total cost of ownership. TCO is not a new concept - indeed, it was introduced first more than 15 years ago. It seeks to define the total cost of an asset or resource over its lifetime, including initial purchase price plus support contracts, servicing, upgrades, associated consumables and the human resources required to manage it.
Measuring TCO is complicated, particularly as there are few agreed approaches. One method, however, is to divide the costs into those that are fixed and those that are variable.
Fixed costs are attached to the hardware, software and security-related support and maintenance contracts. These are usually up-front costs incurred at the time of the initial investment and are easy to calculate. They can also be spread across the life of the implementation for the purpose of the TCO calculation.
Variable costs include the management of upgrades, ongoing maintenance, telecommunications, training and downtime. They also bring into consideration elements such as management time and estimates of usage and utilisation of company resources which are harder to evaluate.
For a routine firewall upgrade and maintenance process, three software elements must be considered: the operating system, the firewall/virtual private network itself, and the high availability/load-balancing software.
It takes more than two hours to upgrade an operating system or firewall and about half an hour for high-availability software.
There are also costs to consider in maintaining systems. Engineers will average about 16 hours to identify and test the combination of these three sub-systems. Therefore, the first node will take more than 21 hours to upgrade. Even allowing for faster implementation on subsequent nodes, a typical upgrade of 10 firewalls will take almost nine days.
It therefore makes a great deal of sense to examine the TCO for security in some depth. As well as the list price of the hardware and software, IT chiefs need to look at annual maintenance costs and investigate the likely resources necessary for upgrades.
Any discussion of TCO feeds into an assessment of return on investment. The difficulty with calculating the value of a security product is that it is essentially a defensive asset - the only measure you may have that would enable you to put a price on it is through the damage done to similar businesses by such acts.
Ultimately, a well-conducted total cost of ownership analysis to back-up investment decisions will go a long way towards convincing senior management that money has been spent well and with foresight.
Nigel Rix is regional director for the UK, Ireland and South Africa at Stonesoft Networks, an exhibitor at Infosecurity Europe 2004, which will be held at London's Olympia on 27-29 April
This was first published in March 2004