Risk-taking is what makes the business world go round. But each organisation must decide which risks it wants to take on and which it would prefer to pay others to deal with.
The closer a given risk is to the core strength of the company, the better equipped it will be to handle the risk internally, creating value for customers and investors alike. However, when companies take on risks that are not completely understood, it can spell disaster.
For most organisations, IT security is not a core competency, which is why most prefer to purchase off-the-shelf solutions for keeping their data secure. In many ways, these investments in IT security act like insurance policies; the company pays for a technology solution in exchange for reducing the exposure to the costs of a breach.
Unlike most forms of insurance however, it is difficult to know when IT security pays off. Because it is impossible to see which disasters have been averted, it is easy to fall into the trap of thinking IT security is not adding value to the business.
A simple way to avoid the value trap is to evaluate your IT security investments against potential scenarios and see if they are creating value. To start, pick a reasonable probability that a loss would occur if it were not for the proposed IT security investment, say 10% for example.
Next, take the cost of the investment and divide it by that percentage to uncover the break-even loss, that is, the amount the organisation would have to expect to lose for the IT security investment to make business sense.
The last step is to ask ourselves: “If it were not for this solution, would there have been 10% greater chance at realising the break-even loss?”
For example, if installing a new next-generation firewall came with a £100K price tag, a 10% risk would yield an implied financial loss of £1m. If we feel certain that without that firewall, we would have exposed the company to at least a 10% chance of losing a million pounds, then the IT investment is likely to pay off.
Nathan Brady is senior technical marketing manager at Crossbeam Systems
Read more about aligning security and business
- Security Think Tank: Infosec professionals need to communicate value to business
- Security Think Tank: Four steps to show value of IT security
This was first published in December 2012