Measure up to IT risk tolerance

Boards need to adopt a quantifiable business case to measure the return on IT security.

Stop apologising about the cost of IT security and start measuring the benefits. And keep those measurements simple and practical.

These were core messages from the most recent Computer Weekly Infosecurity User Group meeting on return on investment, featuring Philip Gregory, head of UK security at Norwich Union, and Nicolas Appert, European general manager for Qualys.

In a lively exchange with about 40 security-focused user managers, it emerged that although the level of IT risk is increasing and the cost of security is growing, business managers are becoming more tolerant of risk.

Managers now have a more mature, positive understanding of IT security, but this is coupled with fears about costs and complacency.

Some organisations may well be paying too much for overall risk, so they should first find out how much they are spending and build a quantified risk profile.

One metric that successfully influenced one company's board plotted specific risks on a graph of the severity of a security breach's impact against the probability of its occurring. From that, the cost of avoidance is calculated and annualised.
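The severity-against-probability metric described above, carried through as an added worked example that is not from the article or from either speaker's organisation. The risk register, the banding thresholds and all the figures are constructed for illustration; the approach is the standard one of comparing expected annual loss (probability times impact) with the annualised cost of the control that reduces it.

```python
"""Quantified risk profile: place each risk on a severity/probability grid and
compare its expected annual loss with the annualised cost of avoiding it.

Added example; the register, thresholds and figures below are constructed and
are not the article's own data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    annual_probability: float    # chance of at least one breach per year (0..1)
    impact_gbp: float            # loss if the breach happens once (single-loss expectancy)
    control_capex_gbp: float     # one-off cost of the avoiding control
    control_opex_gbp: float      # recurring yearly cost of the control
    control_life_years: float    # period over which the one-off cost is spread
    residual_probability: float  # annual probability once the control is in place


# Assumed banding thresholds (constructed): severity by single-loss impact,
# probability by annual likelihood.  Each risk lands in one grid cell.
SEVERITY_BANDS = ((1_000_000, "High"), (100_000, "Medium"), (0, "Low"))
PROBABILITY_BANDS = ((0.3, "High"), (0.1, "Medium"), (0.0, "Low"))


def band(value, bands):
    """Return the label of the first band whose lower bound the value meets."""
    for lower, label in bands:
        if value >= lower:
            return label
    return bands[-1][1]


def grid_cell(r: Risk):
    """(severity band, probability band): the risk's position on the board's graph."""
    return band(r.impact_gbp, SEVERITY_BANDS), band(r.annual_probability, PROBABILITY_BANDS)


def expected_annual_loss(r: Risk):
    """Probability x impact: what the risk costs per year if nothing is done."""
    return r.annual_probability * r.impact_gbp


def annualised_avoidance_cost(r: Risk):
    """One-off cost spread over the control's life, plus the yearly running cost."""
    return r.control_capex_gbp / r.control_life_years + r.control_opex_gbp


def annual_loss_avoided(r: Risk):
    """Reduction in expected annual loss that the control buys."""
    return (r.annual_probability - r.residual_probability) * r.impact_gbp


def return_on_security_investment(r: Risk):
    """(loss avoided - control cost) / control cost, per year."""
    cost = annualised_avoidance_cost(r)
    return (annual_loss_avoided(r) - cost) / cost


def risk_profile(risks):
    """Rank risks by expected annual loss and say whether each control pays for itself."""
    rows = []
    for r in risks:
        rosi = return_on_security_investment(r)
        rows.append({
            "name": r.name,
            "cell": grid_cell(r),
            "expected_annual_loss": expected_annual_loss(r),
            "annualised_avoidance_cost": annualised_avoidance_cost(r),
            "rosi": rosi,
            # A control that costs more per year than the loss it removes is
            # a candidate for accepting or transferring the risk instead.
            "recommendation": "mitigate" if rosi > 0 else "accept or transfer",
        })
    return sorted(rows, key=lambda row: row["expected_annual_loss"], reverse=True)


# Constructed register: three illustrative risks with made-up figures.
SAMPLE_REGISTER = [
    Risk("Unencrypted laptop theft", 0.5, 200_000, 60_000, 10_000, 3, 0.05),
    Risk("Customer web application breach", 0.2, 1_500_000, 150_000, 50_000, 3, 0.05),
    Risk("Data centre fire", 0.01, 5_000_000, 400_000, 20_000, 5, 0.002),
]


if __name__ == "__main__":
    for row in risk_profile(SAMPLE_REGISTER):
        sev, prob = row["cell"]
        print(f"{row['name']:<34} severity={sev:<6} probability={prob:<6} "
              f"EAL={row['expected_annual_loss']:>10,.0f} "
              f"cost={row['annualised_avoidance_cost']:>9,.0f} "
              f"ROSI={row['rosi']:>6.2f}  {row['recommendation']}")
```

The point the board graph makes is visible in the output: the data centre fire sits in the high-severity cell but its annualised avoidance cost exceeds the loss it removes, so on these figures the control does not pay, whereas the two higher-probability risks do.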

Martin Smith, CWIUG convenor, warned that if security gets in the way of business decisions it will be disregarded.

"Therefore you have to balance latency and availability," he said. "Those two metrics are applicable to all IT."

Measuring the intangible benefits of IT security took up a large chunk of the discussion time. One IT manager drew attention to standard metrics for evaluating brand image and any contaminants that affect them.

Half of the firms affected by a major security failure disappear within 18 months, as confidence drains away from their brand. In the current stretched climate, most companies are already operating under stress.

As is common in most user discussions, there was no holy grail for measuring return on investment in security.

But, as one attendee said, just as cars have brakes to allow them to go faster safely, IT security allows companies to undertake business transactions with confidence, and avoid costs that might otherwise arise.

Therefore, security generates a return on investment and some measurement for this should be possible in all organisations.

Future meetings

29 April: Future trends in IT security, Infosecurity Europe, Earls Court

June: Governance and liability

July: Security awareness and workshop

September: Cybercrime

November: Authentication and identity

Membership of the Computer Weekly Infosecurity User Group is free to anyone with responsibility for IT security in a UK user organisation. The group organises regular free-of-charge meetings on key security topics with top speakers and delivers a monthly newsletter. To find out more, e-mail [email protected]