Stop apologising about the cost of IT security and start measuring the benefits. And keep those measurements simple and practical.
These were core messages from the most recent Computer Weekly Infosecurity User Group meeting on return on investment, featuring Philip Gregory, head of UK security at Norwich Union, and Nicolas Appert, European general manager for Qualys.
In a lively exchange with about 40 security-focused user managers, it emerged that although the level of IT risk is increasing and the cost of security is growing, business managers are becoming more tolerant of risk.
Managers now have a more mature, positive understanding of IT security, but this is coupled with fears about costs and complacency.
Some organisations may well be paying too much for overall risk, so they should first find out how much they are spending and build a quantified risk profile.
One metric which successfully influenced one company's board placed specific risks within a graph of the severity of impact of a security breach, set against the probability of it happening. From that the cost of avoidance is calculated and annualised.
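As an added illustration (not from the meeting, the board or the company mentioned), the following Python sketch formalises that kind of metric in the usual way: each risk's impact and yearly probability give an annualised expected loss, the one-off cost of the avoidance measure is spread over its service life, and the difference shows whether the spend pays for itself. The band thresholds and the sample risks are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Risk:
    name: str
    impact_gbp: float            # severity: estimated loss if the breach happens once
    probability: float           # chance of at least one occurrence per year
    control_cost_gbp: float      # one-off cost of the avoidance measure
    control_life_years: int      # years the measure is expected to remain effective
    residual_probability: float  # yearly probability once the measure is in place

# Assumed banding for the impact-vs-probability graph (constructed thresholds).
def severity_band(impact_gbp):
    return "low" if impact_gbp < 100_000 else "medium" if impact_gbp < 1_000_000 else "high"

def probability_band(probability):
    return "rare" if probability < 0.05 else "possible" if probability < 0.3 else "likely"

def evaluate(risk):
    """Annualise both the expected loss and the cost of avoiding it."""
    ale_before = risk.impact_gbp * risk.probability
    ale_after = risk.impact_gbp * risk.residual_probability
    annual_cost = risk.control_cost_gbp / risk.control_life_years
    net_benefit = (ale_before - ale_after) - annual_cost
    return {
        "name": risk.name,
        "cell": (severity_band(risk.impact_gbp), probability_band(risk.probability)),
        "ale_before": round(ale_before, 2),
        "ale_after": round(ale_after, 2),
        "annual_control_cost": round(annual_cost, 2),
        "net_annual_benefit": round(net_benefit, 2),
        # return on the security spend: above zero means the control pays for itself
        "rosi": round(net_benefit / annual_cost, 3),
    }

def risk_profile(risks):
    """Quantified profile, largest expected loss first, for a board summary."""
    return sorted((evaluate(r) for r in risks), key=lambda e: e["ale_before"], reverse=True)

# Constructed sample risks; every figure here is illustrative, not from the article.
SAMPLE_RISKS = [
    Risk("Unencrypted laptop stolen", 50_000, 0.6, 30_000, 3, 0.1),
    Risk("Customer web server compromised", 400_000, 0.1, 120_000, 4, 0.02),
    Risk("Data centre fire", 2_000_000, 0.01, 250_000, 5, 0.005),
]

if __name__ == "__main__":
    for entry in risk_profile(SAMPLE_RISKS):
        flag = "worth funding" if entry["net_annual_benefit"] > 0 else "overpaying for avoidance"
        print(f"{entry['name']:<34} {entry['cell']!s:<22} ALE £{entry['ale_before']:>9,.0f} "
              f"net £{entry['net_annual_benefit']:>9,.0f}  ROSI {entry['rosi']:+.2f}  {flag}")
```

A negative net figure is the "paying too much for overall risk" case: the annualised cost of avoidance exceeds the loss it removes.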
Martin Smith, CWIUG convenor, warned that if security gets in the way of business decisions it will be disregarded.
"Therefore you have to balance latency and availability," he said. "Those two metrics are applicable to all IT."
Measuring the intangible benefits of IT security took up a large chunk of the discussion time. One IT manager drew attention to standard metrics for evaluating brand image and any contaminants that affect them.
Half of the firms affected by major security failure disappear within 18 months, as confidence drains away from their brand. In the current stretched world, most companies are already operating under stress.
As is common in most user discussions, there was no holy grail for measuring return on investment in security.
But, as one attendee said, just as cars have brakes to allow them to go faster safely, IT security allows companies to undertake business transactions with confidence, and avoid costs that might otherwise arise.
Therefore, security generates a return on investment and some measurement for this should be possible in all organisations.
29 April: Future trends in IT security, Infosecurity Europe, Earls Court
June: Governance and liability
July: Security awareness and workshop
November: Authentication and identity
Membership of the Computer Weekly Infosecurity User Group is free to anyone with responsibility for IT security in a UK user organisation. The group organises regular free-of-charge meetings on key security topics with top speakers and delivers a monthly newsletter. To find out more, e-mail CWInfoSecEditor@rbi.co.uk