Mapping technology that does not generate direct revenue to the financial ecosystem of a business is a difficult task. Although security doesn’t earn any dividends in terms of revenue, it safeguards the business, and can be considered a loss prevention mechanism. For instance, consider a 1,000-seat BPO that charges X amount of dollars per hour. A virus attack or a DOS attack can not only debilitate the IT infrastructure for a couple of hours, but also mean substantial loss.
Measure financial impact: Pose questions
While presenting a business-case for security investment to any organization, it is important that an evaluation of current security has been done. It is necessary to understand a few things:
1) The worst-case scenario must be worked out when pitching for an investment in security. Highlight the proposed methods for mitigating risks and the cost of these methods.
2) The fundamental question of course is, “how much is too much”? The cost of security must not exceed the cost of the assets it is meant to protect.
3) The kind of security implementation that is cost-effective for an organization.
4) Effect of security measures on the workforce and productivity.
Since security is hard to directly map to a return on investment, metrics can be used to measure its effectiveness. The return on investment (RoI) on security can be justified by the profits or productivity that is being safeguarded to achieve turnover targets.
An instance is that of using firewall logs to measure the number of attacks before and after security deployment. An extension of this is to calculate the damage such attacks do to the network and the cost to the business.
Invest for scalability
Organizations have huge costs to incur, even when pitching for security services over cloud or virtualized security. Security investment planning for a scalable security solution can cause a fair amount of grief, since each organization will have its own security goals.
In addition to the costs, there is a hidden component that must be considered, namely, scalability cost. For instance, two years ago, various business units informed me that Mindlance plans to hire about 800 people. Although they hired only 555 people, I had made security investments taking into account the existing user-base and additional 800 users. The hiring took place over eight to nine months. During this period, my service capacity was not fully utilized, leading to an investment lock-in for that period.
In such scenarios, there is tangible advantage to the cloud model. Scalability cost does not need to be factored into security investments, and capacity can be scaled up on the fly — not to mention availing of a spectrum of services.
A balance must be struck between scalability cost and over-utilization of security resources to achieve an optimum level of efficiency as far as security investment planning is concerned. While a firewall with 1 Mbps throughput cannot handle a load of 2 Mbps, investing in a 10 Mbps firewall to handle the same traffic is not the best way to utilize your security investment.
About the author: Kamal Sharma is the group CIO at Mindlance. He holds a Bachelor’s degree in Technology from University of Hertfordshire and Management Diplomas from IIM-B and IMT. He is on the IT advisory board for International School of Management Excellence, an NVT group B-School.
(As told to Varun Haran)
Please send your feedback and/or comments to vharan at techtarget dot com. You can also subscribe to our twitter feed at @SearchSecIN