"Security is more like buying insurance than buying an application," says Brendan Major, director of information services at child protection charity, the NSPCC [National Society for the Prevention of Cruelty to Children]. "How do you quantify your insurance premiums? How much resource do you want to put in?" he asks.
As a charity dealing with highly sensitive personal data, the NSPCC gives high priority to information security. "In the last four years, our security spend has at least doubled," Major says. "As more and more data is held and distributed electronically, that has led to an increase in our IT security profile, definitely."
Like the NSPCC, most organisations are spending more than ever on security. Market research firm Key Note predicts that in the UK, security spending will rise to £1.76 billion by 2004, from £651 million in 1999, fuelled by increasing use of the Internet and a wider awareness of the risks posed by virus attacks.
However, in order to make a business case for these investments, organisations need to determine how they may be used to best effect, and building a credible return on investment (ROI) case for security products is a major challenge. Most organisations are reluctant to admit that they have been the victims of computer crime, and as a result, hard data about security risks – and hence about the likely paybacks of investing in security technology – is hard to come by. So are IT decision-makers getting a good return on these security investments? The answer is, most of them have no idea.
Too little, too late
"You only really know if it's worth having a firewall when you're broken into and lose money," explains Simon Owen, a partner within the Technology Risk Consulting group at management consultancy Andersen. "Surveys have shown that the average cost associated with a security breach is around £250,000, but directors are still reluctant to spend even £50,000 on a firewall until it happens to them."
"In some cases, the only way the board will be persuaded there's a risk is when the company gets hammered with a virus," agrees Julian Bogajski, UK commercial director of Sybari, a specialist in anti-virus systems for Microsoft Exchange and Lotus Notes groupware systems. "In probably 50% or more of the sales we make, companies fail to establish cost justification internally. Then they get hit by a virus and come back to us needing a solution almost instantly. And they're getting hit financially twice – because of the cost of implementing the security measures, and because of the downtime and clean-up costs."
The NSPCC uses two broad principles to steer its security investment strategy, explains Major. First, the charity takes an end-to-end view of security that encompasses both the physical and technological aspects – and maintains and updates the security infrastructure along end-to-end lines. "We have a 'flank' approach, whereby different component parts of our security systems move forward together," Major explains. "There's no point having massively secure firewalls if your physical security is poor, for example," he says.
Second, the NSPCC has established a hierarchy of priorities for security spending, with protection of services and data at the top of the list, followed by preventative measures such as intrusion detection, then sophisticated investigation methods. "If we decided to look at security afresh, we'd look across the flank, according to our priorities," Major says.
Owen of Andersen argues that the only effective way to measure the value of your security investment is to measure risk – the potential cost of not having security technologies in place. But that is easier said than done. Accurate risk assessment means technology decision-makers need to have a very thorough understanding of their businesses – what the key business processes are, and all the ways they might be affected by a major security breach, for example.
"From our research, it's clear that few organisations have a sound method of managing the growth in information risk," says Alan Stanley, managing director of the Information Security Forum (ISF). Set up in 1989, the ISF is a non-profit organisation focusing on providing practical solutions to information security problems. It has developed its own methodology, FIRM (Fundamental Information Risk Management), which companies can use to highlight their critical business applications and the relationship between costs, controls and security incidents. The ISF is working with technology risk software company Citicus to develop an automated version of the methodology.
ISF members can also benchmark their own security experiences and procedures against those of their peers using data from a two-yearly membership survey which the ISF has carried out since the late 1980s.
Another company that aims to assess companies' exposure to security risk – and does so from the physical, electronic and process points of view – is Compass Management Consulting. Compass has built up a database of IT performance metrics and operational practices by which to measure risk. "We look at things like proximity and location issues, at internal and external security, and at existing security policies," explains Debbie Rosario, a senior consultant with Compass. "Threat times vulnerability equals risk, and once you have an idea of the scale of the risk, you can have a sensible dialogue about the areas of security you should focus on."
Rosario believes that the difficulty of evaluating security risk is overestimated by many organisations. "The skill is simply in getting the company to understand what their critical business processes are, and the impact on the bottom line if something goes wrong," she says. "Some industries are already very good at that. Most retailers, for example, know their average sales per hour, and can calculate the impact of lost sales quite accurately."
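As an added worked example that is not part of the original article: the rule of thumb quoted above (threat times vulnerability equals risk) and the retailer's lost-sales-per-hour reasoning, carried through in Python to an annual loss estimate and a return figure for a proposed control. The scenario figures are assumptions for illustration; the only numbers taken from the article are the £250,000 average breach cost and the £50,000 firewall cost quoted earlier.

```python
"""Risk-based justification for a security control.

Added worked example, not code from the article or from any firm named
in it. Turns "threat x vulnerability = risk" and a per-hour lost-sales
figure into an annualised loss expectancy (ALE) and a return on security
investment (ROSI). All scenario inputs below are assumed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One loss scenario for a critical business process."""
    name: str
    threat_frequency: float   # expected attack attempts per year
    vulnerability: float      # probability that an attempt succeeds (0..1)
    hours_down: float         # outage per successful incident
    revenue_per_hour: float   # lost sales per hour (the retailer's figure)
    cleanup_cost: float       # fixed recovery/clean-up cost per incident


@dataclass(frozen=True)
class Control:
    """A proposed security measure and what it is expected to remove."""
    name: str
    annual_cost: float        # purchase plus running cost, annualised
    risk_reduction: float     # fraction of expected loss it removes (0..1)


def single_loss_expectancy(s: Scenario) -> float:
    """Impact of one successful incident: downtime losses plus clean-up."""
    return s.hours_down * s.revenue_per_hour + s.cleanup_cost


def annual_loss_expectancy(s: Scenario) -> float:
    """Risk per year = threat frequency x vulnerability x impact."""
    successful_incidents = s.threat_frequency * s.vulnerability
    return successful_incidents * single_loss_expectancy(s)


def rosi(s: Scenario, c: Control) -> float:
    """Return on security investment: (loss avoided - cost) / cost.

    Negative means the control costs more than the loss it is expected
    to prevent, which is the board's position in the article until an
    incident changes the numbers.
    """
    if not 0.0 <= c.risk_reduction <= 1.0:
        raise ValueError("risk_reduction must be in [0, 1]")
    if c.annual_cost <= 0:
        raise ValueError("annual_cost must be positive")
    avoided = annual_loss_expectancy(s) * c.risk_reduction
    return (avoided - c.annual_cost) / c.annual_cost


def break_even_incidents(s: Scenario, c: Control) -> float:
    """Successful incidents per year at which the control pays for itself."""
    return c.annual_cost / (single_loss_expectancy(s) * c.risk_reduction)


# Assumed scenario: an online shop losing GBP 10,000 of sales per hour,
# down for 20 hours per incident plus GBP 50,000 of clean-up, so one
# incident costs GBP 250,000 (the article's average breach figure).
WEB_SHOP_OUTAGE = Scenario(
    name="web shop outage after perimeter compromise",
    threat_frequency=4.0,      # four serious attempts a year (assumed)
    vulnerability=0.25,        # one in four succeeds without a firewall
    hours_down=20.0,
    revenue_per_hour=10_000.0,
    cleanup_cost=50_000.0,
)

# Assumed control: the GBP 50,000 firewall, removing 90% of that loss.
FIREWALL = Control(name="perimeter firewall", annual_cost=50_000.0,
                   risk_reduction=0.9)

if __name__ == "__main__":
    s, c = WEB_SHOP_OUTAGE, FIREWALL
    print(f"{s.name}: SLE GBP {single_loss_expectancy(s):,.0f}, "
          f"ALE GBP {annual_loss_expectancy(s):,.0f}")
    print(f"{c.name}: ROSI {rosi(s, c):.2f}, break-even at "
          f"{break_even_incidents(s, c):.2f} successful incidents/year")
```

The break-even figure is the number to put in front of a board that doubts the threat frequency: with these inputs the firewall pays for itself if more than about one successful incident every four and a half years is prevented, which turns the argument from "will we be attacked?" into "do we believe the rate is lower than that?".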
Managers charged with justifying security investments should also bear in mind that some measures can have secondary, tangible benefits for the company, according to Peter Dudley, a former IT director of British Petroleum (BP) who now works as a consultant for security firm Asita. "For example," he says, "if you beef up your email encryption, you may be able to consider doing away with your private virtual circuit for sending intra-company email and use the Internet instead."
By identifying low-cost options for maintaining or improving data security on a day-to-day basis, IT directors may find it easier to convince business-level managers that more expensive proposals for safeguarding corporate data from more exceptional breaches will pay off. But inevitably, they will frequently run up against this conundrum: If security measures are effective, an organisation will never really know what might have happened if it had not implemented those measures.