The economics of security

The nature of the security threat is always evolving – with the hackers always seemingly one step ahead.

But even as the risks escalate, calculating a return on investment for ‘preventative medicine’, such as intrusion detection devices, remains an immense challenge. Yet without it, many CIOs will struggle to justify their security investments.

“A large proportion of the information security investment is basically an insurance investment,” says Meta Group’s Tom Scholtz.

He suggests that IT directors need to control spending without compromising on security, which means that investment must be focused on


The economic case for identity management

Identity management is one of the few security technologies that can generate a clear and unambiguous ROI – if it is done right.

The security benefits are clear. Redundant accounts comprise between 10% and 25% of the average organisation’s logins and passwords. Often, these redundant accounts belong to staff who have long since left – an oversight enabling them to log back in at any time.

The cost savings are equally clear. With logins and passwords often handled on a system-by-system basis, managing each user’s account details for all the systems they need to do is a tedious and expensive administration nightmare.

Furthermore, when end users have to juggle so many accounts, it is little wonder that passwords are so frequently forgotten and so many $50 calls to the help-desk have to be made.

But Tom Scholtz of the Meta Group warns that identity management is still too new a concept for solid ROI metrics – and claims – to be uncritically accepted. Furthermore, organisations should not underestimate the implementation work involved.



specific threats and weaknesses as well as simply guarding certain systems according to their value to the organisation.

Some costs are all too obvious. For example, if a distributed denial of service (DDoS) attack brings down a mission critical application it will cost a company an average of $100,000 per hour, according to a survey conducted by Forrester Research.

However, the same survey also found that two-thirds of CIOs were unable to determine such basic costs to their business, indicating that many IT departments will struggle to provide the more detailed figures required to justify big-ticket security investments.

At the same time, some security technologies, most notably identity management systems, can both cut costs and improve security (see box).

Rising costs

Yet in the immediate future, organisations will spend more and more on security, according to analysts. Research by analysts Meta Group indicates that the security budget averages about 4% of total IT spending among so-called Global 2000 companies, rising to between 5% and 8% by 2006.

Security spending, of course, depends on the requirements of the business it serves and on the data and services that need protection. It involves trade-offs between risks and costs and the understanding that no useable system can be 100% secure.

An expensive iris-scanning system, for example, is over-the-top for call centre employees who are never given access to sensitive information. Similarly, no bank would ever install a security system for a cash machine, however good, if it rejected 1-in-100 legitimate customers.

But passwords – still the main access control system – are increasingly viewed as inadequate for all but the most basic level of security. “Ultimately, it still comes down to how much risk you are prepared to accept and still stay in business,” says Burton Group analyst Gerry Gebel.

Similarly, total cost of ownership (TCO) is hard to pin down because security systems intersect with almost every aspect of IT.

To best target spending – and therefore to control costs – Scholtz says organisations need to first identify all these various activities and build them into a broad, business process-based model. Then, they can identify how their security investments have been apportioned and whether certain systems are over- or under-invested.

Compliance imperative

Burton Group’s Gebel sees compliance as an increasingly significant imperative on security investments. In the US, at least, financial regulations are increasingly carrying heavy penalties which are all too quantifiable.

“I’m seeing compliance issues being as much a driver as increased efficiencies,” he says. “There’s a shift in the marketplace – legal and regulatory requirements could trump the traditional ROI model.”

Compliance with customer or partner requirements is also a growing consideration within major companies such as Airbus and Deutsche Bank conducting rigorous audits of partners to ensure that their security comes up to standard.

Airbus, for example, does not want trade secrets leaking out to its rivals via the lackadaisical security of its vast network of business partners and suppliers. For Airbus, the cost of such vigilance is worth it compared to the immense value of its intellectual property.

At the same time, automating or outsourcing many elements of security management, such as monitoring firewall and intrusion detection devices, may also be enticing both in terms of cost and simply off-loading a time-consuming task – if it is done properly.

But Gebel is equally keen to play down the common vendor claim that IT departments can cut staff costs by automating security management; the benefits are less direct than that. “Not that many IT departments have extra people on the payroll these days,” he says.

“But they can do more with the staff they have. There are a lot of overburdened people out there and with the proper tools they can reduce the backlog and reassign more interesting tasks.”

Even in security, CIOs are being asked to do more with less.

Avatar photo

Ben Rossi

Ben was Vitesse Media's editorial director, leading content creation and editorial strategy across all Vitesse products, including its market-leading B2B and consumer magazines, websites, research and...

Related Topics