The nature of the security threat is always evolving – with the hackers always seemingly one step ahead.
But even as the risks escalate, calculating a return on investment for ‘preventative medicine’, such as intrusion detection devices, remains an immense challenge. Yet without it, many CIOs will struggle to justify their security investments.
“A large proportion of the information security investment is basically an insurance investment,” says Meta Group’s Tom Scholtz.
He suggests that IT directors need to control spending without compromising on security, which means that investment must be focused on specific threats and weaknesses as well as simply guarding certain systems according to their value to the organisation.
Some costs are all too obvious. For example, if a distributed denial of service (DDoS) attack brings down a mission critical application it will cost a company an average of $100,000 per hour, according to a survey conducted by Forrester Research.
However, the same survey also found that two-thirds of CIOs were unable to determine such basic costs to their business, indicating that many IT departments will struggle to provide the more detailed figures required to justify big-ticket security investments.
At the same time, some security technologies, most notably identity management systems, can both cut costs and improve security (see box).
Yet in the immediate future, organisations will spend more and more on security, according to analysts. Research by analyst firm Meta Group indicates that the security budget averages about 4% of total IT spending among so-called Global 2000 companies, rising to between 5% and 8% by 2006.
Security spending, of course, depends on the requirements of the business it serves and on the data and services that need protection. It involves trade-offs between risks and costs and the understanding that no useable system can be 100% secure.
An expensive iris-scanning system, for example, is over-the-top for call centre employees who are never given access to sensitive information. Similarly, no bank would ever install a security system for a cash machine, however good, if it rejected 1-in-100 legitimate customers.
But passwords – still the main access control system – are increasingly viewed as inadequate for all but the most basic level of security. “Ultimately, it still comes down to how much risk you are prepared to accept and still stay in business,” says Burton Group analyst Gerry Gebel.
Similarly, total cost of ownership (TCO) is hard to pin down because security systems intersect with almost every aspect of IT.
To best target spending – and therefore to control costs – Scholtz says organisations need to first identify all these various activities and build them into a broad, business process-based model. Then, they can identify how their security investments have been apportioned and whether certain systems are over- or under-invested.
Burton Group’s Gebel sees compliance as an increasingly significant driver of security investments. In the US, at least, financial regulations increasingly carry heavy penalties, which are all too quantifiable.
“I’m seeing compliance issues being as much a driver as increased efficiencies,” he says. “There’s a shift in the marketplace – legal and regulatory requirements could trump the traditional ROI model.”
Compliance with customer or partner requirements is also a growing consideration, with major companies such as Airbus and Deutsche Bank conducting rigorous audits of partners to ensure that their security comes up to standard.
Airbus, for example, does not want trade secrets leaking out to its rivals via the lackadaisical security of its vast network of business partners and suppliers. For Airbus, the cost of such vigilance is worth it compared to the immense value of its intellectual property.
At the same time, automating or outsourcing many elements of security management, such as monitoring firewall and intrusion detection devices, may also be enticing both in terms of cost and simply off-loading a time-consuming task – if it is done properly.
But Gebel is equally keen to play down the common vendor claim that IT departments can cut staff costs by automating security management; the benefits are less direct than that. “Not that many IT departments have extra people on the payroll these days,” he says.
“But they can do more with the staff they have. There are a lot of overburdened people out there and with the proper tools they can reduce the backlog and reassign more interesting tasks.”
Even in security, CIOs are being asked to do more with less.