Securing An Advantage

CIOs and IT executives are finding new ways to justify security investments. Some experts are now saying that building a reputation as protector of data security, even after an embarrassing public headline, can deepen customer loyalty, build business value, and improve a company's stock price.

December 1, 2005


The news bulletin is all too familiar: "Large, well-known financial institution announces security breach; millions of customers' data feared lost." This reality has sparked a fire under many a CIO to propose additional spending on security technologies to avoid becoming the next victim.

But scare tactics to increase the security budget may do little more than elicit a "show me the money" response from top management. Traditional ROI metrics are still difficult to prove, especially to executives who focus on the business value of better security strategies.

In light of this, CIOs and IT executives are finding new ways to justify security investments. Some experts are now saying that building a reputation as protector of data security—even after an embarrassing public headline—can deepen customer loyalty, build business value, and improve a company's stock price. Other analysts recommend positioning security as a business enabler, boosting productivity for remote workers and securing portals to let enterprises work with suppliers and partners in real time.

Proactively prioritizing IT security can pay off in several ways, observes Larry Ponemon, chairman and founder of the Ponemon Institute. "Our research shows that companies with superior information security and privacy practices reap market benefits," he says. The Institute works with Fortune 500 companies to address data protection, risk management, and security requirements for IT organizations. As businesses build a reputation for prioritizing security, they benefit from higher trust levels among customers, increased loyalty, and decreased customer turnover or churn rates, Ponemon says.

In a recent study, Ponemon's organization found that companies with superior data-protection practices earn a 2.5% higher participation (opt-in) rate and a 0.32% higher conversion (click-through) rate in online marketing promotions. While these percentage increases may seem small, they can translate into substantial profitability gains for a company building a business online, Ponemon says. Additionally, as companies adopt superior data protection, they can obviously reduce business-process and IT costs because of fewer data breaches and increased data accuracy of business or customer information.

Hugh Thompson, chief security strategist at Security Innovation and adjunct professor at the Florida Institute of Technology, has made similar findings. "We see the emergence of security as a positive value proposition," he says. "Companies that have invested in their security-response process—the ability to react quickly to breaches—are not damaged [after the breach] in terms of public perception." On the contrary, their stock price actually rises, he says.

However, most executives continue to view security mainly in terms of costs, not added value. "People think of security as a necessary evil of doing business, almost like an insurance policy," Thompson says. "If I'm a CIO and spend $2 million on security and there was no [negative] security event this year, does that tell me anything? Management may think the $2 million wasn't well-spent—there's no empirical evidence" to prove the point.

Focusing on security as an insurance policy is indeed the wrong approach, says Richard Levine, senior manager at Accenture. Instead, he argues, companies should position security as a business enabler, creating potential bottom-line revenue opportunities. For example, worker productivity is improved through remote access, Levine says, because salaried workers are increasingly connecting during evenings and weekends. Working remotely also tends to bolster employee satisfaction and lower employee attrition rates at the end of the year, he says. That's why remote-access security is important.

In addition, the notion of real-time business is directly attributable to enhanced security. For example, Levine says, "having a more secure portal infrastructure allows enterprises to complete just-in-time shipping relationships with partners. Positioning security investments as a business case to increase revenue and profits will resonate much better" with senior management.

While CIOs must continue to invest in innovative technologies for security prevention—including firewall and perimeter protection, improvements in application development, authentication solutions, and dashboards for senior management—they also must view security as a fundamental business matter.

The thorny issue is how to quantify the ROI of data security. Some analysts think it's futile to try. "Don't even bother to get out your calculator," says Fred Cohen, senior analyst at the Burton Group. Cohen compares justifying the value of IT security investments with attempting to determine the value of a college education—too many outside factors influence possible outcomes. "Without the benefits of repeatable experiments, measuring security benefits is problematic," Cohen says.

But Ponemon says his Institute has come up with a way to compute an information-security ROI. The formula is based on what he claims are quantifiable variables: the probability of a security breach; the economic impact of a breach on market reputation; customer and employee reactions, including employee turnover; litigation or regulatory actions; and stock price.

Ponemon completed 15 studies, including interviews with CIOs, CEOs, and corporate boards, in an attempt to define the economic value proposition for information security, data protection, and privacy. "Utilizing direct, indirect, and opportunity-cost components, our computational method typically shows an ROI that is very substantial," he says. Deploying security technologies under proper management and leadership, companies can achieve an average return of 112% of original investments.

While implementing technologies for a guaranteed return on security investments may be debatable, one tool CIOs could prioritize in their security efforts is the proper training of employees to help prevent and respond to security lapses. According to Brian McCarthy, chief operating officer (COO) at CompTIA, an IT industry trade association, nearly three-quarters of all breaches are committed because of human error. "The true measure of the value in IT security is not necessarily found in software solutions and technological advances, but rather in the training and certification of having the right person do the right job," McCarthy says.

In CompTIA's third annual benchmark survey of IT security and the workforce, conducted this year, 89% of 500 senior-level IT professionals said their companies had experienced major security breaches that employees should have been able to prevent. "Most companies have an almost maniacal focus on software tools and technologies rather than on the people using them," McCarthy says.

Getting a proper team in place may help CIOs address breaches, but prioritizing security enterprisewide is still an uphill climb for many companies. "Some organizations are starting to realize the importance in not only having a good security team but spreading that awareness across the entire organization," says Khalid Kark, senior analyst at Forrester Research. "Some organizations see IT security strategically but most consider it part of the cost of doing business."

In determining an ROI for security, many companies rely on operational continuity—just staying in business—as the most fundamental way to assess its value. But by developing a proper response to breaches and positioning security as a business enabler, CIOs might go the next step and find a way to leverage security efforts for business advantage.

Have you used IT security to create business value? Tell us how at [email protected].


New federal guidelines ensure more security in online transactions

In October, the Federal Financial Institutions Examination Council issued guidelines to improve security for online banking by requiring additional layers of authentication by the end of 2006. The FFIEC said the industry must reduce fraud, inhibit identity theft, and promote a legal and secure environment for online transactions. Nalneesh Gaur, manager at DiamondCluster International Inc., spoke recently with Optimize senior associate editor Derek Top to explain what the guidelines mean for CIOs and the future of online security.

Q: Why were the guidelines imposed?

A: The FFIEC didn't consider IDs and passwords adequate. It believed that financial institutions should implement multifactor authentication using:

  • What the user knows, such as a password or PIN.

  • Something held by the user, like a token, credit card, passport, or smartcard.

  • A physical characteristic of the user, [as shown by] a fingerprint, a retinal scan, or face recognition.

Q: How should CIOs consider the cost of deployment?

A: Cost continues to be a major concern because multifactor authentication may require additional hardware in the consumer's hands—such as tokens or smartcards—and potentially additional hardware attached to the system itself, such as smartcard and/or biometric readers. Spending should be in relation to the value of the assets protected, overall costs, any regulatory compliance, and the amount of risk the organization is willing to accept.

Q: How should CIOs prepare for future online transactions?

A: Many authentication technologies have been available for some time now. Technologies like token-based, one-time password generators, smartcards, and biometric readers have been in regular use to protect high-value assets. As usage has increased and technology improved, the cost of the hardware has dropped. CIOs should also consider mutual authentication, which enables the customer and the financial institution to authenticate each other.

Emerging threats such as phishing, pharming, and malware can be thwarted when the customer is sure that the Web site accessed definitely belongs to the financial institution. As an example, Bank of America, with a program called SiteKey, is allowing customers to choose an image and phrase to be displayed when they access their online account. Customers ensure their chosen image and phrase are displayed before logging on.
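The interview above describes two of the FFIEC's factors in the abstract: something the user knows (a password) and something the user holds (a one-time password token). The following is an added example, not code from the article, the FFIEC, or any bank or vendor named here. It implements the one-time password algorithms that such tokens use (HOTP, RFC 4226, and its time-based variant TOTP, RFC 6238) with only the Python standard library, and a login check that requires both factors to pass. The user record, salt, password and iteration count are constructed for illustration; the only real data are the published RFC test vectors, so the output can be checked against them.

```python
"""HOTP/TOTP one-time passwords (RFC 4226 / RFC 6238) plus a two-factor
login check: password ("what the user knows") AND token code ("something
held by the user").

Added example, not code from the article or any vendor it names.
Standard library only. The user record, salt, password and PBKDF2
iteration count below are constructed for illustration."""
import hashlib
import hmac
import struct
import time
from typing import Optional

# Shared secret from the RFC 4226 / RFC 6238 test vectors (ASCII "1234567890" x2).
RFC4226_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation on the low nibble of the last byte, then `digits` decimals."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: Optional[int] = None, step: int = 30,
         digits: int = 6) -> str:
    """RFC 6238: HOTP where the counter is floor(unix_time / step)."""
    if at is None:
        at = int(time.time())
    return hotp(secret, at // step, digits)


def hash_password(password: str, salt: bytes) -> bytes:
    # Constructed parameters: PBKDF2-HMAC-SHA256 with a fixed iteration count.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class UserRecord:
    """Constructed server-side record: password hash, token secret and the
    last HOTP counter the server accepted (prevents replay of used codes)."""

    def __init__(self, password: str, token_secret: bytes) -> None:
        self.salt = b"constructed-per-user-salt"  # would be random per user
        self.pw_hash = hash_password(password, self.salt)
        self.token_secret = token_secret
        self.counter = 0


def verify_login(user: UserRecord, password: str, otp: str,
                 lookahead: int = 5) -> bool:
    """Both factors must pass. Both are always evaluated (no short-circuit)
    and compared in constant time, so a failure does not reveal which factor
    was wrong. The OTP is accepted only for a counter in
    (last_accepted, last_accepted + lookahead]: a few token presses without
    a login are tolerated, a previously used code is refused."""
    pw_ok = hmac.compare_digest(hash_password(password, user.salt), user.pw_hash)
    otp_ok = False
    accepted_counter = user.counter
    for c in range(user.counter + 1, user.counter + 1 + lookahead):
        if hmac.compare_digest(hotp(user.token_secret, c), otp):
            otp_ok = True
            accepted_counter = c
    if pw_ok and otp_ok:
        user.counter = accepted_counter  # resynchronise with the token
        return True
    return False


def demo_login() -> tuple:
    """Walk one user through success, replay, bad password and out-of-window
    cases; returns the four results and the final counter."""
    user = UserRecord("correct horse battery", RFC4226_SECRET)
    first = verify_login(user, "correct horse battery", hotp(RFC4226_SECRET, 1))
    replay = verify_login(user, "correct horse battery", hotp(RFC4226_SECRET, 1))
    bad_pw = verify_login(user, "wrong password", hotp(RFC4226_SECRET, 2))
    too_far = verify_login(user, "correct horse battery", hotp(RFC4226_SECRET, 9))
    return first, replay, bad_pw, too_far, user.counter


if __name__ == "__main__":
    for n in range(3):
        print(f"HOTP counter {n}: {hotp(RFC4226_SECRET, n)}")
    print("TOTP at t=59 (8 digits):", totp(RFC4226_SECRET, 59, digits=8))
    print("login demo:", demo_login())
```

A consumer token only ever shows the server the HOTP output, never the secret, which is what makes it a distinct factor from the password; the lookahead window is the usual operational compromise between usability (the token drifts ahead of the server) and the size of the guessing space an attacker gets per attempt.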
