How To

Security and Business: Financial Basics

You need to find and use the right financial metrics to communicate security's value to your company. Here are pros and cons of four: TCO, ROI, EVA and ALE.

By Michael Fitzgerald

Page 2

"ROI is misleading because people don't understand what they're trying to accomplish. Look at the benefit you want first, then the ROI," Hunt says.

Security costs can be vague. "It's not like you can walk into your local shop and say I'd like two pounds of security and a half pound of infosec on top," says Luke McConoughey, managing partner at My CSO Network, a managed security firm in Chandler, Ariz. McConoughey says potential customers frequently ask him what their return on investment will be. He doesn't think ROI numbers work well in security, and he tends to counter with a discussion of their likely losses if they don't invest in security services. Even though he prefers measuring losses, he concedes that unless a firm has recently experienced a breach of some sort, measuring costs becomes an exercise in "throwing darts at a dartboard."

ROI tends to be easiest to calculate after an incident. That's when costs tend to be clear. Otherwise, it's tough to quantify potential losses, says Anthony Hernandez, managing director of the information risk management practice at Smart Business Advisory and Consulting in Devon, Pa. He notes, for instance, that it was difficult to say what companies would get in return for spending on HIPAA compliance. Regulations like Sarbanes-Oxley and the more recent Payment Card Industry (PCI) measures held clearer benefits because firms would be heavily penalized for not proving compliance. In the case of PCI, he's seeing companies receive fines of $25,000 a month. It's also possible to measure what breaches will cost, thanks in part to incidents like those at TJX, which paid $100 million in fines and another $156 million to resolve lawsuits. It would be harder to say whether TJX suffered any intangible costs, like loss of goodwill (sales actually rose in the wake of the breaches).

Note that there's also another measure, ROSI (return on security investment), which works by taking the expected security spending and subtracting any expected annual loss (see ALE, Page 39).

TCO (Total Cost of Ownership)

An alternative to ROI is to figure the total cost of ownership (TCO) for a security investment. The measure just by its nature focuses on a cost, not a potential return, which meshes well with security spending. Kenneth Tyminski, the former CISO at Prudential Financial and now a consultant in Havelock, N.C., says his firm preferred TCO to ROI because it was obvious that for something like antivirus, the firm had to adopt the technology, but was not likely to see a financial return for the investment. So looking at costs made the most sense. Tracking TCO also helps in practical ways, Tyminski notes. "After a couple of years," he says, "the cost of operating a tool or piece of hardware can be a lot higher than just buying new equipment."
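The following is an added worked example, not from the article or from any of the firms it quotes. It models the two ideas in this section with constructed figures: a multi-year TCO for a security tool (acquisition cost plus operating cost that compounds each year), a keep-versus-replace check of the kind Tyminski describes, and, for contrast, how the ROI figure for the same tool swings from negative to positive depending on the guessed avoided loss, which is the "throwing darts" problem raised earlier. The ToolCosts fields, the compounding growth model and the dollar amounts are all assumptions made for the illustration; an existing tool's purchase price is treated as sunk.

```python
"""Multi-year TCO model for a security tool, with a keep-vs-replace check.

Added illustration (not the article's own method). All figures are constructed.
Assumptions: operating cost compounds at a fixed yearly rate; a tool already
in use has its acquisition cost treated as sunk (zero).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ToolCosts:
    name: str
    acquisition: float        # one-time purchase or licence cost
    annual_operating: float   # year-1 operating cost (staff time, support, maintenance)
    operating_growth: float   # yearly growth of operating cost, e.g. 0.20 = 20 %/yr


def operating_cost(tool: ToolCosts, year: int) -> float:
    """Operating cost in a given year (1-based), compounding from year 1."""
    return tool.annual_operating * (1 + tool.operating_growth) ** (year - 1)


def tco(tool: ToolCosts, years: int) -> float:
    """Total cost of ownership over a horizon: acquisition plus every year's operating cost."""
    return tool.acquisition + sum(operating_cost(tool, y) for y in range(1, years + 1))


def keep_vs_replace(old: ToolCosts, new: ToolCosts, horizon: int):
    """First year in which replacing 'old' with 'new' is cheaper on a cumulative basis.

    'old' is assumed already paid for, so its cumulative cost is operating cost only;
    'new' starts with its acquisition cost. Returns None if keeping stays cheaper.
    """
    keep_total = 0.0
    replace_total = new.acquisition
    for year in range(1, horizon + 1):
        keep_total += operating_cost(old, year)
        replace_total += operating_cost(new, year)
        if replace_total <= keep_total:
            return year
    return None


def roi(tool: ToolCosts, years: int, avoided_loss_per_year: float) -> float:
    """Classic ROI: (benefit - cost) / cost, where benefit is the guessed avoided loss."""
    cost = tco(tool, years)
    return (avoided_loss_per_year * years - cost) / cost


def roi_sensitivity(tool: ToolCosts, years: int, loss_estimates) -> dict:
    """ROI for each candidate loss estimate, to show how much the number depends on the guess."""
    return {loss: round(roi(tool, years, loss), 2) for loss in loss_estimates}


# Constructed sample: an ageing tool with fast-growing operating cost vs. a replacement.
LEGACY = ToolCosts("legacy endpoint tool (sunk cost)", acquisition=0.0,
                   annual_operating=60_000.0, operating_growth=0.20)
REPLACEMENT = ToolCosts("replacement endpoint suite", acquisition=120_000.0,
                        annual_operating=30_000.0, operating_growth=0.05)


if __name__ == "__main__":
    years = 3
    print(f"TCO of {REPLACEMENT.name} over {years} years: ${tco(REPLACEMENT, years):,.0f}")
    print("Replacement becomes cheaper than keeping the legacy tool in year:",
          keep_vs_replace(LEGACY, REPLACEMENT, horizon=10))
    # Same tool, same cost: the ROI sign depends entirely on the guessed avoided loss.
    print("ROI by avoided-loss guess:",
          roi_sensitivity(REPLACEMENT, years, [50_000, 100_000, 200_000]))
```

The TCO figure is the same whatever the reader believes about future losses, which is why Tyminski's firm found it the easier number to defend; the ROI line shows the same spend coming out negative with one loss guess and strongly positive with another.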

ALE
