Security and Business: Financial Basics
You need to find and use the right financial metrics to communicate security's value to your company. Here are pros and cons of four: TCO, ROI, EVA and ALE.
By Michael Fitzgerald
But TCO is also not a cut-and-dried measure. While the purchase cost or ongoing contract costs will be clear, figuring out less-obvious spending is harder. How much will it cost to install a product, for instance, or how much time will a systems administrator spend managing it? Still, working out these numbers can help illustrate how much it costs to roll out a technology, which is often more expensive than buying the technology itself.
For Tyminski, TCO helped him justify buying a new intrusion prevention system. Using maintenance costs, the salary of a dedicated staff person and the need for frequent and time-intensive upgrades, it became clear that the old system had become too costly to operate. So "we built a business case to say we had to buy a new technology," he says.
William Bell, director of security at EC Suite, an ISP and e-commerce provider in Tempe, Ariz., says he uses TCO measurements in conjunction with expected likely losses (see ALE) to help justify expenses on security. He says that the main challenge with TCO is "it's hard to know what your total cost of ownership is before you make an investment, even if you have an evaluation period."
Bell will measure the time system administrators need to spend with the product, how much time it will take to install or migrate to a software package, what the product itself costs (both up front and for maintenance or support) and how much time its help desk will spend doing hand-holding.
While it's imprecise, he says that if he can give management a good sense of how much a security issue costs the firm and how much it will spend to solve the problem, that's usually enough data to make a good decision for the firm.
Thomas Browning, vice president of compliance and CSO at Allied Barton Security Services, says he uses TCO to make decisions on things like whether to buy or lease cars for security services provided to places like malls, and also for whether to buy weapons or have the client pay for weapons on contracts that require them.
"If I need to outsource a service, say, a database for a compliance initiative I'm working on, I have to ask myself, OK, is it cost-efficient to contract out or should I just go out and purchase?" he says.
Marc Shapiro, senior vice president of Group 4 Securicor, the parent company of Wackenhut, says the firm is seeing more CSOs look for metrics, primarily TCO. "They're more cognizant of the fact that they're under scrutiny, and they can't just arbitrarily spend the money."
ALE