Toolbox: Security ROI Calculators

Feeling their customers' pain, providers of information security software, hardware and services, from the simple to the extremely complex, are creating return on investment calculators.

By Derek Slater

April 01, 2003 — CSO — So many products, so little budget. That's the common refrain in today's tight economic conditions, in security and every other area of corporate spending.

Vendors to the rescue: Feeling their customers' pain, providers of information security software, hardware and services, from the simple to the extremely complex, are creating "return on investment calculators." That's a fancy designation for a spreadsheet that helps identify hard money payback for buying a given product.

Palisade Systems' PacketHound is a network management appliance that allows users to measure and (if desired) limit or block particular types of network traffic. So its ROI calculator helps identify the costs associated with "bandwidth-hogging applications" such as Napster-like music-swapping services. This is one of the simplest return on investment toolsit bases its results on just three variables. Jump on the website (www.palisadesys.com), plug in your connection speed (T1 for example), approximate cost bandwidth and percentage of bandwidth that's being eaten up by such applications (which you can estimate using a free tool called PacketPup). Push the button and up pops your putative savings for freeing up bandwidth with PacketHound.

At the same time, Palisade's materials prod CSOs and network managers to consider additional costs not covered by the ROI tool: liability, lost productivity and security exposures.

Another simple example of an ROI calculator promotes Kensington's MicroSaver cables for locking up laptops and desktop PCs, based on the cost of hardware theft or loss. Find the details at www.microsaver.com.

Radware's FireProof multifunction hardware device is a slightly more complex product, with a more elaborate ROI calculator to match. FireProof incorporates intrusion detection, denial-of-service protection, mail filtering and other security functions. The online ROI tool is accordingly broken into several different segments, including the costs of downtime, intrusion detection system deployment and application security. The URL is www.radware.com.

Lumeta offers a sophisticated ROI aid for its Discovery Suite network management tool at www.lumeta.com. Lumeta's software helps big companies with asset discovery and management; the calculator identifies eight areas for possible payback, including reduced risk of infosecurity breaches, server consolidation and reduced downtime.

And at the very high end of the complexity spectrum, there's the identity management study (and resulting total cost of ownership and ROI tools) from Gartner, commissioned by a set of identity and access management (IAM) vendors. IAM systems are an expensive enterprise selland helping corporate management realize that up front actually helps set realistic payback expectations. "I think the study opens management's eyes in two areas. One, the magnitude of opportunity for improvement, and then also that the cost of implementation is greater than they anticipate," says Norm Barber, managing director of ID management practice at Protiviti, one of the study's sponsors (www.protiviti.com). Full deployment can extend to two or three years for big IAM projects, Barber says, but the payback can begin within the first year.