Valuing Your Security and Compliance Investment

Security has traditionally been viewed as a drag on an organization, a cost with no real benefit. Lately, this view is being turned upside down by the disturbingly frequent incidents of data misuse and data theft being reported. Whereas in the past an organization could have weak controls around its data and, in case of a breach, suffer quietly, this is no longer acceptable. Organizations need policies and safeguards to assure compliance, turn policy into practice, reduce the number of harmful incidents, and increase the likelihood that an incident will be detected.

This implies a need to invest in security and compliance, both in people and technology. The issue remains, however, of understanding the benefit that accrues.

First, a look at the downside

Database intrusions and data thefts have been making headlines more and more lately. The now infamous TJX data breach occurred over a period of several years but was just brought to light at the beginning of this year. It has been tagged as the largest data theft to date.

Another Massachusetts-based company, BJ’s Wholesale Club, suffered severe ramifications as a result of data thefts that occurred in 2005. A Federal Trade Commission (FTC) investigation found that the company did not adequately protect the personal information of its members, which resulted in tens of thousands of credit card numbers being stolen by hackers.

Citigroup, DSW Shoe Warehouse, Bank of America, Time Warner, Lexis Nexis, Ameritrade, and many others have gone through similar ordeals and suffered similar consequences.

The costs of doing nothing can be high

In addition to the specific incidents mentioned above, consider some other data points that can quickly add up:

• Costs to companies responding to data breaches can include disclosure/notification costs, customer satisfaction costs (e.g., offering free credit reporting services for a year), public relations expenses, settlement expenses (e.g., with the FTC), legal expenses, fines, increased fraud/security staffing, fraud loss and prevention, IT audits (e.g., FTC-mandated or proactively identifying vulnerabilities requiring remediation), new technology, and associated staffing

• There is no single number that captures aggregate costs across all incidents, especially since the incidents can vary dramatically:

o Laptop theft

o Backup tape loss

o Physical server theft

o General email phishing attacks

• The per-person cost of offering free credit reports to affected individuals for a year is estimated to be $80-$100 and above, even in volume; for an incident such as Fidelity’s laptop loss, that alone represents around $15-$20 million

• Reissuing credit cards to affected consumers can cost the issuer about $10 per card

• FTC settlements may include fines to the tune of several million dollars and requirements to implement stronger data security controls and submit to external IT audits for periods of up to 20 years, or even other requirements such as creating trust funds

Thus, technology security solutions can provide much more than just data protection. They can also prevent loss or exposure of sensitive data and deliver tangible returns on corporate budgets. In addition to direct cost savings, companies need to look for solutions that can mitigate risk, protect their corporate brand and preserve market value.

But how do you realize what you pay for when it comes to a security investment?

One answer is easy. Avoiding one serious security incident will immediately justify what you paid for your security solutions – whether it be $2,000 or $2 million. This point has been eloquently demonstrated at some of the companies named above.

The real question then becomes, “How do I maximize the benefits of what I have invested in?”

Justifying the cost of technology

Technology plays a key role in meeting the various requirements – indeed, some elements of a strong data protection regime are simply not possible without technology (e.g., detecting out-of-policy activity). Here are some of the ways in which deploying technology can have knock-on effects in reducing other costs:

• Reducing manual effort: automated systems can perform many of the activities otherwise performed (or at least attempted) by humans. To use an example from the database world, database auditing systems can capture user activity, test it against policy, identify suspicious activity, alert the responsible investigative team, and create and distribute reports.

• Redeploying precious personnel: many IT organizations are operating with a staff load insufficient to carry out their organizational goals, and managers are loath to use these highly skilled resources on “overhead” tasks rather than activities that support the growth of the business.

• Reducing audit costs: auditors generally subject automated controls to fewer tests than manual controls.

• Reducing risk and exposure: manual controls are subject to the vagaries of all human activity: they are error-prone, relatively slow, and subject to “social engineering.”

• Faster forensics and investigations: when auditors, regulators, and investigators ask for reports and accounts of what happened, automated systems dramatically reduce the time to consolidate, cull, and present the relevant information.

• Better litigation posture (both defensive and offensive): according to litigators with whom I have spoken, it is powerful for them to present security-related information gathered and synthesized by automated systems that are in place as part of the normal operation of the business.

• Integrating best practice into standard business operations: this has formed part of the basis for the FTC rulings regarding poor data protection.
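To make the database auditing example above concrete, here is an added illustration of the capture, policy test, alert and report steps in working code. It is not Lumigent’s product or any code from this article; the table names, service accounts, thresholds, business-hours window and the pipe-delimited audit lines are all constructed assumptions chosen for the example.

```python
"""Added example: a minimal database-activity auditing pipeline.
Captured audit records are tested against policy rules, suspicious
activity is flagged, alerts are formatted for the investigative team,
and a summary report is built for auditors. Every name, threshold and
log line below is constructed for illustration (an assumption)."""

from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from typing import Callable, Optional


@dataclass(frozen=True)
class AuditRecord:
    ts: datetime
    user: str
    client_ip: str
    statement: str   # SELECT, UPDATE, DELETE or DDL
    table: str
    rows: int


@dataclass(frozen=True)
class Alert:
    rule: str
    severity: str
    record: AuditRecord


# Constructed policy (assumptions, not from the article).
SENSITIVE_TABLES = {"cardholder", "members"}   # tables holding regulated data
SERVICE_ACCOUNTS = {"app_svc", "etl_svc"}      # accounts expected to touch them in bulk
BULK_ROW_THRESHOLD = 1000                       # rows returned that count as "bulk"
BUSINESS_HOURS = range(7, 20)                   # 07:00 to 19:59 local time


def parse_line(line: str) -> AuditRecord:
    """Parse one pipe-delimited audit line (constructed format)."""
    ts, user, ip, stmt, table, rows = line.strip().split("|")
    return AuditRecord(datetime.fromisoformat(ts), user, ip, stmt, table, int(rows))


def rule_bulk_sensitive_read(rec: AuditRecord) -> Optional[Alert]:
    """Large reads of sensitive tables by interactive (non-service) users."""
    if (rec.table in SENSITIVE_TABLES and rec.statement == "SELECT"
            and rec.rows >= BULK_ROW_THRESHOLD and rec.user not in SERVICE_ACCOUNTS):
        return Alert("bulk-sensitive-read", "high", rec)
    return None


def rule_after_hours_sensitive(rec: AuditRecord) -> Optional[Alert]:
    """Any interactive access to sensitive tables outside business hours."""
    if (rec.table in SENSITIVE_TABLES and rec.ts.hour not in BUSINESS_HOURS
            and rec.user not in SERVICE_ACCOUNTS):
        return Alert("after-hours-sensitive-access", "medium", rec)
    return None


def rule_ddl_by_service_account(rec: AuditRecord) -> Optional[Alert]:
    """Schema changes issued through an application or service identity."""
    if rec.statement == "DDL" and rec.user in SERVICE_ACCOUNTS:
        return Alert("ddl-by-service-account", "high", rec)
    return None


RULES: list[Callable[[AuditRecord], Optional[Alert]]] = [
    rule_bulk_sensitive_read, rule_after_hours_sensitive, rule_ddl_by_service_account]


def evaluate(records) -> list[Alert]:
    """Test every captured record against every policy rule."""
    return [a for rec in records for rule in RULES if (a := rule(rec)) is not None]


def format_alert(alert: Alert) -> str:
    """Text for the investigative team's notification."""
    r = alert.record
    return (f"[{alert.severity.upper()}] {alert.rule}: {r.user}@{r.client_ip} "
            f"{r.statement} {r.table} ({r.rows} rows) at {r.ts.isoformat()}")


def build_report(alerts) -> dict:
    """Summary suitable for auditors: counts by rule, user and severity."""
    return {
        "total": len(alerts),
        "by_rule": dict(Counter(a.rule for a in alerts)),
        "by_user": dict(Counter(a.record.user for a in alerts)),
        "by_severity": dict(Counter(a.severity for a in alerts)),
    }


# Constructed sample audit trail (not real data).
SAMPLE_LOG = """\
2007-03-12T09:15:00|app_svc|10.1.1.5|SELECT|cardholder|25000
2007-03-12T02:14:05|dba_jane|10.0.0.7|SELECT|cardholder|48000
2007-03-12T14:30:00|analyst_bob|10.0.0.9|SELECT|orders|120000
2007-03-12T11:05:00|app_svc|10.1.1.5|DDL|members|0
2007-03-12T23:40:00|etl_svc|10.1.1.6|UPDATE|members|500
2007-03-12T10:00:00|support_amy|10.0.0.20|SELECT|members|3
"""


def run_pipeline(log_text: str = SAMPLE_LOG) -> dict:
    """Capture -> evaluate -> alert -> report, over one audit log text."""
    records = [parse_line(line) for line in log_text.splitlines() if line.strip()]
    alerts = evaluate(records)
    return {"alerts": [format_alert(a) for a in alerts], "report": build_report(alerts)}


if __name__ == "__main__":
    result = run_pipeline()
    print("\n".join(result["alerts"]))
    print(result["report"])
```

On the constructed log the service account’s bulk read during business hours passes, the DBA’s 48,000-row read of the cardholder table at 02:14 raises two alerts (bulk read and after-hours access), and the DDL issued under the application identity raises a third; the report groups them by rule, user and severity, which is the shape of output auditors and investigators ask for. Each rule is a separate function so that policy can be extended or tightened without touching the capture or reporting code.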

Real world justification

Security investments are notoriously difficult to justify using traditional means, as they do not typically have a measurable effect on the revenue side. But we can offer the following data.

Lumigent conducted a survey with several major enterprises, including financial services organizations, that detailed the financial justifications of their IT security deployments. The survey revealed that a comprehensive database auditing, compliance and security solution provides tangible cost savings that more than offset the investment. The organizations in this study achieved an average ROI of 103 percent, an IRR of 69 percent, and a payback period of less than 11 months from their deployments.

In addition to the direct cost savings, the companies indicated they also gained major benefits to their organizations in the areas of risk mitigation, brand protection, and preservation of market value.

So, whether you subscribe to the view that avoiding one major security incident pays for an IT investment or that ROI comes from tangible cost savings in other areas of operation, it is evident that, in today’s data-sensitive climate, automation of stronger data protection practices has gone from a “nice to have” to an essential activity.

Dr. Murray Mazer is Co-Founder and Vice-President of Lumigent, a leading software company specializing in database auditing for compliance, security, and risk management. Murray works with Lumigent’s most strategic partners and customers. Murray contributes thought leadership on compliance and best practices to the IT compliance and security communities through presentations, articles, interviews, and other activities. A former Rotary International Scholar and reformed thespian, Murray received the Ph.D. in computer science from the database group at the University of Toronto, where he was elected Junior Fellow at Massey College and Trinity College.

Copyright © 2007 IDG Communications, Inc.
