Security and Business: Financial Basics

Financial metrics have bedeviled CSOs from the start. How do you justify spending on something that isn’t designed to increase the bottom line? The fear factor exists, and yet explaining why bulletproof glass is worth more than Plexiglas still requires numbers. With a recession hovering over the United States like some black helicopter, there will be still more pressure to measure what security spending brings to a company. One big challenge is that the data rarely is simple to pull together. And even though there are now tools like Agiliance, which makes an ROI calculator for information security expenditures, the devil is still in the data.

Here are four well-known metrics and measurement components that, if used properly, can help put the impact of security spending in the financial perspective companies need.

ROI (Return on Investment)

It’s a classic business expectation that if you invest money in something, you can measure the return on your investment by its impact on the bottom line. But understanding the value of security spending presents challenges, since the tension that exists in most branches of IT is that investment does not usually lead directly to profits.

For security spending, the problem is bigger: If investing in security works, nothing happens. But what if nothing would have happened anyway?

“[The trouble with] trying to calculate ROI on security tools is that they destroy the proof of their effectiveness simply by doing their job,” says Ross Leo, CEO of Alliance Group Research, a security consultancy.

So ROI has become a somewhat loose measure of how long it will take to recoup the cost of investing in security. It is not a perfect measure, which may be why its usage appears to be dropping.

Some 42 percent of organizations polled in the 2007 Computer Security Institute Computer Crime and Security Survey said they used ROI to measure their information security investments. That was up from 39 percent the year before, but well below the 55 percent who reported using it in 2004. Other common measures: 21 percent of respondents said they used internal rate of return measures, and 19 percent used net present value.

ROI can be straightforward for some aspects of physical security. Craig Chambers, CEO of Cernium, which makes software that analyzes videotape, says at a minimum, his firm’s tools mean companies can hire fewer security guards, creating obvious savings on salary and benefits.

But it’s rarely so straightforward to calculate savings. Some of the problems with using ROI:

Strict adherence to ROI may cause companies to pick the wrong technology to save money. For instance, a firm might find that inexpensive surveillance cameras are not as effective as ones that include built-in analytical tools, but a strict focus on ROI will seem to show a better payback for an inferior product, says Steve Hunt, a security consultant in Evanston, Ill.

“ROI is misleading because people don’t understand what they’re trying to accomplish. Look at the benefit you want first, then the ROI,” Hunt says.

Security costs can be vague. “It’s not like you can walk into your local shop and say I’d like two pounds of security and a half pound of infosec on top,” says Luke McConoughey, managing partner at My CSO Network, a managed security firm in Chandler, Ariz. McConoughey says potential customers frequently ask him what their return on investment will be. He doesn’t think ROI numbers work well in security, and he tends to counter with a discussion of their likely losses if they don’t invest in security services. Even though he prefers measuring losses, he concedes that unless a firm has recently experienced a breach of some sort, measuring costs becomes an exercise in “throwing darts at a dartboard.”

ROI tends to be easiest to calculate after an incident. That’s when costs tend to be clear. Otherwise, it’s tough to quantify the potential around losses, says Anthony Hernandez, managing director of the information risk management practice at Smart business advisory and consulting in Devon, Pa. He notes, for instance, that it was difficult to say what companies would get in return for spending on HIPAA compliance. Regulations like Sarbanes-Oxley and the more recent Payment Card Industry (PCI) measures held clearer benefits because firms would be heavily penalized for not proving compliance. In the case of PCI, he’s seeing companies receive fines of $25,000 a month. It’s also possible to measure what breaches will cost, thanks in part to incidents like those at TJX, which paid $100 million in fines and another $156 million to resolve lawsuits. It would be harder to say whether TJX suffered any intangible costs, like loss of goodwill (sales actually rose in the wake of the breaches).

Note that there’s also another measure, ROSI (return on security investment), which works by taking the expected security spending and subtracting any expected annual loss (see ALE, Page 39).

TCO (Total Cost of Ownership)

An alternative to ROI is to figure the total cost of ownership (TCO) for a security investment. The measure just by its nature focuses on a cost, not a potential return, which meshes well with security spending. Kenneth Tyminski, the former CISO at Prudential Financial and now a consultant in Havelock, N.C., says his firm preferred TCO to ROI because it was obvious that for something like antivirus, the firm had to adopt the technology, but was not likely to see a financial return

for the investment. So looking at costs

made the most sense. Tracking TCO also helps in practical ways, Tyminski notes. “After a couple of years,” he says, “the cost of operating a tool or piece of hardware can be a lot higher than just buying new equipment.”

But TCO is also not a cut-and-dry measure. While the purchase cost or ongoing contract costs will be clear, figuring out less-obvious spending is harder. How much will it cost to install a product, for instance, or how much time will a systems administrator spend managing it? Still, working out these numbers can help illustrate how much it costs to roll out a technology, which is often more expensive than buying the technology itself.

For Tyminski, TCO helped him justify buying a new intrusion prevention system. Using maintenance costs, the salary of a dedicated staff person and the need for frequent and time-intensive upgrades, it became clear that the old system had become too costly to operate. So “we built a business case to say we had to buy a new technology,” he says.

William Bell, director of security at EC Suite, an ISP and e-commerce provider in Tempe, Ariz., says he uses TCO measurements in conjunction with expected likely losses (see ALE, Page 39) to help justify expenses on security. He says that the main challenge with TCO is “it’s hard to know what your total cost of ownership is before you make an investment, even if you have an evaluation period.”

Bell will measure the time system administrators need to spend with the product, how much time it will take to install or migrate to a software package, what the product itself costs (both up front and for maintenance or support) and how much time its help desk will spend doing hand-holding.

While it’s imprecise, he says that if he can give management a good sense of how much a security issue costs the firm and how much it will spend to solve the problem, that’s usually enough data to make a good decision for the firm.

Thomas Browning, vice president of compliance and CSO at Allied Barton Security Services, says he uses TCO to make decisions on things like whether to buy or lease cars for security services provided to places like malls, and also for whether to buy weapons or have the client pay for weapons on contracts that require them.

“If I need to outsource a service, say, a database for a compliance initiative I’m working on, I have to ask myself, OK, is it cost-efficient to contract out or should I just go out and purchase?” he says.

Marc Shapiro, senior vice president of Group 4 Securicor, the parent company of Wackenhut, says the firm is seeing more CSOs look for metrics, primarily TCO. “They’re more cognizant of the fact that they’re under scrutiny, and they can’t just arbitrarily spend the money.”

He says that measuring TCO can help firms realize just what they’re spending, and for what. Ideally, he likes to contrast those with the potential losses, but even in the physical security world, annualized loss estimates “are difficult to get,” he says.  EVA (Economic Value Added)

The best-known version of EVA was developed and trademarked by Stern Stewart and offers a way to measure financial performance for business units. It was not developed for information security. In fact, it’s meant to be a metric that shows financial return, which may be why it was the least known of the financial metrics tools in this round-up. Still, it has applications in IT, in particular as a way to examine whether a company got whatever financial returns it expected out of an investment in security.

“I’ve seen EVA in very limited exposure in infosec,” says McConoughey, noting EVA usually appears in support of purchasing a security service.

To use an EVA in a practical way, one should take numbers used to generate things like total cost of ownership, ROI and the annualized loss expectancy, and compare them to actual costs, looking at factors like what it would cost to implement and support them.

Alliance Group Research’s Leo prefers using EVA to something like ROI. In part, that’s because firewalls and locks don’t really appreciate in value after they’re purchasedthey aren’t those kinds of assets. Using EVA can help quantify whether security spending increases the value of a company by measuring what it’s worth for a company to avoid things like security breaches. The latest CSI survey showed that the average security breach costs a company more than $350,000, which is more than double 2006’s average of $168,000. While these numbers represent averages, they can help to show what costs companies incur for not using security services, giving a sense of the value of

security spending.

There’s also a less proprietary EVA, earned value analysis. That’s from the project management world and is used to look at budgeted cost, actual costs and the value of the work performed. That’s the method used by John Linkous, who is the governance, risk and analysis evangelist at eIQNetworks.

Linkous says that both EVA and annualized loss expectancy (ALE) are more formal measures than either TCO or ROI, which he calls “a little more voodoo science.” He says that the other problem with TCO and ROI is that they are often used to justify decisions, rather than inform them. While an EVA can also be fudged, he says that it’s harder to do.

ALE (Annualized Loss Expectancy)

Just the acronym alone should make this popular. And indeed, for many CSOs, calculating annualized loss expectancy provides a useful measure that can help set spending priorities for security. ALEs, for instance, are a way to measure the likely impact of security spending, drawing on existing data around everything from laptop theft to security breaches. Some organizations use similar measures, such as NIST’s FIPS (Federal Information Processing Standard) 200. The aim is to assess specific assets, then put a number to the risks they attempt to counter.

Jill Knesek, CSO of BT Americas, says she has stopped using ROI and TCO when talking to her CFO. She felt that the numbers were being driven by “Chicken Little’ kind of stuff,” like potential natural disasters, she says. More useful are ALE estimates based on the company’s historical data on incidents and related customer loss, brand damage and potential fines. In fact, BT tracks 20 major risks on an ongoing basis, and Knesek uses these numbers to build a risk matrix and presents that to management, framing the conversation in terms of risk exposure and risk appetite.

Knesek acknowledges that even with ALE and risk matrices, there is still a bit of prophecy to the numbers. But she thinks that overall, it works, and the ability to predict risk gets better with each year of data.

The trouble is that ALEs pale for some types of security. Security consultant Hunt, for instance, warns that “ALEs are just irresponsible, wild guesses in almost every case” when it comes to information security.

Yet even Hunt concedes that for some things, you can figure an ALE. For instance, it’s clear what it costs to replace a laptop or a car, and actuarial tables clearly show what kind of loss to expect from, say, earthquakes. Less helpful is looking at the ALE for a firewall. You know that if you don’t have one, “bad things are going to happen,” says Hunt.

So why bother calculating an ALE? Because ALE, used over time, can show that you’re getting something for your security spending, says Bart Lazar, a partner at the Chicago law firm of Seyfarth Shaw.

EC Suite’s Bell says that for specific risks ALEs works reasonably well, using measures like predicted rate of occurrence for things like attacks and hardware thefts. He looks at the actual cost as well as opportunity costs to build a loss expectancy for a year. Then he uses the cost of that potential loss to say, “If I’m going to put this protection in place, how much am I willing to spend to try to prevent it from happening, or to decrease my rate of occurrences?”

To justify adding a whitelisting application, Bell collected numbers on how often his staff had to deal with cleaning up infected PCs, how much it cost in terms of staff time or even needing to replace machines that were hopelessly infected. Then he boiled it down to “this is how much it’s costing us, and this is how much we’re going to spend to fix it.” In that case, he got approval for the whitelisting application, and says it met its projected return in eight months. ##