Assessing the value of security
Determining the ROI for security expenses requires a combination of horse sense and due diligence
Published: January 27, 2006
Just about any executive has heard or read about a company that suffered some horrific loss—excessive downtime, lost or stolen data—as the result of a security breach. Such stories can be eye-opening, but they don’t provide the kind of hard return-on-investment numbers that companies sorely need to justify security expenditures.
It's something of a Catch-22: You could buy every security technology under the sun, but nobody can guarantee you’ll be 100 percent protected. If you don't spend money on security, who's to say you won't go on unscathed anyway? Yet the consequences of a breach can be dire. Consider CardSystems Solutions, the credit card processing firm that in June suffered a major security breach that ultimately cost it two major clients, Visa USA and American Express. Facing possible bankruptcy, the company was sold late last year.
Regulations such as the Sarbanes-Oxley Act and the Health Insurance Portability and Accountability Act (HIPAA) are forcing the hand of some organizations to reassess their security needs. Beyond that, experts and users agree that determining the appropriate level of security in any organization requires a largely commonsense risk assessment to determine which assets are most valuable, and then spending accordingly to protect them.
Assessing risk
"You've got to look at what kind of business you are, what kind of information you collect on your computers, and then make the determination from there," says Eric Ottaway, chief operating officer at Brooklyn Brewery in Brooklyn, New York. The most sensitive data his company has is payroll information, which is outsourced to a payroll processing firm, "so we don’t have a lot of super-sensitive data around," he says.
Neil Rosenberg, a Certified Information Systems Security Professional (CISSP) and president and CEO of Quality Technology Solutions, a Microsoft Gold Certified partner in Morris Plains, New Jersey, urges companies to "look at what the impact would be from loss of data, or the inability to process data." Rosenberg recalls one customer that had no patch management methodology and got hit with a worm that infected 300 computers. "It took the whole IT department five business days to clean out the worm," he says. "That’s pretty translatable to a hard cost."
Microsoft has some free tools that can help in the security and risk assessment process, according to Mike Nash, corporate vice president of Microsoft’s Security Technology Unit. The Security Assessment Tool can help companies with fewer than 1,000 employees identify processes, resources and technologies to promote good security planning and risk mitigation practices. Additionally, Microsoft’s Security Risk Management Guide explains how to conduct each phase of a risk management project, including determining the acceptable level of risk for your organization.
Companies will have to reassess their risk level with varying frequency, with those at highest risk assessing more often. "At the very least, we recommend that organizations conduct a risk assessment once a year," Nash says.
The fundamentals
Most any company will find that a good firewall and antivirus software are essential. Shawn Partridge, director of information services for Cascade Die Casting Group in Grand Rapids, Michigan, says that it costs his company about $2,000 each year to renew its antivirus software. "But if we get a virus, it could be one machine [or] it could be 200, so there’s no way to put a dollar value on it," he says. "It’s a cost of doing business."
Equally fundamental, but often overlooked, is a solid patch management system, Rosenberg says. That means not just software, but also patch management processes that ensure you’re continually addressing vulnerabilities. "You really have a two-week window or less," he says, between the time a vulnerability is discovered and when you need to apply the patch, lest your risk become unacceptably high.
Here again, Microsoft offers some help, including the free Windows Server Update Services patch management tool. Another free tool, the Microsoft Baseline Security Analyzer, helps determine whether an organization’s security state is in line with Microsoft security recommendations, Nash says.
'How much would you pay?'
Beyond such must-haves, companies are finding other ways to make an ROI case for certain security tools. One example is a single product that can replace multiple products, says Andrew Jaquith, a senior analyst with the Yankee Group consultancy in Boston. Web application firewalls from vendors such as F5 Networks and NetContinuum, for example, "not only protect Web servers, they also load balance [and] perform SSL acceleration, cryptographic key management and other sorts of things," Jaquith says. "So it’s pretty straightforward to make the Ronco argument: 'It slices, it dices, it chops. Now, how much would you pay?'"
Another strategy is to define the fair value exchange, Jaquith says. If you buy a product that allows you to displace some number of full-time employees, then you can calculate its value based on the salary and benefits you’re displacing. You only realize the value, however, if you are willing to lay off or reassign the affected IT personnel. Many organizations never take that step, he says, and thus don’t save anything.
Cascade Die Casting, however, did realize a fair value exchange when it installed the Network Engines NS6300 Firewall Appliance, which runs on Microsoft Internet Security and Acceleration (ISA) Server 2004. The NS6300 is proving far easier to manage than the appliance it replaced, saving Cascade about five hours per week in administrator time. "In a two-man shop, that’s significant," especially when they’re supporting 350 users, Partridge says. "We were able to take the time we were spending on managing and maintaining the firewall and use it on R&D for new system advancements."
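The two arguments above, translating an incident into a hard labor cost and counting displaced administrator time as a "fair value exchange", are the standard annualized loss expectancy (ALE) and return on security investment (ROSI) calculations. The following is an added example, not code from the article or from any of the companies it quotes; every dollar figure, staff count and occurrence rate in it is a constructed illustration, not a number the article states.

```python
"""Annualized loss expectancy (ALE) and return on security investment (ROSI).

Added example for the risk-assessment and fair-value-exchange arguments
made in the article. All numeric inputs below are constructed illustrations.
"""
from dataclasses import dataclass


@dataclass
class Risk:
    """One entry in a risk register."""
    name: str
    single_loss_expectancy: float     # SLE: dollar cost of one occurrence
    annual_rate_of_occurrence: float  # ARO: expected occurrences per year

    def ale(self) -> float:
        """ALE = SLE x ARO, the expected yearly loss from this risk."""
        return self.single_loss_expectancy * self.annual_rate_of_occurrence


def cleanup_cost(staff: int, business_days: float, hourly_rate: float,
                 hours_per_day: float = 8.0) -> float:
    """Hard cost of an incident measured purely as staff time, the way the
    article turns a multi-day worm cleanup into a dollar figure."""
    return staff * business_days * hours_per_day * hourly_rate


def prioritize(risks: list) -> list:
    """Order risks by ALE, highest first, so spending follows exposure."""
    return [r.name for r in sorted(risks, key=lambda r: r.ale(), reverse=True)]


def rosi(risk: Risk, control_cost: float, risk_reduction: float) -> float:
    """ROSI = (ALE avoided - annual control cost) / annual control cost.

    risk_reduction is the fraction of the ALE the control is expected to
    remove (0.0 to 1.0). A negative result means the control costs more per
    year than the loss it is expected to prevent.
    """
    if control_cost <= 0:
        raise ValueError("control_cost must be positive")
    if not 0.0 <= risk_reduction <= 1.0:
        raise ValueError("risk_reduction must be between 0 and 1")
    avoided = risk.ale() * risk_reduction
    return (avoided - control_cost) / control_cost


def displaced_labor_value(hours_per_week: float, hourly_rate: float,
                          weeks_per_year: int = 52) -> float:
    """Yearly value of administrator time freed by an easier-to-manage
    product. As the article notes, this is only realized if the freed time
    is actually reassigned to other work."""
    return hours_per_week * hourly_rate * weeks_per_year


if __name__ == "__main__":
    # Constructed scenario: a 4-person IT department, a 5-day cleanup,
    # and a $50/hour loaded labor rate.
    worm_sle = cleanup_cost(staff=4, business_days=5, hourly_rate=50)
    register = [
        Risk("worm outbreak (no patch management)", worm_sle, 0.5),
        Risk("lost laptop with payroll data", 25_000, 0.1),
    ]
    print("priority order:", prioritize(register))
    # Constructed control: $2,000/year on antivirus + patching, assumed
    # to remove 90% of the worm exposure.
    print("ROSI:", rosi(register[0], control_cost=2_000, risk_reduction=0.9))
    print("freed admin time per year: $",
          displaced_labor_value(hours_per_week=5, hourly_rate=40))
```

The point the functions make explicit is the one Jaquith and Nash both raise: a control is justified by the expected loss it removes, not by the number of vulnerabilities it touches, and labor savings count only when the labor is redeployed.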
Improving the infrastructure
Security concerns can help companies make an argument for network infrastructure upgrades, including a move to Microsoft Windows Server 2003, which, says Rosenberg, "is designed to be more secure and easier for IT staffs to maintain a reliable and secure platform."
Nash notes that newer versions of Microsoft software have gone through the company’s Security Development Lifecycle (SDL) process, making them less susceptible to vulnerabilities. Earlier this month, the latest threat to Windows XP, the Windows Metafile (WMF) vulnerability, caused much consternation about the ability to implement security fixes quickly. Nash says that when a vulnerability that threatens customers is found, the Microsoft Security Response Center mobilizes several specially focused teams to investigate the vulnerability and provide protection to customers. Microsoft then determines how it can update the SDL to prevent the error from occurring in the future, and to learn how to protect new products against similar threats. Microsoft’s SDL is a constantly evolving process that is updated every six months.
Jaquith says that vulnerabilities don’t necessarily equate to risks, because some of them have a low likelihood of ever being exploited. So, rather than counting vulnerabilities, he suggests that users would be better served with empirical data that shows, in particular environments, the overall risk profile and how newer software versions reduce the amount of labor spent on patching and cleanup.
Companies can—and should—take their own steps in that direction by keeping close tabs on the effectiveness of all their security efforts, Nash says. "The ability to show improvements and demonstrate the business value of your security investments will help to justify spending and help ensure funding for future security initiatives," he says.
Paul Desmond is a Southborough, Massachusetts-based contributing writer to Momentum, the Microsoft newsletter, magazine and Web site for midsize U.S. businesses.