Business Benefits from Information Protection
Cost-Effectiveness Figures in Move to Outsource Security
BY MICHAEL BRUCK
Special to the Business Journal
When you and your company purchase a piece of equipment, it is usually to do something faster, better, or cheaper.
This increased activity is usually measured in terms of the dollars of revenue the equipment will produce, which in turn will produce a certain profit. How quickly this profit comes as a result of the purchase will or will not justify that equipment. The measurement of return on investment is pretty clear.
How do you do this when you are trying to prevent something from happening? How is ROI measured on insurance policies? How is it measured on information security programs? What is adequate security?
These and similar questions are always asked by the C-level officers, especially the CEO and the CFO. Sometimes management of investments becomes a numbers game.
Without the numbers, the game is not played.
One way for companies to measure ROI on security programs is to analyze how much it will cost to perform and manage various security functions in-house compared with outsourcing. Some of the relevant issues in the area are related to personnel and technology implementation.
Is the expertise in-house? Can the company afford to hire the expert(s) as a full time employee/staff?
- Examine the Costs Of a Security Breach
The other measure, of course, is using opportunity cost as the cost component of justification. At a basic level, companies can lose sales, and revenue can be significantly impacted, with just one security breach. Consider not only the instantaneous revenue loss, but also the loss of your customers' confidence in you and in the security and systems that serve them.
The costs associated with security breaches can add up quickly, according to the research firm Computer Economics. Its estimates for the Code Red Virus costs alone were over $2 billion in downtime and repairs.
Information Week Research reports the cost of security-related downtime to U.S. businesses in the 12 months before Sept. 11, 2001, to be $273 million. Estimated worldwide, this number is an extraordinary $1.39 trillion.
The question at hand then becomes, what is the cost when an intruder hacks a Web site or has access to private and insecure data? Then, there are related costs: the help desk calls when there are problems or emergency service. When a system goes down, calculate the number of minutes times the number of people not available and the costs go sky high. Ask a security manager his estimate of these costs and he will surely be low, justifying security measures even more.
Managers often cite lack of time, capital outlay, the cost of hiring and the need for training as financial challenges related to security management. Up-to-date technology, expertise and solutions are also issues.
These limited internal resources are often the factors that justify third-party participation to manage information security within a company. It's a costly struggle to have internal staffers monitoring the various detection systems, firewalls and other security programs in place, and this isn't even in real time.
- Adequate Security Helps Ensure Company's Survival
For some companies, the costs involved aren't just a matter of cost-effectiveness; they're a matter of true survival. With the advent of dot-com companies failing and the source of venture capital diminishing, companies are more cost-conscious than ever.
Consider, when a company cuts back to 10-15 people, something has to give that is not a direct revenue producer. They then don’t have the time or resources to manage security continuously. Enter the third party and the justification gets easier.
Take a recent situation when a company outsourced security with a managed security services provider. The provider supplied a managed firewall, perimeter vulnerability scanning, VPN, intrusion detection, real-time monitoring and more.
A few months into the arrangement, the company detected an intrusion. The attack was stopped. No problem.
It would have taken a team hours and days to figure out what happened had the security systems not been in place and had the cost of security systems not been incurred. This does not even include the cost of devising the appropriate solution.
How do you measure that in terms of return on investment? Another cost-related example is happening in the health care industry. Several factors exist to make security a priority, in a very cost-effective manner.
- Outsourcing Security Benefits from Expertise
Hospitals and medical centers are receiving less cash from Medicaid and Medicare reimbursements, making information-based systems even more intensive. With that comes new rules regulating patients’ privacy.
Health care companies must now prove that they can protect electronic patient information. Outsourcing of security expertise and implementation is the major business benefit to be realized in this situation.
There is a tremendous return on investment from outsourcing. Typically, companies can save money by staff reductions while cutting implementation and maintenance costs associated with information security programs. Gaining the expertise and up-to-date methodology is also something that any current or remaining staff in place can benefit from. It gets expensive having an in-house, non-expert dedicated just to monitoring networks. It’s just not as cost-effective in-house.
Security can be a hard sell and a not so black-and-white justification, especially in today’s world of budget cuts, but the answer sure gets easier when evaluating the costs of just one security breach.
Bruck is the founding partner of Bruck and Associates Inc., an information security consulting firm.