Now or later? Security and ROI

Friday, 23 June 2006
Many people talk about the "Return On Investment" [ ROI ] when
discussing many aspects of business, especially in regards to hardware
and software procurement. Today we see standard ROI formulas trying to
be applied to things like IT security. There are many different
formulas for calculating ROI, but one of the toughest is the ROI on
security, or "Return on Security Investment" [ ROSI ]. The biggest hurdle for these formulas is that security is not easily perceived or tangible in standard business terms. A close second is a Catch-22: because you have spent X$ on security you have not been hacked, and you have not been hacked because you spent X$ to prevent it. From the perspective of someone who has successfully penetrated the defenses of a network through Penetration Testing, I can say that you don't know until it happens. The need to properly assess protective measures, with Vulnerability Assessments and Penetration Testing, comes into play as much as traditional security products and services. There is no denying that, despite today's increased awareness of the need for good security, there has been no corresponding drop in the number of defacements, data breaches and other intrusions. One thing you hear often is, "Why would someone want to hack my company?" The answer is amazingly simple and much like the old saying:

Q. "Why climb that mountain?"
A. Because it's there.

The fact is you are exposed to possible, and successful, attacks because you live in the age of information and electronic interconnectivity. Just because you might not be a BIG JUICY TARGET does not mean you are intrinsically safe. Hackers [ crackers ] generally penetrate systems for a handful of reasons:

- Fun and bragging rights
- Challenge
- Skill development
- Destruction
- Denial of service and spam bots
- Data theft

What price can be put on your reputation, the loss of confidence of your business partners and clientele, the public's perception, or losses from lawsuits because of a data breach, as well as the cost of cleaning up after an attack? I can guarantee it will be much higher than the investment in proactive security measures you could have taken before an incident.

When trying to determine ROSI, business needs to listen to security staff about which implementations may help. Things like Vulnerability Assessments and Penetration Testing need to be just as much of a priority as your firewalls, IDS and other tangible security assets. If the higher-ups were to listen and spend the money on what is needed to prevent these issues, the benefit of acting now rather than later is priceless when they see that they were able to prevent a possible multi-million dollar loss. Taking the time to re-think your security posture, procedures and the other areas that proactive security investment touches can help you turn ROSI into an obvious, positive business investment. In layman's terms, business confidence brings increased productivity, which is one of the fundamentals of being successful in today's markets.