October 30, 2005

Web Security ROI


by Brian Turner


In 2003, following the IT business downturn and slumping stock market, many companies were tightening their IT budgets. This meant instituting new policies based on what is financially best for the company, i.e., the company's ROI. The new policies could include layoffs, in which case systems administrators, PC technicians and webmasters would be assuming new duties, such as web security.

How does one go about computing web security ROI? Generally speaking, it involves determining the money you might lose should an attack on your proprietary data occur, and then comparing that sum with what you will be spending on security measures. This equation would include security hardware, software and the salaries of IT personnel.

Let’s look first at your IT security personnel. (Although, if you’re self-employed, you might want to increase your own knowledge of security methods.)

What makes a good security person? Some businesses actually wonder why a security person is necessary at all. If all the servers are secure, with all unnecessary ports closed, the firewalls in place, the anti-virus installed, etc., what else is there to do? Well, for one thing, servers need to be constantly monitored, and there need to be technicians available to respond to security breaches.

On the other hand, your accountants may well wonder how network security management, including firewalls and other measures, can be justified since they don’t directly produce income.

Well, that makes a good question, but is there any way of computing just how much money security saves us?

The answer is a resounding "No." There are no actuarial tables for computing the direct losses that companies will sustain because of security flaws in software or in server operations like data backups. Instead, other methods that don't directly involve statistics have been applied to determine loss.

For example, suppose your database full of credit card numbers was pilfered? That could damage your company's reputation, especially if some of the card holders decided to sue for damages. You can't quantify, before the theft occurs, exactly what your losses would be. This is partly because "reputation" is a subjective entity, and partly because you can't predict who would sue and for how much.

Statistics can show, generally, that software bugs and security holes are probably the main reason hackers are able to penetrate your system. (Software developers often don't concern themselves with security, except as an afterthought.) On the other hand, most purchasers of off-the-shelf software don't have the time, money or knowledge to test each application for bugs. Instead, the purchaser must continually be made aware of software bugs as they are detected, and the proper patches then need to be applied.

Of course, you can see headlines that “computer crime cost US businesses five billion dollars last year”, but those figures are strictly estimates, since many companies don’t want to have such losses made public. So without figures to back you up, how do you put a competitive price on your services?

Well, there are these viable factors to consider:

You can always use FUD (Fear, Uncertainty and Doubt) to sell your security services to accountants, management or your clientele. This kind of paranoia can't be itemized, but it does have a basis in truth (for example, if you show your clients the newspaper headlines about the 13 root servers that were attacked in October 2002). Of course, you'll still need to provide some statistics to close the sale. Most of them will be aware of security concerns, and you can try to convince them that an ounce of prevention is better than, etc.

Additionally, make them aware of the general effects of careful monitoring. Let them know that signing with an ISP that has a well-designed security plan is worth the extra cost. Insisting on security warranties with all software or hardware purchases, or at least an alerting service via email for new threats and patches, is a relatively low-cost way to improve security.

If all of a sudden you've been told you're in charge of security because the security contractors have been cancelled, don't panic. If you have good analytical thinking skills, if you can break a problem up into parts, if you can be calm in a crisis, and if you understand the business that you're trying to protect, then learning how to set up an access control list on a router will be secondary and easy. You don't necessarily need a vast background of knowledge to be a good security manager. You don't have to be overly suspicious, but you do have to be detail-oriented and concerned about the welfare of your company. (On the other hand, if you own the company, you probably already feel this way about it.)

You don’t have to be paranoid, but you must have the ability to make snap judgments under pressure. (If you like to solve puzzles and read mystery novels, then you probably already have the right attitude.)

Don’t be so secretive that you don’t share the details with key business managers. On the contrary, communicate with them regularly, both by email and in person.

Don’t lock everything up on the network so tightly that you limit access to necessary files and applications. (This will annoy your users immensely.) Don’t give your users any more rights or access than they need to perform their duties. (If you do so, and then you have to take away some of their rights, they will be very upset!)

Above all, know the business that you’re protecting: its products, its services, its personnel and its customers.
