General · 4 min read · 31 August 2016

ROI Calculation on Security Projects


This post is also available in: Português English Español

Information security projects come in all sizes and budgets, and the more mature a company is in the subject, the better its control over the variables that determine whether a project is viable. Budget matters, but it is not necessarily the constraint.

Among small and medium-sized companies, which also need security adequate to their business, it is harder to get this kind of project approved, because the people leading the projects usually cannot express its return in concrete terms.

Without metrics, any ROI assessment suffers badly. In this post we present some items that technology managers use as the basis for economic viability, making budget approval easier.

Why information security?

Perhaps the first question to answer is why companies need information security at all. The reasons are diverse and complementary.

Many companies buy security because they must comply with regulatory requirements and other obligations imposed by the sector in which they operate. In these cases the value of security is firmly rooted in the need to protect information in storage, in handling and in transit.

For some segments, such as financial institutions, there is natural market pressure that forces security processes and maturity to be higher (the tangible asset, among many others, being money itself), both for the protection and for the availability of information.

For logistics companies or retailers, whose operations are geographically spread, the most important pillar is probably availability of information, especially between branches and head office, since management systems, inventory data, credit and many other resources are typically validated centrally by the parent company.

A very different view is found in small and medium-sized businesses, where maturity regarding the confidentiality and integrity of information is less evident, or where the risks and losses from a leak appear not to be relevant.

For these companies, information security is much more about employee productivity on the internet: avoiding time spent on websites or content unrelated to the business. The security product or project therefore serves internet availability, visibility of access, and flexible controls that reduce the productivity losses associated with improper use of the network.

Our goal here is not to address every reason why information security matters, but to give an overview: the same security product or project will meet different expectations depending on the type of business. Knowing this is essential in order to define the metrics used to calculate return on investment.

What is the cost of misusing the internet?

We have a post covering this subject, which you can view by clicking here. In short, you need clear criteria for how much internet misuse costs, whether from lack of control or from the distraction of inappropriate content, both of which end up affecting productivity.

This can be a fundamental metric for justifying a security project whose main objective is to increase productivity, or first to know what is being accessed, so that usage profiles can be defined that meet the expectations of both the company and its employees.

What is the cost of an idle employee?

In companies with a large administrative staff and no proper equipment contingency guidelines, it is common for an employee to be prevented from, or impaired in, carrying out their work because their equipment is unavailable.

The reasons vary: aging hardware that fails, or a virus or similar malware that makes the machine partially or totally unusable for the job.

Knowing how often this happens over a given period, how long each occurrence lasts, and the average value of an employee's time, you can estimate what it costs the company to have an employee unable to work because of an equipment failure.

Well-defined security projects should establish internet and computer usage criteria that minimize the exposure of equipment to viruses and other threats that can affect its operation.

What is the cost of internet unavailability?

As more and more business moves to electronic media, losing internet access is extremely critical for many companies.

The greater a company's dependence on the internet to carry out its activities, the greater the financial impact. Think about how many hours your company is without internet in a given period and multiply that by the hourly payroll cost of the staff affected.

The figures are often frightening. On the other hand, they also make the case that the company should have alternative links and that paying for them is financially viable, and those links need not sit idle waiting for a contingency. Ideally a secondary or tertiary link is in production alongside the primary, serving certain services, with all of them acting as contingency for one another when necessary.

Businesses that depend heavily on the internet tend to be somewhat more mature on this point, but many companies that are increasingly dependent on it have not yet prepared to deal with this kind of scenario.

What is the cost of information exposure?

This is perhaps the most complicated point, not for businesses with high levels of maturity and governance in information security, but for the vast majority, which do not even consider the possibility of suffering such an exposure.

When a security incident exposes customer or similar data, losses can be estimated from the drop in revenue (compared with previous months) and, above all, from the customer accounts that are inevitably lost.

If this scenario has already occurred in your business, it will be quite simple to survey this information and use it as a metric to assess the feasibility and payback period of an information security project.

Connecting the dots and adding value

There are several other points to consider; here we have tried to bring together the fundamental ones in an accessible form to help in working out the payback period of an investment. Feel free to extend them according to your needs and your business's security maturity.
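The four metrics above (idle employees, internet unavailability, information exposure, internet misuse) combine into one payback calculation. The following is an added worked example, not code from the original post: it turns the post's arithmetic (hours lost times hourly payroll cost; revenue drop plus lost customer portfolio weighted by how likely an incident is) into expected yearly losses, applies an assumed reduction per category for the project, and returns ROI and payback in months. All input figures, the reduction percentages and the category names are constructed assumptions for illustration, not survey data.

```python
"""Payback model for a security project built from the four cost metrics the
post discusses. Added example, not code from the original post; every input
figure below is a constructed assumption, not survey data."""
from dataclasses import dataclass


@dataclass
class LossInputs:
    """Yearly figures a manager would survey before the project."""
    employees: int
    hourly_cost: float                      # fully loaded cost of one employee-hour
    # idle employee: a failed or infected machine stops one person
    equipment_incidents_per_year: int
    hours_lost_per_incident: float
    # internet unavailability: hours per year the whole office is offline
    internet_outage_hours_per_year: float
    # information exposure: what one incident cost (or would cost), weighted
    # by how likely it is in a given year (assumed probability, 0..1)
    revenue_drop_per_incident: float
    lost_portfolio_per_incident: float
    exposure_probability_per_year: float
    # internet misuse: non-business browsing per employee
    misuse_hours_per_employee_per_week: float
    working_weeks_per_year: int = 48


def annual_losses(i: LossInputs) -> dict:
    """Expected yearly loss per category, following the post's own arithmetic."""
    if not 0.0 <= i.exposure_probability_per_year <= 1.0:
        raise ValueError("exposure probability must be between 0 and 1")
    return {
        "idle_employee": i.equipment_incidents_per_year
        * i.hours_lost_per_incident * i.hourly_cost,
        "internet_outage": i.internet_outage_hours_per_year
        * i.employees * i.hourly_cost,
        "information_exposure": i.exposure_probability_per_year
        * (i.revenue_drop_per_incident + i.lost_portfolio_per_incident),
        "internet_misuse": i.misuse_hours_per_employee_per_week
        * i.working_weeks_per_year * i.employees * i.hourly_cost,
    }


def project_return(losses, reductions, upfront_cost, annual_cost, horizon_years=3):
    """ROI over the horizon and payback period in months.

    reductions: fraction (0..1) of each category's loss the project is
    expected to prevent; a category missing from reductions is unaffected.
    payback_months is None when the yearly benefit does not cover the yearly
    cost, i.e. the project never pays back regardless of horizon.
    """
    for k, r in reductions.items():
        if k not in losses:
            raise KeyError(f"unknown loss category: {k}")
        if not 0.0 <= r <= 1.0:
            raise ValueError(f"reduction for {k} must be between 0 and 1")
    avoided_per_year = sum(losses[k] * reductions.get(k, 0.0) for k in losses)
    net_annual_benefit = avoided_per_year - annual_cost
    total_cost = upfront_cost + annual_cost * horizon_years
    total_avoided = avoided_per_year * horizon_years
    roi = (total_avoided - total_cost) / total_cost if total_cost else 0.0
    payback_months = (
        upfront_cost / (net_annual_benefit / 12.0)
        if net_annual_benefit > 0 else None
    )
    return {
        "avoided_per_year": avoided_per_year,
        "net_annual_benefit": net_annual_benefit,
        "roi": roi,
        "payback_months": payback_months,
    }


# Constructed sample: a 50-person office, figures chosen only to show the arithmetic.
SAMPLE = LossInputs(
    employees=50, hourly_cost=20.0,
    equipment_incidents_per_year=24, hours_lost_per_incident=4.0,
    internet_outage_hours_per_year=10.0,
    revenue_drop_per_incident=30_000.0, lost_portfolio_per_incident=50_000.0,
    exposure_probability_per_year=0.1,
    misuse_hours_per_employee_per_week=2.0,
)
# Assumed effect of the project on each category (not measured).
SAMPLE_REDUCTIONS = {"idle_employee": 0.5, "internet_outage": 0.8,
                     "information_exposure": 0.5, "internet_misuse": 0.4}

if __name__ == "__main__":
    losses = annual_losses(SAMPLE)
    for k, v in losses.items():
        print(f"{k:22s} {v:12,.2f} / year")
    result = project_return(losses, SAMPLE_REDUCTIONS,
                            upfront_cost=30_000.0, annual_cost=6_000.0)
    print(result)
```

The point of the structure is that the project's benefit is only ever a fraction of a loss that must be measured first; if you cannot fill in the LossInputs from your own records (ticket history, link downtime, a past incident), the reduction percentages are guesses layered on guesses, which is exactly the situation the post warns about. The None payback case also matters: a recurring cost above the avoided loss never pays back no matter how long the horizon, and a good approval pitch should show that boundary explicitly.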

Have you found this subject interesting? Tell us what you think and share with your friends and colleagues.
