Is Investment in IT Security Tangible ROI or merely an insurance policy?

Posted by Richard Hunt on 5 July 2016
Richard Hunt

It is difficult to articulate ROI on IT security. It is a bit like wearing a protective equipment when motorcycle racing: there are regulatory reasons why you need to do it, along with personal safety and security issues. But does it actually deliver any tangible improvement in performance? Or does it reduce the cost of operating? Here we will explain why investment in IT security will deliver long-term ROI for your business.Is_Investment_in_IT_Security.jpg

Increased revenue and productivity?

Protecting key assets may secure an organisation’s revenue stream, just like winning races secures prize money and sponsorship. It is possible to argue that security investment generates increased productivity, but quantifying this will vary from one firm to another. Having the right security tools in place may allow the enterprise to “go faster” but does not entirely remove the risk of error. Automated monitoring and alerts, workflows to ensure the right business approvals are in place to authorise key transactions, automating user provisioning may all increase efficiency, reduce the risk of unauthorised access or error and enable the redeployment of resources towards more value-adding activities.

Focus on cost savings

Penalties and fines may be imposed for failure to comply with safety, security and compliance standards. Whilst costs may be immaterial in financial terms, the associated reputational risk may be compelling enough to justify security investment. The organisational upheaval caused by refocusing the resources required to address compliance deficiencies should also not be underestimated. 

Other savings come from cost avoidance. The organisation may be able to calculate the likelihood of loss of assets and the value of that loss to determine how much should be spent on preventative measures. Expenditure must be commensurate with the associated risk; otherwise this remains a cost and adds no value to the bottom line.

The Annualised Loss Expectancy (ALE) equation: A way to justify how much should be spent on IT security.

ASSET VALUE X RISK OF LOSS X NUMBER OF TIMES LOSS OCCURS PER YEAR =

ANNUALISED LOSS EXPECTANCY

So if an asset is valued at £100,000 and the risk of loss is 25% then the SLE is £25,000. Assuming the risk of the loss occurring is twice in one year, the ALE is £50,000. If this is the case, then there is no financial imperative for spending £75,000 on securing that asset for the year.

Of course there are challenges with this equation:

  • Accurately valuing the asset, including intangibles such as reputation
  • Accurately predicting the risk of loss
  • Evaluating the costs and benefits of implementing security programmes on an annualised basis, and understanding what happens when this is applied across multiple assets

It’s not all about the financials

Enterprises that suspect they have a problem with fraud often do not have the tools in place to trace suspicious activity. And with the ever-increasing external threats, financial risk is not the only problem. Disruption-to-service or denial-of-service attacks do not necessarily have immediate financial impacts but do ultimately affect perception of business viability.

In a perfect world, no organisation would invest unless it could demonstrate a strong case for ROI. In truth, it is difficult to prove that any of these outputs are exclusively due to IT security investment. Loss of a key asset, may not put a company out of business forever but could be enough to precipitate the loss of competitive advantage and revenue stream for some time to come.  Is it really worth the risk?

 

Insert image

Topics: SAP Security Cyber Security SAP Access Controls SAP GRC Risk Management

We would love to hear your thoughts. Please leave a comment.