Calculating RoI on Information Security Solutions

Anil Chopra
According to a recent survey done by PCQuest, information security technologies were high on the CIOs' shopping list this year. While this is good news, a key issue one keeps hearing about is how to calculate the RoI on information security solutions. Some CIOs raised this concern in the survey itself.

Indeed, since security solutions are not meant to generate revenue for an organization, justifying their need to the CFO can be quite challenging, especially when the IT budget is expected to be slashed or only marginally increased.

The key thing to remember is that security solutions are meant to prevent loss to your organization: loss of data, the time taken to recover from an incident, the employee productivity lost during downtime, and of course the intangibles such as the loss of reputation, credibility and brand image the organization suffers after a security incident.

The first few losses can be calculated with a little effort, but the intangibles are much harder to put a figure on. Besides the size of the loss, you also need the probability that the incident will occur, or recur, over the period you are budgeting for. Estimating that requires experience and an understanding of the key security trends and their likely impact on your organization.

Compare the expected loss (the loss multiplied by its probability) against the total cost of the security solution that is supposed to prevent it, including implementation, training and ongoing operation, not just the purchase price. If that total cost is lower than the expected loss, you are on the right track. If not, look for alternative solutions.

Security solutions and their RoI also vary from one organization to another, so there is no single formula that fits everyone, which makes the task even more difficult.

For a software solutions company, source code is the biggest asset, so it has to spend considerable effort and money on the right solutions to protect it. For an online e-commerce company, slow site response due to a DDoS attack can mean lost customers, so DDoS protection is important. For a bank, solutions that protect customers' data against misuse, and solutions that prevent careless funds transfers by bank employees, are extremely important.

Let's look at the bank's example, because we've covered three live incidents of online banking fraud in this issue. In one instance, the fraudster changed the mobile number in the KYC record of the bank's customer, so that the victim would not receive SMS alerts when funds were transferred fraudulently. In another case, a bank employee transferred funds on the strength of an email request alone, without verifying whether the email actually came from the customer or from an impostor.

In both cases, the bank probably had several security solutions in place for safe online funds transfers. What it was probably missing was better protection for customer records and an enforced workflow that would stop employees from releasing a funds transfer without first completing a predefined verification procedure.

In both cases, the banks lost reputation and had to fight a lawsuit. To justify the cost of a solution that prevents these two failures, the bank would have to work out the loss from such incidents, multiply it by the probability of recurrence, and then see which candidate solution is the most cost effective against that expected loss.
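As an added worked example (not from the column, and not data from the cases it cites), the comparison described above carried through in Python using the standard annualized-loss-expectancy and ROSI formulas. The bank, its loss figures, the recurrence rate and the three candidate controls are all constructed for illustration; it also goes one step further than the text and computes how often an incident would have to recur before each control pays for itself.

```python
"""Return on security investment (ROSI), worked through in code.

This is an added illustration, not part of the original PCQuest column.
It applies the column's reasoning (loss x probability of recurrence, compared
with the full cost of a control) using the standard ALE/ROSI formulas:

    SLE  = loss from one incident
    ALE  = SLE * ARO                      (ARO: expected incidents per year)
    ROSI = (ALE * mitigation - annual cost of control) / annual cost of control

Every figure below (the bank, its losses, the candidate controls) is
constructed for the example; it is not data from the cases the column cites.
"""
from dataclasses import dataclass


@dataclass
class LossProfile:
    """Per-incident loss, split the way the column does: measurable items
    first, the intangible estimate kept separate so its uncertainty stays
    visible to whoever reviews the numbers."""
    direct_loss: float               # funds lost, recovery effort, legal fees
    downtime_hours: float
    hourly_productivity_cost: float  # cost of staff idled by the incident
    intangible_loss: float           # reputation, credibility (estimate)

    def single_loss_expectancy(self) -> float:
        return (self.direct_loss
                + self.downtime_hours * self.hourly_productivity_cost
                + self.intangible_loss)


@dataclass
class Control:
    """A candidate security solution and everything it costs, not just the
    purchase price."""
    name: str
    purchase_cost: float
    implementation_cost: float
    annual_training_cost: float
    mitigation: float        # fraction of the expected loss it removes (0..1)
    years: int = 3           # period over which one-off costs are spread

    def annual_cost(self) -> float:
        one_off = (self.purchase_cost + self.implementation_cost) / self.years
        return one_off + self.annual_training_cost


def annualized_loss_expectancy(profile, aro):
    """Expected yearly loss with no new control in place."""
    return profile.single_loss_expectancy() * aro


def rosi(ale, control):
    """Return per unit spent; negative means the control costs more than the
    loss it is expected to prevent."""
    cost = control.annual_cost()
    return (ale * control.mitigation - cost) / cost


def breakeven_aro(profile, control):
    """How often the incident would have to recur per year for the control to
    pay for itself. The probability is the hardest input to estimate, so this
    shows how sensitive the decision is to it."""
    return control.annual_cost() / (profile.single_loss_expectancy() * control.mitigation)


def rank_controls(profile, aro, controls):
    """Order candidates by ROSI; each entry also says whether it pays back."""
    ale = annualized_loss_expectancy(profile, aro)
    ranked = sorted(controls, key=lambda c: rosi(ale, c), reverse=True)
    return [(c.name, round(rosi(ale, c), 2), rosi(ale, c) > 0) for c in ranked]


# Constructed sample: an online-banking fraud incident of the kind the column
# describes. Amounts are in an arbitrary currency unit.
BANK_FRAUD = LossProfile(direct_loss=2_000_000, downtime_hours=40,
                         hourly_productivity_cost=5_000, intangible_loss=1_500_000)
INCIDENT_RATE = 0.5   # assumed: one such incident every two years

CANDIDATES = [
    Control("Integrity checks on KYC record changes", 900_000, 300_000, 100_000, mitigation=0.6),
    Control("Enforced approval workflow for funds transfers", 1_500_000, 600_000, 150_000, mitigation=0.7),
    Control("Enterprise fraud-analytics platform", 6_000_000, 1_500_000, 300_000, mitigation=0.9),
]

if __name__ == "__main__":
    ale = annualized_loss_expectancy(BANK_FRAUD, INCIDENT_RATE)
    print(f"SLE {BANK_FRAUD.single_loss_expectancy():,.0f}  ALE {ale:,.0f}")
    for name, r, pays in rank_controls(BANK_FRAUD, INCIDENT_RATE, CANDIDATES):
        print(f"{name:<50} ROSI {r:+.2f}  {'pays back' if pays else 'does not pay back'}")
    for c in CANDIDATES:
        print(f"{c.name:<50} breaks even at ARO {breakeven_aro(BANK_FRAUD, c):.2f}/yr")
```

With these constructed figures the two targeted controls pay back (ROSI of 1.22 and 0.52) while the large analytics platform does not (−0.41); `breakeven_aro` shows it would need an incident more than every 1.2 years to justify itself, which is the kind of sensitivity check worth showing the CFO alongside the headline number.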