Is There a Business Case for IT Security?
I can remember a time, not too long ago, when I was working with the comptrollers at a major US corporation to work up a business case for a critical security investment. In this case, it was software to help manage security incidents and track vulnerabilities in a more aggressive manner. This new capability would ensure faster response to potentially damaging incidents, and keep management in the loop. We determined this need after analyzing 8 years of breach information where we found the speed from discovery to resolution of security incidents can be a big indicator of how expensive the incident will be.
I plowed through filling out the requisite finance forms, and can remember my frustration explaining how this investment might prevent the costs of an incident from climbing out of control quickly. I even invited world-renowned breach experts to support the FACT that breach costs could go higher than $200 a record if you are found negligent in protecting PII data.
My finance friends just couldn’t get past the idea that security software simply does not generate revenue, therefore there is no return on investment. The ROI on the business case was negative as a result, and we had to rely on the fear factor to get the project funded.
The fear factor is getting old. "The sky is falling" is not a way to justify an important security investment, and the technology is so complex that it just isn’t obvious how the investment can and will help. It leaves executives feeling burned when they pour money into security and don’t really know how to measure its effect.
Perhaps one of the big reasons companies seem to pour money into security without clear understanding of benefit lies in the way that finance folks struggle to quantify any ROI for what I call ‘defensive investments’.
Project portfolios typically get funded based on how much money the company will make or save, not how much money a company will avoid paying in litigation, notification, and other costs related to losing data if and when that happens.
Finance leadership has no problem understanding ‘offensive investments’, like CRM software or marketing improvements, where you predict the impact to the top line or bottom line, and if you are within the company hurdle rate, you can proceed fully funded.
News flash: there is no ‘hurdle rate’ for a defensive investment! At least, none I have ever seen.
Because my defensive investment does not generate or save short-term revenue, there is little to no way to accurately describe how the company truly benefits from a security investment, unless you have very good senior management that has been keeping up on this sort of thing.
I have some good news…recent events are starting to have a huge impact on executive thinking and we now have an opportunity to change this perception.
Think about Target, which now has to face litigation from the banks and a host of other injured parties as a result of its recent breach (http://www.fierceitsecurity.com/story/judge-rules-banks-lawsuit-against-target-over-breach-can-proceed/2014-12-04), in addition to the costs it is already incurring for the loss of 40 million records: customer churn, cost of notification, cost of legal teams, and loss of market confidence, to name a few.
So, to help my clients and partners succeed, I am proposing a new approach to funding security investments that might go a long way towards helping everyone understand how security impacts the bottom line:
How to Write a Business Case for Security Investments
Step 1: First, let’s start with getting some facts. Guessing does not suffice in finance discussions, and you need good data to make any kind of business case for security investments.
When I discuss the total potential impact of breach costs, I rely on the Ponemon Institute. (http://www.ponemon.org/) This group has collected years of breach data, working with the likes of the Secret Service, Verizon, IBM and many others to get to the bottom of how much a breach might cost.
So, using the facts they provide, I can tell you the average cost of a lost record is $201, from 2013 research. After having seen the data Ponemon provides in its various outlets, having met the good Dr. Larry myself, and having queried him often, I have lost all of my skepticism for this number. I can only tell you to check it out for yourself. It’s almost like reading prophecy in light of current events!
The second figure you will need is the likelihood you will be breached. This is a hard one. But again, the good folks at the Ponemon Institute have nailed that too. In their research, they have found a way to quantify, based on your security posture, both the likelihood of a breach and what it might cost.
So, let’s say you have an average security posture. In this hypothetical, you find out that because you are in the Hospitality industry, the average daily likelihood you will get breached is 20%.
So, there is a 20% chance on any day you will wake up to find you have lost a minimum of 10,000 records assuming an average or less security posture.
10,000 records x $201 = $20,010,000 minimum loss
Yep, I said $20 MILLION.
Not FUD, fact.
The chance it will be 50,000 records? 6%
Now you know the odds. Now you have the raw material to show those odds to leadership.
Step 2: Figure out the potential impact of your security investment. The new terms we use to talk to our corporate brethren will be % reduction in risk, and % reduction in cost per record if we do see a breach.
If you focus on lowering the cost per record lost, it has a retroactive impact on risk. Therefore I propose you always use lowering the cost per record lost as your primary benchmark.
Now, it would take too much space here to walk you through how you are going to calculate your current aggregated risk based on your posture, versus the new aggregated risk based on your posture after the investment. That takes elbow grease and a deep knowledge of what you have in place, and most security professionals can get the raw data for you.
What I will tell you is that the Ponemon Institute has found that if you have a strong security posture or a formal incident response plan, your cost per record could be as low as $21 and $17 per record respectively. (Down from that original $201 figure.)
Encryption dramatically lowers the number. Just consider one cost component of having unencrypted data: if your lost data was encrypted, in the great state of California you are not required to send breach notifications. Just sending out the notification letters is going to run you $1 per letter! And that is the tip of the iceberg.
If you can get to a point where you can quantify your impact on reducing the cost per record in the event of a breach, then the business case is likely to make a lot more sense to your executives, and you will also have the impact of focusing on the right security investments at the right time.
Step 3: Get funded, because everyone knows the score now…or if you don’t get funded, it’s recorded as to why, and who accepted the risk. Once you start to document decisions, people start to respond differently.
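As an added example (not from the post or from AppSec Consulting), here is a small Python model of the Step 1 and Step 2 arithmetic: a scenario table of breach likelihoods and record counts, the post's cost-per-record figures for an average posture ($201) and a strong posture ($21), and the terms proposed above, % reduction in cost per record and the expected loss avoided, netted against the spend. The $150,000 investment cost and the folding of the 6%/50,000-record case into the same scenario table are my assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Loss scenarios taken from the post: a 20% likelihood of losing 10,000 records and a
# 6% likelihood of losing 50,000. Treating them as one scenario table is an assumption.
SCENARIOS: List[Tuple[float, int]] = [(0.20, 10_000), (0.06, 50_000)]


@dataclass(frozen=True)
class Posture:
    """A security posture expressed as the cost per lost record it implies."""
    name: str
    cost_per_record: float  # USD per record, Ponemon-style figure

    def loss_if_breached(self, records: int) -> float:
        """Step 1: records lost x cost per record."""
        return records * self.cost_per_record

    def expected_loss(self, scenarios: List[Tuple[float, int]]) -> float:
        """Probability-weighted loss across the scenario table."""
        return sum(p * self.loss_if_breached(n) for p, n in scenarios)


def business_case(baseline: Posture, improved: Posture,
                  investment: float, scenarios=SCENARIOS) -> Dict[str, float]:
    """Step 2: state the investment in the post's terms, % reduction in cost per
    record and the expected loss it avoids, then net that against the spend."""
    before = baseline.expected_loss(scenarios)
    after = improved.expected_loss(scenarios)
    return {
        "expected_loss_before": before,
        "expected_loss_after": after,
        "cost_per_record_reduction_pct":
            100 * (1 - improved.cost_per_record / baseline.cost_per_record),
        "avoided_expected_loss": before - after,
        "net_benefit": (before - after) - investment,
    }


# Cost-per-record figures from the post; the $150,000 investment is a constructed placeholder.
AVERAGE = Posture("average posture", 201.0)
STRONG = Posture("strong posture", 21.0)
CASE = business_case(AVERAGE, STRONG, investment=150_000.0)

if __name__ == "__main__":
    for label, value in CASE.items():
        print(f"{label:>32}: {value:,.0f}")
```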
Let’s assume we are successful with our benchmark. Can you envision a day when everyone is focusing on the best ways to reduce the cost per record in breach events? It’s simply not practical anymore to talk about stopping breaches. 20% breach rates are horrendous, and they are the current reality. So, reducing the cost of impact is another way to get at the same thing: general security posture improvement.
It is possible to show the aggregate impact on our risk profile every time we make an investment. If we can align an ROI concept around this or something similar, then I think the ball gets moved forward in financing discussions.
I hopefully have given you something to think about, and I welcome your feedback negative or positive. (solson@appsecconsulting.com). www.appsecconsulting.com
Very useful information and insight. Thanks!
Excellent post!!!
Excellent post! I really enjoyed the yellow pad cost analysis done within this article.
I have an idea that would push corporate boards to take data security seriously. Put a provision in their contract that strips them of any stock, any corporate golden parachutes and relieves them of any future pension if they fail to take basic steps to protect corporate and customer information.