How do you Justify IT Security Expenditure

BeCrypt : 25 February, 2010  (Special Report)
Providing justification for purchasing IT security solutions is a challenge which Ben Ross of Becrypt resolves with Key Performance Indicators and Productivity Gains
Quantifying any kind of ROI from a security solution is not as straightforward as it should be, especially when some organisations still see security as just an insurance policy for the 'what if' scenario, a fairly old-fashioned outlook. It is also something the security industry still struggles to give a coherent answer to.

In this article, Becrypt VP of Marketing, Ben Ross, explores what organisations can do to justify spend on IT security, and also demonstrate value and ROI.

In the current economic climate, most organisations are having to justify each additional request for IT expenditure they make. Corporate IT managers are under significant pressure - either from their boards or other senior management, including investor sources - to justify their current security expenditures in the face of continuing shareholder scrutiny on all expenses.

Whilst historical evidence suggests that IT security has been an essential part of business investment for a number of years, IT budgets generally are being cut in the face of the current downturn. Now, more than ever, there is a need to measure the effectiveness of IT security solutions, understand the productivity and value gained and the reduction in risk, and thereby justify the spend.

The role of KPIs in measuring security effectiveness

Key Performance Indicators (KPIs) are now a primary means of measuring the effectiveness of almost any IT or business solution.

Security technology KPIs should therefore be aligned with your organisation's overall data protection strategy, and performance and operational KPIs should be linked to the security strategy, so that the organisation can measure its performance more effectively.

This will ultimately enable you to make more informed business decisions.
Commonly used KPIs that should appear in your security strategy plan include:

* The number of security incidents (per period, and their trend)
* The percentage of the network covered by the control
* The percentage of applications covered by the control.

To make this process as seamless as possible, you should seek to concentrate on analysis and reporting activities that are directly aligned with the KPIs or security strategy.

Measuring productivity gains from IT security

Measuring gains in productivity from improved IT security means measuring how much more effective the protected resource (people, systems or data) has become as a result.

To better execute the measurement process, it is necessary to assign roles and responsibilities in your organisation.

A detailed Responsible, Accountable, Consulted, Informed (RACI) matrix and staffing model will help you determine how the various functional areas within your organisation factor into the planning, design, implementation, and operation of the overall security solution.

In addition, a well-researched and effective RACI clearly defines each stakeholder's role and helps facilitate stakeholder buy-in.

You should immediately identify the data owners, as they understand the importance of their data in the context of the business; establish relationships with them; and engage them in effective, ongoing, two-way communication.

Analysing the existing technology and process controls will help you identify control gaps. You should base your security assessment on an established Risk Management framework and detailed classification scheme.

Finally, ensure that you cover all areas of the organisation, catalogue where sensitive data is located, estimate the organisation's exposure, and measure the potential magnitude of any loss.

Quantifying ROI from your IT security

Measuring Return on Investment (ROI) from your security solution is perhaps not that different from measuring the ROI of your entire IT estate. There is, however, one main difference: IT security is usually about protecting an asset (your data, your network, and so on) against a threat. If you have successfully protected the asset and nothing 'bad' has happened, how do you demonstrate the return?

One way is to estimate the value of the asset, your customer data for instance, and then put a business value on that data being lost or falling into the wrong hands. What are the costs and impacts to the business? The cost of protecting the asset through IT security can then be compared with the expected cost and impact if the asset were lost, compromised or damaged.

You should also seek stakeholder buy-in to the security solution from across the entire organisation, and communicate the value of IT security to the business in measurable terms they can understand.

While deploying your security solution, involve the stakeholders from the beginning, so that all parties fully understand the business requirements and the impact the solution may have on operations, employee behaviour and corporate culture generally.

Stakeholders will generally include representatives from the following groups: privacy, IT, security, investigations, human resources, legal, compliance, audit, and the direct lines of business.

To help you measure the ROI from your security investment, you should ideally use a modular approach to the deployment of your technology solutions. Measuring the return of individual components of the overall solution is often the most pragmatic way of establishing ROI.
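The comparison described above (business value of a loss against the cost of protecting the asset) and the component-by-component measurement of return can be written down as a small, repeatable calculation. The following is an added example and is not Becrypt's code or method; it uses the common annualised loss expectancy convention (expected loss per incident multiplied by expected incidents per year), which the article does not name, and every asset, control and figure in it is constructed for illustration. The break-even rate answers the "nothing bad happened" objection: it states how many incidents a year the control would have to avoid to pay for itself, without requiring a precise incident forecast.

```python
"""Compare expected loss against the cost of each protective control."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Exposure:
    """An asset at risk. Figures are constructed, not real."""
    asset: str
    single_loss_expectancy: float  # business cost of one incident
    annual_rate: float             # expected incidents per year with no control


@dataclass(frozen=True)
class Control:
    """One component of a modular security solution."""
    name: str
    annual_cost: float
    mitigation: float          # fraction of the covered exposure it removes (0..1)
    covers: tuple[str, ...]    # asset names the control protects


def annual_loss_expectancy(exposures: list[Exposure]) -> float:
    """Expected yearly loss across the given assets with no protection."""
    return sum(e.single_loss_expectancy * e.annual_rate for e in exposures)


def control_return(control: Control, exposures: list[Exposure]) -> dict:
    """Return avoided loss, net return and ROSI for one control.

    ROSI = (avoided loss - annual cost) / annual cost, measured per component
    so that each part of the solution can be justified on its own.
    """
    covered = [e for e in exposures if e.asset in control.covers]
    avoided = annual_loss_expectancy(covered) * control.mitigation
    net = avoided - control.annual_cost
    rosi = net / control.annual_cost if control.annual_cost else float("inf")
    return {"control": control.name, "avoided_loss": avoided,
            "net_return": net, "rosi": rosi}


def rank_controls(controls: list[Control], exposures: list[Exposure]) -> list[dict]:
    """Order controls by return so the strongest business case comes first."""
    return sorted((control_return(c, exposures) for c in controls),
                  key=lambda r: r["rosi"], reverse=True)


def break_even_rate(control: Control, exposure: Exposure) -> float:
    """Incidents per year at which the control exactly pays for itself.

    Useful when the incident rate is disputed: the argument becomes
    "do we believe we would see at least this many incidents a year?"
    """
    return control.annual_cost / (exposure.single_loss_expectancy * control.mitigation)


# Constructed sample estate (hypothetical assets and figures).
EXPOSURES = [
    Exposure("customer database", single_loss_expectancy=250_000, annual_rate=0.2),
    Exposure("laptops", single_loss_expectancy=40_000, annual_rate=1.5),
    Exposure("email", single_loss_expectancy=10_000, annual_rate=4.0),
]

# Constructed sample controls (hypothetical names, costs and mitigation factors).
CONTROLS = [
    Control("full-disk encryption", annual_cost=30_000, mitigation=0.9,
            covers=("laptops",)),
    Control("DLP gateway", annual_cost=80_000, mitigation=0.6,
            covers=("customer database", "email")),
    Control("security awareness training", annual_cost=5_000, mitigation=0.25,
            covers=("email", "laptops")),
]


if __name__ == "__main__":
    print(f"Unprotected annual loss expectancy: {annual_loss_expectancy(EXPOSURES):,.0f}")
    for r in rank_controls(CONTROLS, EXPOSURES):
        print(f"{r['control']:<30} avoided {r['avoided_loss']:>9,.0f} "
              f"net {r['net_return']:>9,.0f}  ROSI {r['rosi']:+.2f}")
    fde, laptops = CONTROLS[0], EXPOSURES[1]
    print(f"{fde.name} breaks even at {break_even_rate(fde, laptops):.2f} laptop losses/year")
```

With these constructed figures the awareness training ranks first and the DLP gateway shows a negative return, which is the point of the modular approach: the component that cannot be justified is visible on its own rather than hidden inside a single bundled figure. The same structure works when the inputs are ranges rather than point estimates; rerun it with the low and high estimates and present both.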

This will also enable your organisation to seamlessly implement more robust data protection solutions down the line, as technologies mature and your business needs dictate.


For many senior executives, IT security is just a cost of doing business. In an ideal world that cost would not be needed and could be invested in another part of the business, or not spent at all.

In the real world, however, organisations need to protect themselves from a variety of threats and risks. To establish a genuine return from your IT security investment, you should first determine exactly what is meant by 'return'.

The return from IT security is often based around eliminating the need to spend more money by preventing bad things from happening. IT security leaders need to quantify the potential business impacts of these bad things, and perhaps more importantly, they need to articulate the cost of prevention versus the impact in a measurable and quantifiable way to the rest of the business.