Corporate IT security staff continues to struggle with balancing security investments with business priorities.
Funds that are spent on security can't be measured as a return on investment because they may or may not prevent a disaster. In regulated businesses such as banking, insurance and medical, security is mandated by regulations, but this only slightly alleviates the problem.
"Companies who are further along in the security curve are coming to us and say: 'I spend lots of money on security. All I can tell my chief financial officer is that he can sleep well at night because I'm spending all this money,'" Arshad Matin, Symantec's vice president for compliance and risk management said at a company event during the RSA Conference in San Francisco.
"They are looking for ways to quantify the benefits in a way that business leaders understand."
Christopher Leach, chief risk officer with First Horizon Bank, recommends that companies treat security risks as a potential system outage to estimate the potential risk and justify investments.
"As soon as you put it back into business terms, [senior management] understands it and you're done," said Leach.
Return on investment is difficult to measure. If a security breach brings down a transactional system, the damage can be quantified fairly easily. But in the rare case that an incident becomes public, a firm's reputation and stock prices are also likely to suffer.
This requires however that enterprises shift their security policies from a reactive mode in which they respond to incidents, to a proactive mode in which they actively try to prevent incidents from occurring. This in turn changes the job of a firm's security staff from plugging holes to educating business lines about the costs in case of an incident and build a consensus about the best solution.
"The challenge to that approach is that you as the chief security officer are the one that is held accountable," cautioned Leach.
"You're the throat to choke. You're still the one that when the regulator comes in, they will kill you."
Security investments remain a tough sell
By Tom Sanders on Feb 8, 2007 10:48AM