Friday, July 16, 2010

The Security Return on Investment

If looked at solely from the perspective of immediate dollars-and-cents ROI, most security programs would be quickly eliminated, because they are almost always a “cost” center as opposed to a “profit” center – that is, they seldom generate enough revenue to at least pay for themselves. But this is a very narrow viewpoint that does not take into account the value of asset retention.

Since the primary foundation of a security program is to prevent or at least mitigate threats to assets, a successful program will be very difficult to “see.” It is hard to quantify that which does not occur. But the retention of assets (in other words, keeping the assets safely within the organization) is a concept that can be quantified and valued, at least in a general sense.

As a general rule, the failure to implement a sound security program until after a significant loss has occurred will be at least 3 times as expensive as implementing a security program from the outset: there will be the costs associated with the compromise/loss of the asset; there will be the costs associated with the replacement of the asset that was lost; and there will be the costs associated with then implementing the protective measures that could have prevented the loss in the first place.

The investment in a sound security program can be likened to the investment in a good insurance policy: premiums continue to be paid for coverage that may never be needed, but that coverage is found to be truly indispensable and cost-effective when it is needed.