InFocus: Where to focus security expenditures
If information security is the first concern of IT executives, then where to focus security spending is a close second. What works for Company A, be it a combination of firewalls, intrusion detection systems or user authentication, may not necessarily protect Company B's network successfully. In fact, the only common IT thread among all companies is the need to plan and implement a comprehensive IT security program.
According to a recent IDC study, "Worldwide IT Security Software, Hardware, and Services 2005-2009 Forecast: The Big Picture," security spending continues to rise. IDC reports that "the worldwide IT security market achieved a level of $27.4 billion in 2004, representing 20% growth over 2003." IDC currently forecasts this market to reach $60.0 billion in 2009, representing a compound annual growth rate of 16.9% from 2004 to 2009.
But the overall question remains: Where should businesses focus their security spend? How can they get the most "security bang" for their buck? This is where a security Return on Investment (ROI) framework analysis becomes a necessity.
A security ROI framework analysis helps company managers and executives improve their overall security efforts more efficiently and cost-effectively. The analysis quantifies projected ROI for security investments by investigating the potential financial impact of security risks across the enterprise's business segments. The analysis achieves this by quantifying the potential impact of security risk exposure on cash flow.
The result is a framework that illustrates to enterprises the value of a high-level comparison of security programs versus other enterprise initiatives, while also providing insight into the projected final impact of a given program. It also focuses on the optimal areas for companies to allocate their security dollars -- based on cost, effectiveness and impact/potential impact on the business.
Creating a security ROI framework that provides an economical security solution requires a number of steps and assessments, all designed to help ensure accuracy and effectiveness. To ensure these assessments are objective, it is best to seek out a team of outside advisors such as security consultants. Lucent's Worldwide Services team is among the industry leaders in providing such a service.
Perhaps the best way to understand the ins and outs of a balanced security ROI framework analysis is to examine a case study – focusing on the elements and process of building the ROI framework, like the one displayed in Figure 1. For example, examine Company ABC, a hypothetical Telecom Service Provider in need of a new security plan, and let’s walk through the necessary steps for this organization to create a thorough security ROI framework.
Step 1: Assess the Situation
The first step is to examine Company ABC's current security model and expose the security gaps and vulnerabilities. An assessment of Company ABC's current security program would uncover a number of dangerous gaps:
- Antiquated Security Policies - ABC's security policies are outdated and not enforced.
- There is also no formal Awareness Training program for employees to inform them of Security Policies.
- Without an Intrusion Detection and Prevention System (IDPS), ABC cannot monitor or detect unauthorized devices like wireless access points, switches and routers that may have been added to the network. Malicious intruders could take advantage of this security shortcoming and gain uninhibited access to restricted company materials, or introduce a virus to ABC's systems.
- ABC's Business Continuity Management (BCM) program is outdated. Therefore, in the event of an emergency or disaster, ABC has no plan of action, which could result in company-wide chaos.
- Insufficient physical security measures leave ABC's employees and buildings open to a variety of attacks, such as infiltration or the theft of assets containing critical business information.
- ABC's data back-up and storage system is out of date, leaving the company's vital information vulnerable to theft, corruption or accidental deletion.
Step 2: Develop the Framework
To decide which of these gaps is the most threatening to ABC, assessors input each of the company's threats and exposed vulnerabilities into a security ROI framework model, which includes four steps.
First, all known security-related threats that can impede the ability of the corporation to operate and generate revenue must be identified. These include hackers attacking critical corporate databases, viruses, worms and denial-of-service attacks. Assessors use ABC's security records to note the historical frequency of each of these security threats.
Next, assessors interview ABC's security subject matter experts to ascertain how vulnerable ABC is to each of the identified security threats. These vulnerabilities are used as filters for measuring how dangerous a given security threat is to the organization. For example, if a proven mitigation remedy is already in place to counter a threat, like a virus, then the corporation is not vulnerable to this particular security threat. On the opposite extreme, an unknown worm that suddenly appears on the Internet for which there is no known remedy available creates a very high vulnerability state.
With this information, assessors can move to the third step, which is to calculate the potential impact of all of the captured security threats to the corporation’s infrastructure. The calculation of such impacts is a function of projected outage time and associated costs, which are generally modeled on industry-recognized data for a given vertical market segment.
Finally, the impact to the corporation's infrastructure is translated into the impact on the corporation's business. Essentially, this business impact is measured by assessing how much the organization's operational cash flow could decline as a result of continuous exposure to the security-related threats identified in the first step above.
The business impact is a function of cost impact, which can result from increased costs associated with:
- Productivity loss as the corporation’s network and associated critical systems are degraded by the security incident,
- Responding to the security incident, and
- Recovering from such a security incident with a permanent mitigation remedy.
In the event of a security breach, ABC's revenue can also decline as a result of:
- Service revenue loss, including payment of credits to end-customers as specific service level agreement metrics are violated,
- Customer churn as users flee to competitors who are viewed as offering services with higher security, and
- Loss of potential opportunities when users who were considering signing up with the corporation decide to use another competitor’s services instead.
Step 3: Fill in the Gaps
Now that Company ABC's security gaps are in the open and analyzed, assessors decide how best to address these vulnerabilities, selecting security initiatives to combat each weakness.
Assessors in this example have chosen the following solutions for each security vulnerability facing ABC:
- Update Security Policies;
- Develop an Awareness Training Program;
- Introduce an IDPS;
- Modernize the BCM Program;
- Enhance physical security measures; and
- Improve the data back-up and storage system.
Step 4: Recommendations
To find the right balance between over- and under-spending on security, assessors complete a cost/benefit analysis for each of the potential security solutions, thus determining where to efficiently spend budgeted dollars.
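The four-part framework from Step 2 (threat frequency, vulnerability filter, infrastructure impact, business impact) and the Step 4 cost/benefit comparison can be made concrete in a small model. The code below is an added illustration written for this page; it is not the article's or Lucent's own method, and every threat frequency, vulnerability weight, outage estimate, dollar figure and mitigation fraction in it is a constructed sample value, not data from the case study. The choice to express benefit as the expected annual loss an initiative avoids, and to recommend initiatives whose avoided loss exceeds their cost, is an assumption made for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Threat:
    """One security-related threat from Step 2 (all numbers are constructed samples)."""
    name: str
    annual_frequency: float   # historical incidents per year, from the security records
    vulnerability: float      # 0.0 = proven remedy in place, 1.0 = no known remedy
    outage_hours: float       # projected outage per incident (industry data for the vertical)
    cost_per_hour: float      # productivity loss + incident response + recovery, per outage hour
    revenue_per_hour: float   # SLA credits, churn and lost opportunities, per outage hour

    def expected_annual_loss(self) -> float:
        """Expected yearly decline in operational cash flow from this threat:
        frequency x vulnerability x (outage hours x (cost impact + revenue impact))."""
        per_incident = self.outage_hours * (self.cost_per_hour + self.revenue_per_hour)
        return self.annual_frequency * self.vulnerability * per_incident


@dataclass
class Initiative:
    """A candidate Step 3 solution and the share of each threat's exposure it removes."""
    name: str
    annual_cost: float
    mitigates: Dict[str, float] = field(default_factory=dict)  # threat name -> fraction removed


@dataclass
class Result:
    """Step 4 cost/benefit figures for one initiative."""
    name: str
    annual_benefit: float
    annual_cost: float

    @property
    def net_benefit(self) -> float:
        return self.annual_benefit - self.annual_cost

    @property
    def roi(self) -> float:
        return self.net_benefit / self.annual_cost


def evaluate(threats: List[Threat], initiatives: List[Initiative]) -> List[Result]:
    """Cost/benefit analysis: an initiative's benefit is the expected loss it avoids."""
    loss_by_threat = {t.name: t.expected_annual_loss() for t in threats}
    results = []
    for init in initiatives:
        avoided = sum(loss_by_threat.get(threat, 0.0) * fraction
                      for threat, fraction in init.mitigates.items())
        results.append(Result(init.name, avoided, init.annual_cost))
    # Rank by net benefit so the most cost-effective initiatives come first.
    return sorted(results, key=lambda r: r.net_benefit, reverse=True)


def recommend(results: List[Result]) -> List[str]:
    """Initiatives whose avoided loss exceeds their cost, in order of net benefit."""
    return [r.name for r in results if r.net_benefit > 0]


def sample_threats() -> List[Threat]:
    # Constructed sample inputs for a hypothetical service provider; not measured data.
    return [
        Threat("virus", 12, 0.2, 2, 5000, 2000),
        Threat("unknown worm", 2, 0.9, 24, 10000, 20000),
        Threat("rogue network device", 4, 0.8, 8, 4000, 6000),
        Threat("denial of service", 3, 0.6, 6, 8000, 30000),
    ]


def sample_initiatives() -> List[Initiative]:
    # Constructed sample costs and mitigation fractions; not measured data.
    return [
        Initiative("Introduce an IDPS", 250_000,
                   {"rogue network device": 0.9, "unknown worm": 0.5, "denial of service": 0.4}),
        Initiative("Update policies and awareness training", 60_000,
                   {"virus": 0.5, "rogue network device": 0.3}),
        Initiative("Modernize the BCM program", 90_000,
                   {"unknown worm": 0.2, "denial of service": 0.2}),
        Initiative("Enhance physical security", 120_000,
                   {"rogue network device": 0.4}),
    ]


if __name__ == "__main__":
    results = evaluate(sample_threats(), sample_initiatives())
    for r in results:
        print(f"{r.name:42s} benefit ${r.annual_benefit:>12,.0f}  cost ${r.annual_cost:>10,.0f}"
              f"  net ${r.net_benefit:>12,.0f}  ROI {r.roi:7.1%}")
    print("Recommended:", recommend(results))
```

With these sample inputs the model recommends three of the four initiatives and rejects the physical security upgrade, because the only exposure it reduces (rogue network devices) is already mostly removed by the IDPS. Changing any vulnerability weight or mitigation fraction changes the ranking, which is why the article stresses that the weights come from interviews with the company's own subject matter experts rather than from generic figures.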
The most cost-effective and useful security solutions, including recommended investment levels and implementation plans, are then presented to company executives. For Company ABC, four of the six proposed security initiatives were recommended for implementation:
- Introduce an IDPS, which will allow ABC to detect any network intruders or hackers and isolate them from sensitive network functions and company materials.
- Revamp ABC's Security Policies because the current policies are outdated and are not enforced. The company must update security policies to align with industry best practices, like ISO 17799 from the International Organization for Standardization (ISO), which documents a comprehensive set of controls comprising best practices in information security. Also useful is the International Telecommunication Union's (ITU) X.805, an internationally accepted security framework originally developed by Lucent's Bell Labs. The Bell Labs Security Model has been accepted by ISO and the International Electrotechnical Commission (IEC) as the basis of their joint standard, ISO/IEC 18028-2, Information technology – Security techniques – IT network security – Part 2: Network security architecture.
- Once the policies are developed and agreed upon, ABC must organize an Awareness Training initiative to inform employees. To maximize effectiveness, this should include face-to-face training, online courses and weekly emails on security topics.
- Physical Security will be increased at all of ABC's office locations, focusing on enhanced access security, with cameras and a badge scanning system at all entrances. For highly restricted areas, double entry doors should be employed to provide secure entry. Each door entry should have two-factor authentication that includes an electronic key card reader and disabled cipher lock. Lucent’s experience and industry best practices encourage the use of Closed Circuit TV (CCTV) or other video surveillance to detect and record access to restricted areas. Visitor access to ABC facilities should be authorized and logged in accordance with ABC company policy. Visitors in the restricted areas of ABC facilities must be escorted at all times.
Throughout this process, third party assessors and company executives have an ultimate goal in mind: managing risk. A successful security program is determined by managing the business and budget to accommodate an individual company's unique security risks. But perhaps the greatest risk a company can take is ignoring or undermining the importance of security.
As security threats grow, a security plan – tailored to an enterprise's unique situation – must evolve with the business to ensure a secure and successful future for the enterprise. Despite this, many enterprises choose not to do an ROI study because company management doesn't endorse or request this information, or because many companies find it nearly impossible to quantify an investment such as security. Overlooking security studies can prove to be a very costly and brand-damaging mistake. A security breach can lead to network downtime or, worse, corruption or pilfering of confidential materials – such as sensitive company or customer information.
Not only can security issues cost an enterprise financially, but they can also lead to damaging lawsuits. In the long term, an enterprise's brand may be scarred – stunting future customer base growth or even causing the loss of current customers. Trust in the company's security would be compromised, and the enterprise's reputation may never recover. A well-calibrated security plan, developed with a security ROI framework, might have saved these companies.
As illustrated with the Company ABC case, using a security ROI framework analysis to build a well balanced, efficient and cost-effective security program is perhaps the best way for enterprise executives to protect their company's interests. The only question that remains is, can you afford not to?
Jay Berman is Principal Consultant, Professional Services Strategic Planning & Transformation Program, at Lucent Worldwide Services.
© 2012 Penton Media Inc.