Return on investment is simply showing management, in terms they understand, what the results of their security investments will be. This doesn't necessarily have to be profits from the investment; it can be the culmination of savings and risk aversion from the investment. You will need to conduct a risk assessment to realize the full value of your security efforts, as it shows the threats and countermeasures in a formalized, rated way. Part of the risk assessment should include costs for each type of incident. The previous one-page risk assessment showed in precise terms that the cost of mitigating the risk was far less than the impact of doing nothing. Sometimes showing the return on investment is not quite so straightforward. In those instances where you can't determine the costs of an issue and the return on investment, use the best figures you can gather (realistic and within reason). You can use the estimated costs of a previous incident that was similar in scope and convert the numbers to cover the issue you are working on. You must also keep in mind any regulatory considerations as well as insurance adjustments related to your security program.
To effectively convey the importance of the security program, you will need to do some fact finding and coordinate with other groups. This step can be time intensive, but the results of your effort can be tremendous. A methodical fact-finding effort will allow you to present management with factual evidence for the need for a good security program, without opinions based on preconceived notions or guesses that can degrade your overall security message.
Determining what information you need is often the most difficult aspect of the information gathering phase. Some sample facts to gather are
What is the average income per day of your business unit?
What is the cost of hardware in your business unit?
What is the average salary of the staff?
What laws or regulations apply to your business unit?
What penalties are associated with process failure of your business unit?
There are other facts to gather, but these are largely determined by what problem you are addressing. It is good to take some time to figure out what you are trying to accomplish and how you are going to go about meeting that goal.
After determining the facts you need to gather, you then need to get the information from those who can provide the best answers. This may include financial, legal, and human resource staff, as well as subject matter experts. Your management should have an understanding of the business relationships and who would be the most helpful in your fact-finding phase. Another good resource to consider is the office manager, who usually knows the major players in the organization and can help lead you in the right direction for information.
The first step is to determine the typical revenue produced in one normal business day. This allows you to show what a worst case scenario of complete loss of business functions would be, upon which you can begin determining more long-term effects of business failure. Another important area to consider is whether there are fines associated with failure of business activities. If your company has a contract to provide services to another company or individual, do you have an associated fine or deduction when your service doesn't meet predetermined metrics? Are there governmental fines associated with failure to deliver goods or services that could be levied for failure of business delivery? Has a similar company in your industry faced an information security incident? If so, what were the costs of the incident? The costs associated with business interruption or failure could be of tremendous impact, even causing severe degradation of business revenue. If you are a business in the government sector, you must consider the ramifications of potential fines or investigations by government oversight committees and the costs associated with those activities. Government and business entities must consider the impact of incidents on operating budgets and future budgets and revenues.
A good way to determine return on investment (or return on security investment) is to use some previous examples of security issues that caused downtime or business disruption and compare the cost of the downtime to that of the mitigation solution. For example, the fictional company ACME Sprockets has an application called Sprocket Tracker. If the Sprocket Tracker application went offline for 30 minutes, it could directly cost the company $10,000. Using that figure, you can reasonably estimate that in an average business day, you could lose $160,000. This was determined by taking the average work hours in a business day, converting them into 30-minute periods, and then multiplying by $10,000 (average loss per 30 minutes). These are the types of calculations you will need so that you can provide management with reasonable information on potential losses associated with a security event. Figure 15-3 shows an example of determining an incident's cost for a very small company suffering a minor virus outbreak.
Using the report shown in Figure 15-2, you can propose a possible resolution or ways to mitigate the risk and directly compare the two to show the business case for the resolution. For instance, in this case, you show how a patch management system for your Windows machines, which might cost $1,000, could reduce the damage, potentially saving the organization $5,600 per incident.
Other areas that can assist in the determination of return on investment and can greatly impact budget resources are governmental and industry requirements. There are many different legal requirements for security practices throughout the world, which if not properly followed can result in severe monetary penalties, censure, or even criminal penalties. Most security legislation is still in its beginning stages and many businesses have not seen penalties yet, but the provisions are available for regulatory or investigative agencies. Examples of current legislation (pending and enacted) include
The Health Insurance Portability and Accountability Act (HIPAA), which sets provisions for how personal health information is handled, disclosed, and used. This is applicable in the United States. More information is available at http://www.hhs.gov/ocr/hipaa/.
California SB 1386, relating to reporting of security incidents to California residents and applicable to all businesses that hold personal information on California residents. This particular legislation is seen as far-reaching due to the global nature of business, and the fact that a lot of private businesses will hold information on a California citizen due to the nature of interstate and global commerce. More information is available at the California State Senate home page: http://info.sen.ca.gov/pub/01-02/bill/sen/sb_1351-1400/sb_1386_bill_20020926_chaptered.html.
The Gramm-Leach-Bliley Act (GLBA) or the Financial Services Modernization Act defines some guidance on information security obligations for companies in the United States and sets out requirements for the protection of consumers' personal financial information. More information can be found at http://www.ftc.gov/privacy/glbact/.
The Sarbanes-Oxley (SOX) Act of 2002 deals with accountability for public companies. Of special interest to information security professionals is section 404. Violation of the requirements set forth in this act can lead to civil and criminal penalties for executives and directly impact a security program. The basics of this legislation are that it requires certification of a company's internal controls on a yearly basis, creating a need for the protection of your company's data. Go to http://www.sec.gov/spotlight/sarbanes-oxley.htm.
European Union Directive 95/46 EC on the Protection of Individuals with Regards to the Processing of Personal Data, and on the free movement of such data within the European Union. This legislation concerns the protection of personal information and how that information is stored, used, and processed. Go to http://europa.eu.int/comm/internal_market/privacy/law_en.htm.
The Personal Information Protection and Electronic Documents Act (PIPEDA) covers the collection, use, and disclosure of personal information on Canadian citizens. Further details on this legislation are available at http://www.privcom.gc.ca/.
Information security has become a major concern of governments and citizens, and legislation is being enacted throughout the world. The six pieces of legislation listed previously only cover a small portion of the wide-ranging information security laws and regulations that apply to business today. Contact your legal department for further clarification on what legislation applies to your company and industry based on your operating regions, what type of information and services you provide, and other factors. The legal department should also be able to define the potential penalties accrued when a company is not in compliance with these regulations. The security controls required by governmental and industrial regulations should be brought to management's attention immediately and enacted as soon as possible, as these represent the most immediate security fulfillment requirements.
Another area to consider when determining the return on security investment is the estimated losses from prestige or trust in the industry. If your company is a high profile or especially sensitive industry (financial, utility, and so on), the losses incurred by a publicized security incident could be far greater than the more obvious short-term losses on operations, recovery, and maintenance. You must also consider how it would affect future customers. This is particularly hard to determine because there are usually no definite future sales or revenue figures, so you must take average sales and consider what could potentially be lost due to lack of confidence in security. For instance, imagine if your company provides information systems services to a credit card processing facility and the company suffered a malicious event. How would future customers view your service offering and how much more difficult would it be for sales staff to close future deals? This is the most obscure portion to determine, but your best guess based on previous sales will have to suffice to give management a realistic expectation of the cost of loss of prestige and trust.
Now that you have gathered the appropriate information as outlined in the preceding sections, you need to show the return on investment. Most security practitioners consider information security in terms relative to insurance. Having a vigorous information security program affords an organization insurance against the outcome of poor security. Using all the information gathered, you can now determine the costs of an incident or potential incident and weigh that against the outcome of the possible scenarios.
One suggestion is to write a paper correlating all the information you gathered in conjunction with the risk assessment and provide management with an overview of the benefits of the security program. This should include the worst case scenarios along with the costs of those scenarios. Then provide a direct link to the planned and implemented security mechanisms and procedures to show how these things mitigate the threat, reduce its likelihood, or reduce its impact. Note that the cost of the countermeasures should not exceed the cost of the risk, as this is not in the best interests of the company. For instance, the countermeasure for an intruder coming onto the premises might be to hire roving security guards and erect a fence around the premises. This might be reasonable in some situations, but if the value of the assets and information protected does not warrant this level of protection, the business requirements for this solution are diminished. Gather your information and show how the costs of implementing countermeasures will provide real benefit to the company. This will show management how important security is to the overall business objectives.
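As an added example (not from the chapter), the following Python reproduces the ACME Sprockets daily-loss extrapolation and the patch-management comparison given earlier, and applies the rule just stated that a countermeasure should not cost more than the risk it addresses. The 8-hour working day, the incident counts, and the guards-and-fence figures are assumptions constructed for illustration.

```python
# Added example: a small return-on-security-investment (ROSI) model built on
# the figures the chapter gives. The 8-hour day, incident counts and the
# guards-and-fence numbers are constructed assumptions, not chapter figures.
from dataclasses import dataclass


def loss_per_day(loss_per_30_min: float, work_hours: float = 8.0) -> float:
    """Extrapolate a 30-minute outage cost to a full business day.

    An 8-hour day (assumed) contains 16 half-hour periods, so $10,000 per
    30 minutes becomes $160,000 per day, matching the ACME Sprockets figure.
    """
    periods = work_hours / 0.5
    return periods * loss_per_30_min


@dataclass(frozen=True)
class Countermeasure:
    name: str
    cost: float                       # cost of the countermeasure over the period
    loss_avoided_per_incident: float  # incident cost it prevents or reduces


@dataclass(frozen=True)
class Verdict:
    loss_avoided: float
    net_benefit: float
    rosi: float       # net benefit divided by countermeasure cost
    justified: bool   # False when the countermeasure costs more than the risk


def evaluate(cm: Countermeasure, incidents_per_period: float) -> Verdict:
    """Weigh countermeasure cost against the loss it avoids.

    incidents_per_period is the expected incident count over the same period
    the cost covers; the risk assessment has to supply that number.
    """
    if cm.cost <= 0:
        raise ValueError("countermeasure cost must be positive")
    avoided = cm.loss_avoided_per_incident * incidents_per_period
    net = avoided - cm.cost
    return Verdict(avoided, net, net / cm.cost, net > 0)


ACME_DAILY_LOSS = loss_per_day(10_000)  # 160000.0

# Chapter figures: a $1,000 patch management system saving $5,600 per incident.
PATCH_MGMT = Countermeasure("patch management", cost=1_000,
                            loss_avoided_per_incident=5_600)
# Constructed: guards and a fence protecting assets worth less than they cost.
GUARDS_AND_FENCE = Countermeasure("roving guards and fence", cost=120_000,
                                  loss_avoided_per_incident=40_000)

if __name__ == "__main__":
    print(f"ACME daily loss: ${ACME_DAILY_LOSS:,.0f}")
    for cm, incidents in ((PATCH_MGMT, 1), (GUARDS_AND_FENCE, 1)):
        v = evaluate(cm, incidents)
        print(f"{cm.name}: avoided ${v.loss_avoided:,.0f}, net ${v.net_benefit:,.0f}, "
              f"ROSI {v.rosi:.0%}, justified={v.justified}")
```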
In some instances, management may want the input or guidance of an outside, independent source to provide validation for your recommendations. This is a prudent step and having the information available to management allows them to make a more informed choice and provides legitimacy to your recommendations.
Statistics are a great way to enhance your security expenditure and policy requests. There are many security statistics available online, as well as sites that provide industry research at a reasonable cost. Providing a hard-hitting statistic that shows management what others in the industry are saying or experiencing can sometimes be the determining factor between project approval and rejection. Use the experiences of others and the statistics they provide as an attention-grabbing point in your research to prevent your company from becoming one of those statistics.
Statistics on security that will assist you in your security goals can be found in several places. You can also use statistics based on your own experiences, such as firewall logs, security incidents per quarter, or other pertinent facts as these statistics can have more impact than general reference ones. A few of the more popular sites for security statistics are
CSO Magazine (http://www.csoonline.com/)
ISSA Journal (http://www.issa.org/)
Linux Weekly News (http://lwn.net/security)
Linux Today (http://linuxtoday.com/security/)
Vendor web sites
General use search engines such as http://www.google.com/ can provide the most up-to-date or relevant statistics.
An uninvolved third party can provide insight from a viewpoint that you may not have previously had. They can also back up your recommendations if they are based on sound research and foresight. If you are not a security professional or if you don't have a security background, this is the favored course of action. A consultant is usually versed in management and business practices, and can articulate your recommendations in a way that conveys the urgency and need for a vigorous security program. This is not to say that a consultant is going to come to your business and rubber-stamp your proposal without providing feedback or new recommendations if yours need enhancing. A good consultant will take your research and recommendations and weigh them against industry best practices or prevalent levels of security. Most consultants will also conduct some form of audit to determine the current security posture and what level of security management desires. Having the research discussed earlier in this chapter available to the consultant will allow them to create recommendations in a timely manner, with the least disruption to staff.
Locating a good consultant can be difficult. A good place to start is by contacting your local Information Systems Security Association (http://www.issa.org/) or Information Systems Audit and Control Association (http://www.isaca.org/) and talking to chapter representatives. They will usually be able to provide some references and contact information for local security consultants. When interviewing security consultants, ask what types of certifications they hold, their level of education, how long they have been doing security consulting, for references from the last few customers they had, and whether they have experience in your organization's field of business. A good consultant will be happy to provide this information, and by doing your homework on your prospective consultant, you will ensure that your company gets sound, unbiased advice.
After contracting a consultant, you should start by telling them what your objectives are and provide them with access to the information required to effectively do their job. A consultant who doesn't have enough access to resources and information will prove to be useless to your company and can actually lead to results that are detrimental. Consultants are sometimes seen as the untrustworthy outsider or competitor by many in the information technology field, so you may need to assist the consultant in their fact-finding duties.
A consultant who understands your business and needs can prove invaluable to your company's security goals and often provides the final catalyst needed to implement security mechanisms and policies.
A great place to reference your current security posture against a worldwide reference is ISO 17799 (BS 7799-2), Code of Practice for Information Security Management. This standard provides a framework that is beginning to be accepted worldwide as an information security standard. There are other industry standards available online, but ISO 17799 is rapidly becoming the de facto guideline for creating a security program that will meet the needs of most organizations. Referencing the ISO standard and using it as a guideline for your program will show management that you are utilizing tools that are in use worldwide and widely accepted as best practice in the information security industry. The ISO standards do cost money to obtain (around $250) and can be ordered at BSI Americas (http://www.bsiamericas.com/InformationSecurity/). There are other guidelines in use worldwide, even industry-specific guidelines, so you must do your research to determine what the best documentation for you will be. Some of the other guidelines for a security program or audit of a security program are
Generally Accepted System Security Principles (GASSP), available at http://web.mit.edu/security/www/gassp1.html.
Generally Accepted Information Security Principles (GAISP). This is a project to rework the GASSP and move it forward. It is still a work in progress, but information about it can be found at http://www.issa.org/gaisp/.
Commonly Accepted Security Practices and Recommendations (CASPR), available at http://www.caspr.org/ (currently inactive).
Control Objectives for Information and Technology (COBIT), available at http://www.isaca.org/cobit.htm.
Common Criteria, available at http://csrc.nist.gov/cc/.
This is possibly the most crucial step to gaining management support for your security program. Management must perceive some ownership in the overall security plan. This sense of ownership will ensure that they fully support your process and influence their management and staff to support your security initiatives. The first step was to show the need for the security program through the use of costs versus return on investment. The next step is to involve management in the creation and formulation of the security plan through education. The more informed your management is, the better equipped they are to support your programs to their management. Provide timely newsletters and news segments targeted at a management audience to show how important security is to the overall security architecture. There are many magazines (online and hard copy) and newsletters in print today, targeted at the management audience. Some of these magazines are
Corporate Security (http://www.straffordpub.com/products/csn/)
CSO Magazine (http://www.csoonline.com/)
ISSA Journal (http://www.issa.org/)
Network World Fusion (http://www.nwfusion.com/)
SC Magazine (http://www.scmagazine.com/)
When determining what your security program should entail, seek management's guidance on what solutions will be the least disruptive to the organization as a whole. Management can provide invaluable insight on the interdependencies and social relationships between business segments that you may not have been aware of. These relationships can prove beneficial when seeking to influence change across business units.
With the introduction of information security legislation on the rise worldwide, management in most companies is beginning to understand that security is not just a cost of doing business, but a requirement of doing business. Your job is to show that your security solutions can provide maximum benefit at a reasonable cost. By involving management in all aspects of your security program and showing why security is crucial to business operations, you will obtain the budget resources and management support you need to be successful.