Security ROI

Security Done Well, The Ultimate ROI

To accept anything I’m going to say in this post, we need to agree on the definition of ‘investment’. The OED has three definitions:

  1. The action or process of investing money for profit;
  2. A thing that is worth buying because it may be profitable or useful in the future; and
  3. An act of devoting time, effort, or energy to a particular undertaking with the expectation of a worthwhile result.

For the purposes of this blog, I’m taking the word ‘useful’ in definition 2 and the entirety of definition 3. I’m not so biased toward my chosen profession that I believe spending money on security will actually make you money, but I do believe that any effort to stay competitive in this day and age requires the current perception of security to be completely overhauled.

In my career I have compared security to insurance, the law, and to chewing tinfoil; you only do it because you have to, it’s too complicated, and it’s very irritating, respectively. It’s no wonder that it gets the short shrift that it does, especially when one or all of these comparisons come from the CEO him/herself.

If you can also accept that not LOSING money is an ROI, then we can begin.

I was recently told that unless we security experts can put security into terms the business side of an organisation can understand, we’re wasting our time. I thought I had done that my whole career, but I missed the trick of putting security into a financial CONTROL perspective, mostly because finance is not my background. So thank you Jeff Hall for that.

These are my Top 5 reasons that security provides an ROI well above that of almost all other individual departments, including sales:

  1. Competitive Advantage
    I have touched upon this in several blogs, but the basic premise is that in the information age, the majority of businesses are almost entirely based on the manipulation of some form of data. Data in context is information, information in context is knowledge, knowledge applied correctly is wisdom, and so on. It follows therefore that the age-old concept of Confidentiality, Integrity, and Availability (C.I.A.) very much applies. So if your data is the foundation of all of your business’s services, why is it not treated accordingly?
  2. Business Transformation
    This is similar to Competitive Advantage, but different enough to warrant its own section. Again, seeing as data is central to all things, the ability of an organisation to order, compile and retrieve its accurate data faster gives it the ability to adjust its processes in the face of customer needs or competitive threat. If you don’t know what you have, or in detail how you do what you do WITH what you have, you cannot make change fast enough. Competitive advantages in the Information Age last weeks or months; you simply don’t have years to catch up.
  3. Financial Control
    All finance these days is just data in context, and while security will never be able to provide that context, controlling access TO, and the integrity OF, the data can provide a much-welcomed check and balance for the control of an organisation’s financial data assets. Regulations like SOX have security as part of their requirements, but they go nowhere near far enough to provide much benefit. A security program done well would cover this and a whole lot more.
  4. Avoidance of Fines / Loss of Reputation
    Globally, more and more regulations are in the works that can have significant negative monetary implications. PCI is probably the best known, but the Information Commissioner’s Office (ICO) here in the UK can fine up to £500K per event for the loss of personal data. The EU General Data Protection Regulation (GDPR) can impose fines of up to 2% of GLOBAL revenue for a similar loss. These fines are monetary, but the loss of reputation can potentially be far worse.
  5. Cheaper IT Infrastructure and Maintenance
    This may seem strange, even counterintuitive, but you only get real security when all the processes are simple, and you can only achieve simple if everything you have is a known-good, or baseline. These baselines are hard to achieve and can be expensive in the short term, but the long-term costs are significantly lower than either constantly working with too much (technology, data, people etc.), or fixing what’s broken because you couldn’t detect a problem in time to prevent it from becoming a disaster.

Security is simple, and done well it provides benefits way beyond what most business people can possibly envision, but ignorance of this has always been, and will always be, the CEO’s fault:

“Let’s be very clear; the CEO sets the tone for the entire company: its vision, its values, its direction, and its priorities. If the organisation fails to achieve [enter goal here], it’s the CEO’s fault, and no-one else’s.”

Just ask Target’s or Equifax’s outgoing CEOs whether they wish they had paid more attention to security.

If you think I'm wrong, please tell me why!