Home » Security Leadership » Metrics/Budgets

Security and Business: Financial Basics

You need to find and use the right financial metrics to communicate security's value to your company. Here are pros and cons of four: TCO, ROI, EVA and ALE.

June 23, 2008 — Financial metrics have bedeviled CSOs from the start. How do you justify spending on something that isn't designed to increase the bottom line? The fear factor exists, and yet explaining why bulletproof glass is worth more than Plexiglas still requires numbers. With a recession hovering over the United States like some black helicopter, there will be still more pressure to measure what security spending brings to a company. One big challenge is that the data rarely is simple to pull together. And even though there are now tools like Agiliance, which makes an ROI calculator for information security expenditures, the devil is still in the data.

Here are four well-known metrics and measurement components that, if used properly, can help put the impact of security spending in the financial perspective companies need.

ROI (Return on Investment)
It's a classic business expectation that if you invest money in something, you can measure the return on your investment by its impact on the bottom line. But understanding the value of security spending presents challenges, since the tension that exists in most branches of IT is that investment does not usually lead directly to profits.
For security spending, the problem is bigger: If investing in security works, nothing happens. But what if nothing would have happened anyway?

"[The trouble with] trying to calculate ROI on security tools is that they destroy the proof of their effectiveness simply by doing their job," says Ross Leo, CEO of Alliance Group Research, a security consultancy.

So ROI has become a somewhat loose measure of how long it will take to recoup the cost of investing in security. It is not a perfect measure, which may be why its usage appears to be dropping.

Some 42 percent of organizations polled in the 2007 Computer Security Institute Computer Crime and Security Survey said they used ROI to measure their information security investments. That was up from 39 percent the year before, but well below the 55 percent who reported using it in 2004. Other common measures: 21 percent of respondents said they used internal rate of return measures, and 19 percent used net present value.

ROI can be straightforward for some aspects of physical security. Craig Chambers, CEO of Cernium, which makes software that analyzes videotape, says at a minimum, his firm's tools mean companies can hire fewer security guards, creating obvious savings on salary and benefits.

But it's rarely so straightforward to calculate savings. Some of the problems with using ROI:
Strict adherence to ROI may cause companies to pick the wrong technology to save money. For instance, a firm might find that inexpensive surveillance cameras are not as effective as ones that include built-in analytical tools, but a strict focus on ROI will seem to show a better payback for an inferior product, says Steve Hunt, a security consultant in Evanston, Ill.