Business Matters: Climbing Toward Security Enlightenment

May 6, 2006

Steve Hunt

Anybody who has ever attempted to calculate a return on investment (ROI) for a security project has faced the bitter truth – everyone outside the security industry thinks what you do is an annoying layer of cost and inconvenience. You say you are the director of security, and they hear that you are the director of annoying layers of cost and inconvenience.

That’s when you reach in your toolbox and pull out the ol’ ROI calculator. Surely, you think to yourself, if I can show that the company is better off with this new IP video initiative, then the executives will enthusiastically support it.

The trouble with ROI, of course, is that it only measures some of the benefits for the money you are spending. It does not prove that the money was spent wisely in the first place.

Actually, an ROI is a measure of the difference between the cost and the benefit. If I’m spending $2000 a month on alarm monitoring, and replace it with a service that costs $1500 per month, I’ll achieve a $500 return on investment. Sounds straightforward, right? It’s also misleading and probably completely inaccurate.

From the point of view of the business executives, alarm monitoring is supposed to quickly alert key individuals of important threats. The cheaper service may have a lower response time, or some other service deficiency. So the factor your earlier ROI left out was how close you’d get to achieving the goals of the business by making the investment. After all, the point of any security initiative is to achieve some valuable goal, not merely to save money.

Three paths to Nirvana

I like to think there are three levels or “flavors” of ROI. The lowest type is “necessary evil,” the calculation that something you simply can’t live without is cheaper than an alternative.

For example, let’s say you can show that over two years, the IP cameras will cost less to install and maintain than you are spending on the existing system. You’ve just shown that one necessary evil is cheaper than another. This simplistic formula is often referred to as total cost of ownership, or TCO.

Sojourning further up the road on the mountain of security enlightenment will lead you to the “insurance policy” ROI. It proves that spending a little money now may help you avoid spending a lot more money at some unknown future date. For example, you argue that the distributed IP cameras will help avoid a lawsuit when someone falsely claims a workplace injury.

But the wise security director will calculate the “business enabler” ROI. Instead of merely measuring costs incurred or avoided, try to figure what the company is able to do after deploying the project that it could not attain previously.

The methodology I prefer is Forrester Research’s Total Economic Impact™. It factors four components to evaluate value: benefits, costs, risks, and flexibility.

Think in terms of asset protection. The measures you are putting in place will avoid loss, misuse or degradation of assets like public safety or a facility, or in the case of information technology, data, network integrity, or customer goodwill. First estimate the cost of replacing or repairing the asset (potential loss) by the probability of the event occurring (exposure). Then, assess the immediate and near-term benefits of reducing the potential exposure while at the same time increasing functionality, capabilities and scalability to adapt to changing business needs.

For example, even though the IP cameras are deployed primarily for security, safety and loss prevention, certain images can be forwarded to the marketing department, or the dean of students, or the sales team. Remember that other groups in your organization can enjoy “flexibility” of recording consumer activity in the aisles, or student attendance in the lecture hall, or virtual tours of that property you are trying to lease in Topeka.

I suppose the best ROI presentation is one that shows benefits at all of these levels, each one building on and adding value to the previous. In the end, you’ll walk out of the meeting not only justifying the project, but feeling the peace and satisfaction of justifying your role in the company as business value “guru.”

Steve Hunt is CEO of Hunt Business Intelligence, an industry analysis and advisory firm. He also authors the popular Blog securitydreamer.com.

With the advent of Internet of Things (IoT) technology and Industrial Internet of Things (IIoT), the cyber security practices are increasingly getting integrated with the physical security practices.

We will provide insight on NDAA Section 889 and how the act has evolved and impacted business, so that organizations can better mitigate risk and stay compliant.