The New Return on Integrity (ROI) Calculation for Desktop and Network Applications Security
by Richard April
Technology professionals are comfortable in a neat, logical binary world. A career in which everything in its simplest form can be defined by either a one or a zero has naturally fostered a black-and-white way of looking at all things technological: circuits are on or off, networks are up or down, application benefits are quantifiable or of little use. On the whole, we're good at making sure we examine the return on investment associated with solutions that let us do new things. Of late, however, it is becoming more and more apparent that some of us, at least, are very uncomfortable calculating the benefits of solutions that don't let things happen. How do we put a number on that?
In fairness, further discomfort stems from a bifurcated set of management objectives for technological investment. Senior business managers favor solutions that advance the company's strategic position and market advantage. IT professionals favor productivity enhancements: things like scalability, reliability, reach and speed, which, come to think of it, are things we can measure. But when it comes to investments in computing security infrastructure, these two camps each ask a set of specific, familiar -- but different -- questions: "Will this advance my company's position in the marketplace?" asks the senior executive. "Will this deliver improved productivity?" asks the IT executive. The simple answers are "Probably not," and "No." Not in a routine, predictable, measurable way, at least.
Obviously, IT specialists have a better intuitive and real sense of the value that computing security delivers. Many have had real-life experiences dealing with a variety of threats that have crippled desktops, compromised networks, and generated a 100% decline in all employee productivity for hours, sometimes days. Some have endured the even greater nightmare of having their systems breached and files of sensitive, private or proprietary information removed wholesale. Yet with narrowing IT budgets, mounting competitive pressures, productivity demands for ever-more economies of scale, and a set of new mainstream technology solutions of unquestionable value, are security solutions being delayed, deferred, discounted, or derailed because they don't fit neatly into an ROI formula? Absolutely. At what cost? That's the question.
In a late-spring interview this year from Orlando, Intel CIO John Johnson, asked by Computerworld about the common emphasis on return on investment (ROI), said, "Leadership matters. If you approach this technology purely from an ROI perspective, you'll be late." To be clear, he was referencing various attempts to value Intel's $25 million initiative to increase the mobility of information professionals. But his words have a measure of value when applied to the even murkier formulations facing IT executives attempting to perform the expected ROI calculations for security investments.
Asked if sometimes his decisions had to rely on an intuitive instinct versus a mathematical formula, Johnson said, "It's not always easy to predict how you would even do an ROI analysis. You could spend a year figuring out ROI, and then you might have wasted a year. You do need to figure out what the business value proposition is."
The Value Proposition?
The use of the term value proposition by an industry-leading CIO is a very important event that should not be overlooked. That's because it's a phrase that reconciles the differing objectives within a single company, with its dual but competing expectations for technological investment. It perhaps creates a third category in which the separate objectives of management and IT can meet in the middle. Here, via a new math that might include the value proposition, the separate objectives find an overlap or a new alignment. When it comes to investments that can't be weighed, measured, and otherwise mathematically manipulated to meet the traditional ROI evaluation through which all standard solutions of known value must pass, the value proposition may lead the way.
What exactly is a value proposition? Wikipedia explains that a value proposition should answer the questions, "Why should I buy this product or service?" as well as "Why should I do anything at all?" It is a clear and specific statement about the tangible benefits of an offering. But a subsequent, somewhat embellished explanation seems even more appropriate to this discussion: At the end of the day, the real foundation of developing a unique value proposition rests on identifying and understanding what an individual or group values, which can be either stated or implied. For example, business executives can talk about integrity, honesty, and corporate governance all they want, but if their actions conflict with their rhetoric, we should look to what they actually do as a true representation of their values.
The New ROI: The Return on Integrity Formula
The value proposition approach to justifying the expense of network and desktop security measures is of great appeal and utility because non-IT senior executives must make decisions on this basis routinely. They make this decision when they decide to keep their buildings clean; when they elect to add after-hours physical security for their employees returning to parked cars. In fact, they perform this calculation for just about every expense item, from the level of their professional accounting standards and services to the exacting use of their corporate logo and colors. The basic question: Is it worth it; does it matter; do these actions reflect our corporate values and demonstrate our integrity in the marketplace?
In many cases, ordinary, recurring operating expense decisions involve gut decisions made intuitively. It's that way when it comes to data security in some organizations, too. But not all. As you know only too well, the average senior executive doesn't accept "Trust me. This is the right thing to do," as the chief reason for championing yet another IT expense item. That will never work. But what will work, I submit here, is a hybrid formulation called Return on Integrity that mixes a blend of real numbers with potential numbers (should disaster strike) and a serving of sensible analysis of the company's own character. After all, integrity is not only about a person's or corporation's character, but also about the reliability and safety of any structure or process. Therefore, whether or not an organization has sensible computing security solutions in place speaks directly to both the company's integrity and the integrity of its computing platforms. They are intertwined, in fact, as you will see in a moment. But for now, in short, the argument here proposes a way to talk about security using traditional mathematical analysis tools as well as intuitive calculations that in the aggregate make more sense than either approach alone.
Therefore, part one of the new math is easy. Management simply needs to decide that a data/network breach would be a bad thing. If your management thinks anything from a little to a lot of insecurity is irrelevant, no amount of math is going to make any difference. But if that's their view, invite them to read about the devastating results of numerous incidents reported in just one week in June of this year.
How Do You Value the Integrity of These Institutions?
On June 7th, The North Jersey Media Group reported that New Jersey state law enforcement authorities were investigating the disappearance of lists containing personal information from a testing site of some 1,200 applicants for state and local law enforcement positions.
On June 9, Government Computer News reported, "the NASA inspector general has found that one of the space agency's centers has not put in place sufficient IT security to protect data and systems from possible compromise." On that same day, CNET News reported, "Add the U.S. Department of Energy to the list of federal agencies beset by theft of their employees' personal data in recent months. Officials appearing before Congress on Friday went public for the first time about a hacking incident from last September that resulted in the theft of names, birth dates and Social Security numbers of 1,500 people working for its nuclear security division."
Again on June 9, responding to a massive theft in May of the personal data of as many as 26.5 million veterans, Veterans Affairs Secretary Jim Nicholson said, "[We] remain hopeful that this was a common, random theft and that no use will be made of this data. However, we certainly cannot count on that."
From the Associated Press from Athens, Ohio, on June 10 came this news: Ohio University has suffered two additional electronic security breaches in which hackers got access to private information from the school's computer system. The FBI already was investigating three data thefts involving research and patents and private information on students and alumni, including social security numbers.
Isolated cases? Rare events? Hardly. That was just a few days' worth of top news in the network and desktop world of insecurity. These alone affected state agencies, federal institutions, and an established academic institution. Examining the record for the whole year will reveal compromises at brand-name financial institutions, hotels and resorts, transportation companies, health care providers: well, organizations of every size and stripe virtually worldwide. Further evidence that it is not a rare event comes from NTA Monitor, Europe's leading Internet security specialist. Its 2006 Annual Security Report notes that 61% of companies tested have one or more high-risk vulnerabilities in their Internet connections. Another data point: go to Google News, type in "data security," and in 0.69 seconds the search engine will give you 30,900 reports.
For management executives lulled into complacency by the illusion that none of this can happen to them, this recounting has to have a sobering effect. IT professionals facing the annual dilemma of taking security off their shopping list so that productivity enhancers can be bought already know how these incidents can affect productivity. But if the standard ROI formula is going to be imposed, it's no use. The new math involving the Return on Integrity, however, may work. Here's why.
Veterans are suing the VA. Analyst reports this year show that online consumers of financial services will not bank with institutions believed to be lax in their security measures. Consumers of health care services have more or less single-handedly driven the formation of file transfer compliance rules at the federal level to safeguard their personal medical records. Today, an investment in security measures may in fact be a competitive advantage for companies that see the value of data integrity and their reputation in a market where rivals may be slow to take up the cause. But rather than attempting to force fit the various solutions into an ROI formula, the Return on Integrity math relies more heavily on a risk assessment versus a reward incentive. What is risk assessment?
In a recent Network Computing viewpoint by Chad Korosec, who is a senior information security engineer/scientist with MITRE Corp., this overview of risk assessment on the part of IT professionals is offered: "Risk assessment, which we define as the process of identifying factors that can negatively influence operations and an executive's ability to make informed choices, has been around for years as a means of gauging the status of a company's assets versus potential risks. Like most activities in business, it focuses primarily on the bottom line. An infosec professional's role in risk assessment is to determine the cost to the organization if particular vulnerabilities are exploited." Worth reading in its entirety, Korosec's article says risk assessment should be a never-ending process. And while his focus is on IT professionals like him, his words apply equally to senior business managers who share the same hopeful attitude about security.
All too often, IT pros who should know better function in an "It won't happen to us" mindset. When "it" does happen, we're caught off guard. There's a reason police officers take target practice, even though they may never draw their weapons. Wait until a crisis hits to plan, and your ability to react effectively will be impaired. Look at the daily news reports about organizations experiencing loss due to attacks against systems with known vulnerabilities--even a half-hearted risk-management effort would have caught these basic vulnerabilities.
The Next Calculation: How Far, How Fast, on How Little
Some senior executives and even some within the IT professional community seem to think security solutions carry a heavy price. Some do for some threats. There's no question that if you set out to create the perfect set of security solutions to protect everything from the perimeter in to every desktop 24x7 - a goal that unfortunately is not possible yet because people take their laptops home and bad things happen outside the control of the company - the costs would be very high. But often overlooked are the many routinely available, proven and low-cost solutions that fill a huge hole in the security need.
In a way, for this exercise, we're doing what professional mathematicians and engineers do when certain problems are just too big. They break the big problem into small problems to solve first, after which the bigger issue can be resolved. For example, I would submit that there are a couple of areas where small changes can make an instantaneous difference to the typical risk assessment. As everyone knows, email, file transfer, instant messaging and a handful of other prevalent computing routines are the source of most security threats to a system. It stands to reason that data in transit, out and over the Internet and back represents a wonderful opportunity for intruders and abusers to attack.
Secure file transfer products, built to industry standards, have been available for twenty years. They're getting better and better as more and more vendors build in more and more security features. E-mail is another honey pot for people with malicious intent. Spam, spyware, bots, worms, Trojans--all sorts of security vulnerabilities often latch on to e-mail for a free ride into a corporation's data treasuries. But again, e-mail products with proven encryption and decryption capabilities exist from multiple sources. Often the encryption technology comes from a best-of-breed provider with a long history of thwarting threats. And the cost difference between an ordinary wide-open, unprotected e-mail service and one that includes a security implementation as well is incremental. Conquer file transfer vulnerabilities and e-mail security flaws - and instant messaging too in some cases - and for minimal added expense a huge range of the most likely sources of problems has been eliminated.
One Last Encouragement and It's Based on Numbers Most Important to You
In the last two years especially, survey after survey tracking the essential elements of a successful IT career in business has come to the same common conclusion: for IT people to expect a place among the ranks of senior corporate executives and at the table in the boardroom, we all have to think, act and talk more like business strategists than technology advocates alone. These surveys cite example after example of IT professionals who have mastered the art of converting arcane technology developments into a presentation of relevant business benefits associated with the various implementation options. Senior corporate executives probably cannot be expected to understand exactly how a bot transits a browser to lie in wait or how many Cray computers over how many years it would take to decode today's advanced encryption solutions. They're likely not interested in the standard definition of file transfer protocol.
Obviously, in some cases, this transition from features to benefits for a business-minded audience is easy. After all, who doesn't understand the benefit of collaboration solutions? These products let people do new things. Advanced network management products bring new capabilities that optimize network efficiency and reliability. But when it comes to security, we all have to acknowledge that the conversion to hard and fast business benefits is more difficult. Security doesn't necessarily let anyone do anything more, new or different: it just prevents something old and bad that might occur from actually happening.
Think about it. Your organization can have the best and the latest of everything that brings new computing capabilities to the workplace, but if all of it is brought to its knees by malicious code, none of what you own is worth anything. The biggest Return on Investment that security solutions may deliver to your organization may lie in the ability of these add-ons to protect the Return on Investment of everything else in your IT infrastructure. If you weren't an IT professional, but instead the CEO of an important business, wouldn't you want your IT specialists bringing this message to you loud and clear? Of course you would, because in the end, it's simply a matter of Integrity.
What is the ROI of a College Education, Marriage, Children?
IT procurements continue to be held to a Return on Investment standard that we're seeing in some instances is a poor indicator of real predictive value. Yet, at the same time, all of us in any corporate setting see investments being made in unrelated areas outside the IT arena that, like security, can't pass the traditional ROI test either. Can a hard number be put on the ROI of more modern workspaces, of keyless entry systems, of ergonomic seating for example? Speaking strictly to the traditional definition of ROI, the answer is no. And yet, few people question the general sensibility of betterments in these and other corporate categories. That sort of thinking - along with a set of numbers we're best able to calculate - needs to come to the security question because as in real life, as in real business, it's how some of the most important and best decisions are made.
What, for example, is the ROI of getting a college education? There's no question that a set of numbers can be contrived showing how college-educated men and women earn more absolute dollars over the course of a professional career. But is this the primary, principal, long-term reason why people seek a higher education? Put another way, if the numbers showed that people could make more by avoiding the university and becoming stone masons, how many of us would forego college on the basis of that ROI? Similarly, endless surveys over long periods of time prove that married couples with children live longer, happier, healthier lives. The classic ROI formula can be processed with these facts. But is that really why anyone marries and has children?
When it comes to corporate computing security a tremendous range of numbers can be brought to the table: the cost of replacement systems for desktops and laptops rendered permanently inoperable by malicious code; the cost of a 100% work stoppage for consecutive days while a network infestation is cleaned. But of course these numbers can't be plugged into the traditional ROI formula because there's one mathematical expression that won't compute even with all this data.
That expression is: the cost of these solutions times the number of devastating incidents with which we may be threatened.
But just because there can be no certainty that any organization will fall victim to a viral intrusion, for example, doesn't mean security investments deserve a wholesale rejection on this basis. That's because, like other major decisions in life and in business, there's a set of softer numbers and more intuitive realities: what's the cost to a business's competitive position and market reputation should the theft of proprietary data files under the company's care and stewardship be reported on the front page of The Wall Street Journal? Does it matter that this may never occur? And, by the way, if we reflect upon the rate at which news about major data breaches is being reported today, the chances that someone will try to cross your network perimeter and corrupt or steal your data are nearing 100%.
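The risk-assessment passage above ("determine the cost to the organization if particular vulnerabilities are exploited") and the "expression that won't compute" can be given a concrete shape without pretending to know the incident count. The following is an added worked example, not code from the article or from Ipswitch: it takes the hard per-incident costs the text names (replacement hardware, days of total work stoppage), folds softer costs in as just another loss scenario, and instead of multiplying by an unknowable number of incidents it solves for the break-even frequency at which a control pays for itself. All names, dollar figures, mitigation fractions and frequencies are constructed placeholders.

```python
"""
Break-even risk assessment for a proposed security control.

Constructed example. Rather than asking "how many incidents will we have?"
(the number nobody can supply), it asks "above what incident rate does this
control pay for itself?", which is a question management can answer with
judgment, not certainty.
"""
from dataclasses import dataclass, field


@dataclass
class Scenario:
    """One loss event the control is meant to reduce."""
    name: str
    # Single-loss expectancy: estimated cost of one occurrence (hard costs
    # such as replaced machines and stopped work; softer costs such as
    # reputational damage can be added as their own Scenario).
    single_loss: float
    # Fraction of that loss the control is expected to prevent (0.0 to 1.0).
    mitigation: float


@dataclass
class Control:
    """A proposed countermeasure with its yearly cost and covered scenarios."""
    name: str
    annual_cost: float
    scenarios: list = field(default_factory=list)


def prevented_loss_per_incident(control: Control) -> float:
    """Loss avoided each time a covered incident occurs, summed over scenarios."""
    return sum(s.single_loss * s.mitigation for s in control.scenarios)


def break_even_frequency(control: Control) -> float:
    """Incidents per year at which avoided loss equals the control's cost."""
    prevented = prevented_loss_per_incident(control)
    if prevented <= 0:
        return float("inf")  # control prevents nothing: never pays off
    return control.annual_cost / prevented


def net_benefit(control: Control, incidents_per_year: float) -> float:
    """Avoided loss minus control cost for an assumed incident frequency."""
    return prevented_loss_per_incident(control) * incidents_per_year - control.annual_cost


def assess(control: Control, frequencies) -> list:
    """Net benefit of the control across a range of assumed frequencies."""
    return [(f, net_benefit(control, f)) for f in frequencies]


# Constructed sample: a mid-sized firm of 200 staff costed at $400/day each.
# Malware outbreak via e-mail: 3 days of 100% work stoppage plus 20 replaced
# machines at $1,500; assumed 70% preventable by scanning and encryption.
OUTBREAK = Scenario("malware outbreak via e-mail", 200 * 400 * 3 + 20 * 1500, 0.7)
# Sensitive file intercepted in transit: notification, legal and remediation
# costs (constructed), assumed 90% preventable by managed secure file transfer.
INTERCEPT = Scenario("data file stolen in transit", 150_000, 0.9)
# Hypothetical control: secure e-mail plus secure file transfer, $40,000/year.
SAMPLE_CONTROL = Control("secure e-mail + secure file transfer", 40_000,
                         [OUTBREAK, INTERCEPT])


def main() -> None:
    ctrl = SAMPLE_CONTROL
    print(f"Control: {ctrl.name} (${ctrl.annual_cost:,.0f}/year)")
    print(f"Loss avoided per incident: ${prevented_loss_per_incident(ctrl):,.0f}")
    be = break_even_frequency(ctrl)
    print(f"Break-even: {be:.3f} incidents/year (one every {1 / be:.1f} years)")
    for f, net in assess(ctrl, [0.05, 0.1, 0.25, 0.5, 1.0]):
        verdict = "pays off" if net > 0 else "does not pay off"
        print(f"  at {f:.2f}/year: net ${net:>12,.0f}  ({verdict})")


if __name__ == "__main__":
    main()
```

The useful output is the break-even line: with these constructed figures the control pays for itself if a covered incident is expected more often than roughly once every eight years. That turns the unknowable incident count into a single judgment call, "do we believe our exposure is higher than that?", which is the kind of question the article argues senior managers already answer for physical security and other non-ROI expenses.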
Nowhere is a corporation's integrity more at risk than in its stated or implied compact with its customers and employees to preserve and protect people's privacy; to safeguard identities; and to honor the expectations of all of a corporation's various audiences, including investors, to remain available and operational. Sure, a corporation theoretically could exist for years upon years without a security incident. It is possible no employee's desktop would be corrupted or breached; that nothing sinister would enter the network perimeter from the outside world. But what is the cost to a corporation's integrity - its value in the eyes of people - if and when any of these events happen? And, as you know, they do happen, with increasing frequency.
About the Author
Richard April, Vice President of Marketing, joined Ipswitch in 2006 and brings nearly 20 years of experience in the security, software, networking hardware and computer industries. April is a driving force in all of Ipswitch's global marketing programs and leads innovative initiatives in channel, Internet, marketing communications, market research and product marketing. April brings extensive experience in start-ups, with a proven track record of successfully launching products and developing marketing programs that lead to significant increases in corporate growth and profitability.
Ipswitch, Inc. develops and markets software that works for small and mid-sized businesses worldwide. More than 100 million people use Ipswitch software every day to collaborate via Ipswitch Collaboration Suite, monitor their networks with Ipswitch WhatsUp®, and transfer files over the Internet using the market leading Ipswitch WS_FTP® Professional client and Ipswitch WS_FTP Server.