
There is no ROI for security. It’s like military spending!

15th August, 2016

When asked during interviews what keeps them awake at night, most CIOs and CTOs blurt out one word: security.

In most surveys conducted with CIOs, you will find security as one of the top priorities for IT management. The significance of security and its impact on businesses cannot be overemphasized. As the convergence between our virtual and the physical world deepens, the cyber vulnerability of businesses and governments also increases manifold.

Let us look at some data. There were 781 security breaches in 2015, and on average 216K records were exposed per breach. To take just one sector, 3,961 of 6,799 banks worldwide experienced physical crime in 2014.[1]

Clearly, it is a precarious scenario. And CIOs, more than anyone else, know that cyber security is critical for preventing security breaches.

Yet, if a CIO has to show adequate returns on investment (ROI) for security investment, he would be hard pressed to do so. It is true that businesses look for ROI whenever they make any investments. It is also true that one can invest in almost any IT solution (for example, email, ERP, HR, etc.) and calculate an ROI based on the direct benefits that solution brings to the organization’s bottom-line.

The challenge with security investment is that there is no formula for it: no matter how big the investment, the organization will never be 100 percent secure, and that is not what businesses want to hear.

Investing in security is like investing in the military

So, what should a CIO tell his board when it comes to justifying ROI for security?

Investing in security is like investing in the military. That is what he or she should tell the board. The reason is that security is not an investment for profit but for loss prevention.

Every country assigns a decent budget to its armed forces—the objective is not to wage an unprovoked war but to safeguard its assets and borders. At the least, the country is ready to defend itself if there are any security breaches at its borders.

Just as low crime does not mean no crime, no breach does not mean there is no threat. Threats are constantly lurking, ever ready to invade your IT systems.

So, what is the right amount an organization should invest in protecting information? Indeed, there is no magic formula to arrive at a magic number. Organizations must invest whatever it takes to keep their IT security systems robust, so that they are prepared for any eventuality. Those who are not prepared for such eventualities pay a heavy price.[2]

On almost a daily basis now, we hear of an organization being hacked. We often hear that a telecommunications company has had its customer data stolen, or that a retail chain has been ripped for all of its customers’ credit card data. Recently, there were reports of breaches at LinkedIn, Adobe and Ashley Madison, where scores of member profiles became public. Cyber criminals had uploaded a database of over 100 million LinkedIn email addresses and hashed passwords online.[3]

In Asia, security breaches are occurring with alarming frequency. For example, early this year cybercriminals hacked into the SWIFT financial transaction network and stole money from the Bangladesh Reserve Bank as well as from another Asian bank. The Bangladesh Reserve Bank heist resulted in $81m being stolen. The huge data breach suffered by the Philippine Commission on Elections (Comelec) in April 2016 was beyond embarrassing: two hacking groups stole personal information, including fingerprint data and passport information, belonging to more than 50 million people.

So, security will continue to be a desperate need, and CIOs need to change their own perception and the perception of the board when it comes to measuring ROI for security. They need to step up to the plate and tell the board that there is no ROI. At the same time, they should make sure they collect the right security metrics to demonstrate to the board the real value of security.

[1] Source: Identity Theft Resource Center