Some security professionals argue that because their profession mitigates risk, it should be excluded from the need to return capital. Moreover, some make the case that project governance could be hijacked and reputation damaged if financial returns, based on an extrapolation of risk reduction, are not delivered.
That ROI-free attitude could be changing. Stuart Guest-Smith, former projects and operations director at software company Microgenx, said organisations that rely on e-commerce or already have instances of fraud occurring can more easily guarantee ROI.
“In this climate, everything IT puts forward needs a dollar value,” Guest-Smith said.
“Security is one of those grey areas with intangible outcomes — until something happens — so you have to be confident that the ROI you promise is what you can return.
“A few years ago, the rationale behind the value wasn't as scrutinised, but now all the CIOs and execs I know have to justify spend.”
Security managers in most finance organisations have plenty of rationale for a business case, Guest-Smith said, including an immediate decline in active fraud. Those in other organisations should point to tightening compliance regulations, improved retail services and customer trust, and efficiency gains.
Other industry professionals say that ROI can be achieved by automating manual processes such as identity management and provisioning.
CSC Australia CIO Stephen Kowal said audit and compliance teams can be potentially cut in half if security is made tighter and more efficient.
“Anywhere where there is a frequent spend on security can have an immediate benefit. Banks may have a certain amount of existing credit card fraud so there are direct financial gains when fraud drops from x to y.”
However, projects may be crushed by management if they do not deliver on promised returns. IBRS security analyst James Turner said some inexperienced security managers may use dicey figures in an attempt to formulate ROI.
“It's the system being protected that makes the money, not the security. The minute you start using rubbery figures, you begin to make a loss prevention tool look like an investment tool, which is confusing, because governance people then see security as a way to increase wealth,” Turner said.
“Productivity experts will see through the small productivity gains from an identity management system, for example, and know they will never be realised.”
Turner said security professionals can use the potential costs of data breaches to help build business cases, and suggests using figures from AusCERT and the Australian Institute of Criminology.
Almost every business can make cheap but substantial improvements to security by better integrating existing systems into the architecture, running audits and tightening policies. Assurance.com.au director Neal Wise said security managers should be more pragmatic about purchases and weigh the cost of the product against the value of the asset.
“It's not hard to make a business case if there is a genuine threat, but the processes of risk management must show the likelihood of the threat is great, and that the cost of investment is less than the value of the asset,” Wise said. “The security industry can be guilty of proving solutions where the cost of the product is less than the asset, [however] organisations have a greater awareness of appropriate spend in security.”