Calculating ROI On Data Security
Apr 1, 2007 12:00 PM
The adage that “you can't prove a negative” is often quoted during any discussion on the return on investment (ROI) of data security solutions. The idea is that the best possible ROI on security is “absolutely nothing” — no hack attacks, no virus infestations, no exposed data, no employee malfeasance.
But companies are no longer content to accept “nothing” as a valid statistic, according to a study conducted by Protegrity, a provider of data security management solutions. In fact, many companies want to accurately quantify their return on data security investments.
A survey of visitors to Protegrity's booth at this year's RSA Conference found that national and state privacy laws are the main driver of most companies' data security plans in 2007, with Sarbanes-Oxley and Payment Card Industry Data Security Standard (PCI DSS) compliance together a close second.
RSA Conference attendees also estimated that the cost of a publicly reportable security breach could easily top $10 million, with many breaches costing between $4 million and $10 million to remediate.
More than three-quarters of respondents to the survey stated that they are or have been asked to calculate ROI related to data security, and some were struggling to come up with a usable formula with which to perform the analysis.
In response to the survey, Protegrity has developed a Risk Analysis Model that establishes a business's inherent potential exposure to security threats due to the type of data the business generates or collects, and then factors in the unique operational, policy and procedure, and technology risks present in that specific business.
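The article does not publish the formula behind Protegrity's Risk Analysis Model, so the following is an added example, not the vendor's model: the widely used annualized loss expectancy (ALE) approach, in which ALE = SLE x ARO (single loss expectancy times annualized rate of occurrence) and return on security investment (ROSI) = (ALE before the control - ALE after the control - control cost) / control cost. The `Scenario` class, the `rosi` and `breakeven_aro` functions, and every dollar figure and rate are assumptions constructed for illustration; the breach cost is chosen from the $4-10 million range the survey respondents cited.

```python
"""Generic ROSI calculator (added example; not Protegrity's Risk Analysis Model).

Uses the standard ALE model: ALE = SLE * ARO, and
ROSI = (ALE_before - ALE_after - control_cost) / control_cost.
All names and figures below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    sle: float          # single loss expectancy: cost of one occurrence, in dollars
    aro: float          # annualized rate of occurrence: expected events per year
    mitigation: float   # fraction of the ALE the proposed control removes (0..1)

    def __post_init__(self):
        if self.sle < 0 or self.aro < 0:
            raise ValueError("sle and aro must be non-negative")
        if not 0.0 <= self.mitigation <= 1.0:
            raise ValueError("mitigation must be a fraction between 0 and 1")

    @property
    def ale(self) -> float:
        """Expected annual loss with no additional control in place."""
        return self.sle * self.aro

    @property
    def residual_ale(self) -> float:
        """Expected annual loss after the control removes its share of the ALE."""
        return self.ale * (1.0 - self.mitigation)


def rosi(scenarios, control_cost):
    """Annual ROSI as a ratio: 0.5 means the control returns 50% of its cost."""
    if control_cost <= 0:
        raise ValueError("control_cost must be positive")
    avoided_loss = sum(s.ale - s.residual_ale for s in scenarios)
    return (avoided_loss - control_cost) / control_cost


def breakeven_aro(scenario, control_cost):
    """Event rate at which a control aimed at one scenario just pays for itself.

    Useful when the ARO is the number nobody can agree on: if the breakeven rate
    is one breach per decade and you already see one every few years, the
    decision no longer hinges on the exact estimate.
    """
    reduction_per_event = scenario.sle * scenario.mitigation
    if reduction_per_event <= 0:
        return float("inf")  # the control avoids nothing, so it never breaks even
    return control_cost / reduction_per_event


# Constructed inputs (hypothetical): a reportable breach priced inside the
# $4-10 million range the survey respondents reported, plus a smaller, more
# frequent loss event.
SCENARIOS = [
    Scenario("reportable breach of customer records", sle=4_000_000, aro=0.10, mitigation=0.80),
    Scenario("lost laptop holding unencrypted data", sle=250_000, aro=1.0, mitigation=0.95),
]
CONTROL_COST = 300_000  # assumed annualized cost of an encryption and key management program

if __name__ == "__main__":
    for s in SCENARIOS:
        print(f"{s.name}: ALE ${s.ale:,.0f} -> residual ${s.residual_ale:,.0f}")
    print(f"ROSI: {rosi(SCENARIOS, CONTROL_COST):.1%}")
    print(f"Breakeven ARO for the breach scenario: {breakeven_aro(SCENARIOS[0], CONTROL_COST):.4f}/yr")
```

The point of the breakeven function is the one practitioners usually need in a budget discussion: the ARO is the least defensible input, so rather than arguing over 0.1 versus 0.2 breaches per year, show the rate above which the control is already justified and let the decision rest on whether the organization believes its real rate is above or below it.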
“The process allows every business to calculate the ROI of their data security, and also functions as a security self-audit,” says Gordon Rapkin, president and CEO of Protegrity. “Focusing on data security is a new way to calculate security ROI, which has always been difficult to quantify accurately.”
While compliance with government and industry regulations is obviously a worthy goal, Rapkin says that focusing solely on compliance is not the best way to ensure the greatest ROI.
“CIOs and security managers will tell you that security is a process not a project,” Rapkin explains. “While the majority of the companies who participated in our survey have excellent data security plans, some companies only do the bare minimum to comply with regulations and then get stuck in an endless loop as regulations change and they scramble to comply with new rules.”
“Instead, we suggest that companies conduct a risk assessment to determine the real needs of their particular business and develop a plan to fit those needs,” he continues. “That's a great way to guarantee the best ROI.”
© 2014 Penton Media Inc.
Today's New Product
Privaris has released an updated version of its plusID Manager software, Version 2.0, which supports the company's family of personal identity verification tokens for secure physical and IT access and extends the ability to administer and enroll biometric tokens. The software adds multi-client support, import and export functionality, more extensive reporting features, and a key server that provides a more convenient method of securing tokens to the issuing organization.