
Commentary: Misunderstanding security's value

While in the boom heyday, IT managers' spending decisions were rarely questioned, a Forrester expert says today's cautioned environment makes for deeper thinking about security.

By Forrester Research
Special to CNET
July 31, 2003, 1:00 PM PT

By Steve Hunt, Vice President, Forrester Research

A client recently asked me, "When will the IT security industry enjoy its next 'pop'? When will customers spend again like they did in 2000 and 2001?"

In the years preceding 2000, most companies relegated information technology security decision-making to specialized IT staff. Those individuals were commonly security professionals who had the best interests of the company at heart. They worked hard to identify threats and vulnerabilities to the network and systems, and they tirelessly pursued greater security awareness and more sophisticated technical functionality. Unfortunately, it was exactly this focus on security and technology that later backfired.

During 2000 and in subsequent months, the global economy began tightening. IT security managers were put in a position they had never experienced, namely, being required to justify their expenditures. That is, IT security was always understood by senior management to be somehow necessary, but those managers rarely required normal cost-benefit analysis on security initiatives. They just trusted that the security professionals were doing the right thing.

By 2001, it was common to hear IT security managers requiring vendors to help them with a return-on-investment analysis or to help them put security into "business terms." After Sept. 11, 2001, security managers fell under even more pressure to manage costs while improving security.


Today, IT security suffers as a market, because neither the vendors nor the prospective buyers understand the value to the business. It is not clear how more firewalls or better security processes will improve the bottom line. It is far from certain that intrusion detection makes a company more secure. And it is questionable at best whether penetration testing makes the company better.

Until the vendors and buyers find a rationale for buying security products and services that demonstrates real value for the company as a whole, the market niche will only be attractive to the few, rather than to many.

The key to revitalizing the IT security market and to demonstrating the real value of security is to understand how technologies and processes create opportunities for a company to achieve its goals. In short, security must be measured as an enabler--not as a thing that merely keeps bad things from happening.

But that is not as easy as it seems. Vendors are lining up right now to tell you how your business couldn't even exist without security; security therefore "enables" your entire business. But with that reasoning, there is almost no limit to what you ought to spend on security.

The leap of logic that most people make, if they even get this far, is assuming that security is the variable that makes all other investments successful. That is wrong, of course. Here is an example from economist Robert A. Book:

If I am a bank manager and I have a business requirement to reduce capital expenses that are related to bank tellers, I can eliminate those jobs and put all the money on street corners with a piece of paper that says, "Take what you want, and let us know how much you took so that we can balance your account." Or I can simply lock all the doors to my bank branches so that no bank tellers are needed.

Both ways enable me to achieve my business objective of reducing the headcount, but neither is feasible for reasons that have only a little to do with security. The solution is to put the money in ATMs (automatic teller machines) on street corners and to give customers plastic cards and PIN (personal identification) numbers.

Without the security measures of PINs, plastic cards and secured ATMs, that initiative would be unsuccessful altogether. But the value of security to the bank manager is not the total savings, nor is it the difference between his capital savings and the costs of deploying ATMs.

Security is only a small part of that delta. By measuring the benefits of the entire ATM project and the extra benefits in terms of flexibility enjoyed by the bank, we can deduce that a fraction of that value is due to security.

Measuring the value of security is not impossible, but it is easy to do wrong. Focusing on security itself brings about misleading conclusions. But focusing on the objectives of the business in the first place leads to the most important metric: the real value of security.

This is a new language for security professionals, and it is not really in the comfort zone of most IT professionals. But the IT security market will not experience its next "boom"-- and organizations will not achieve true efficiency and effectiveness in their security initiatives--until they change their thinking.

© 2003, Forrester Research, Inc. All rights reserved. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change.