Definitive Measures:

Return on Security Investment Can Give CIOs a False Sense of Survivability

"This article appeared in the Computerworld Executive Suite community. Information on the community is available at https://exec.computerworld.com"

Technologies that reduce risk are the most difficult to justify, especially in traditional financial terms like ROI, IRR and NPV. Unfortunately, the proliferation of large networked systems and off-the-shelf software makes critical applications inherently less secure. CIOs must address this quandary by including sound business contingency scenarios in security and disaster recovery plans.

Much has been written about the return on security investment (ROSI) and the ROI of disaster recovery (DR). This trend is largely in response to frustration among senior IT managers who believe fear is the only effective way to sell business executives on technologies that reduce risk. The problem is that traditional financial measures of purely technical solutions provide an incomplete picture of the options available to an organization serious about dealing with these challenges. IT executives need to understand the broad spectrum of contingency planning options so they don't get caught in the trap of defending security and DR solutions that are both inadequate and expensive.

Several reasonable techniques for measuring security and DR ROI have emerged. These models rely on analyzing factors including the frequency of an event (e.g. intrusion, disaster, theft), its severity (e.g. loss of productivity, revenue, cost to recover), the cost of reducing exposure to such events and the potential reduction in loss. While these approaches are perfectly defensible, their very nature entices technologists to focus almost solely on the resilience of systems (and the technologies of resilience), rather than on the mission of the business.
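The model described above reduces to an annualized loss expectancy (frequency times severity) before and after each option, and a return figure that nets the option's cost against the loss it avoids. The Python below is an added example, not code from the original article; the outage scenario and the two options it scores are constructed, hypothetical figures chosen to show the point the article goes on to make: an option that lowers the severity of an outage through a contingency process can score higher than one that only lowers its frequency.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Option:
    """One candidate investment and the exposure that remains once it is in place."""
    name: str
    annual_cost: float   # cost of reducing exposure, per year
    aro_after: float     # annual rate of occurrence with the option in place
    sle_after: float     # single loss expectancy (loss per event) with the option in place


def ale(aro: float, sle: float) -> float:
    """Annualized loss expectancy: expected events per year times loss per event."""
    return aro * sle


def rosi(baseline_ale: float, option: Option) -> float:
    """Return on security investment: (loss avoided - cost of the option) / cost."""
    if option.annual_cost <= 0:
        # A zero-cost option has no defined return; compare its ALE directly instead.
        raise ValueError("ROSI is undefined for a zero-cost option")
    avoided = baseline_ale - ale(option.aro_after, option.sle_after)
    return (avoided - option.annual_cost) / option.annual_cost


def rank_options(baseline_aro: float, baseline_sle: float, options: list[Option]) -> list[tuple[str, float]]:
    """Rank options by ROSI, highest first, as (name, ROSI rounded to two places)."""
    baseline = ale(baseline_aro, baseline_sle)
    scored = [(o.name, round(rosi(baseline, o), 2)) for o in options]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed scenario (hypothetical numbers, not from the article): a core system
# suffers two significant outages a year, each costing $150,000 in lost business.
BASELINE_ARO = 2.0
BASELINE_SLE = 150_000.0

# Two hypothetical options. The first is purely technical and cuts frequency only;
# the second is a contingency arrangement that leaves frequency alone but cuts the
# loss per event, because the business keeps operating while the system is down.
OPTIONS = [
    Option("redundant infrastructure", annual_cost=200_000.0, aro_after=0.2, sle_after=150_000.0),
    Option("manual fallback plus reciprocal agreement", annual_cost=40_000.0, aro_after=2.0, sle_after=40_000.0),
]

if __name__ == "__main__":
    for name, value in rank_options(BASELINE_ARO, BASELINE_SLE, OPTIONS):
        print(f"{name}: ROSI {value:.2f}")
```

The ranking is only as good as the frequency and severity estimates feeding it, so its value is in putting technical and process options on the same footing rather than in the precision of any single return figure.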

The bottom line is that by over-emphasizing investments in technologies that minimize security breaches and long outages, we risk under-investing in the management of business contingencies. In reality, contingency planning is as important as the underlying technology that protects our systems. If a system fails, the survivability of the business process is of immediate and paramount importance. Anyone familiar with hospitals knows that the business operation can't come to a halt if IT fails. There must be a manual backup process that allows, for example, a doctor to obtain a patient's blood type.

In 1997, the Department of Defense and Carnegie Mellon's Software Engineering Institute published a groundbreaking paper on network survivability (R.J. Ellison et al., "Survivable Network Systems: An Emerging Discipline"). In the paper, the team presented the notion that large-scale distributed network systems are "unbounded," meaning they have no single point of control and no unified security policy, and hence face significantly increased intrusion risk (we all know that no system is fail-safe). The paper argued that IT leaders should consider that survivability (not to be confused with system resilience) means preserving the mission of the system even if that system is compromised and becomes inoperable.

This definition of survivability is significant to technology executives in that it expands the concept of risk mitigation well beyond existing systems. Specifically, risk management strategies must consider alternative scenarios for delivering services in the event that critical systems are unexpectedly interrupted. The role of technology executives in this regard is twofold: 1) actively participating in alternative scenario planning and 2) ensuring the technical viability of the alternative solutions deployed.

While it is unlikely that IT can (or should) own the process of business contingency planning, a cross-functional view makes the CIO an effective facilitator. The CIO is in a unique position to look for solutions that combine system resilience with mission survivability. A good example is call centers. It is common for an organization to have two separate call centers supported by two IT infrastructures. This expense is justified by the need for fail-safe customer service. Some organizations, however, outsource a portion of their call center needs and the IT with it. The outsourcer provides ongoing call center and IT services in addition to business contingencies.

Email is another good example. Some organizations have realized they can reduce the cost of email resilience and provide business contingency by outsourcing a part of their email and loosely connecting the two systems. In one case, a large publisher provided lower cost/lower function email to a subset of its users (a capability not readily available on its in-house system) while providing a Web-based backup capability to its power email users.

Alternative risk management scenarios might include cooperation with partners, or in certain instances direct competitors, to agree on reciprocal contingency plans in the event of a disaster, security breach or other unplanned outage. Financial arrangements and legal agreements can be in place to compensate and protect the parties with assurances to provide services in the event of a critical interruption of a system. This approach can be significantly more economical than a purely technical solution.

There are numerous examples where a technical approach may not deliver tangible payback or is simply deemed too expensive by executive management. The kinds of contingency and survivability planning discussed above, combined with solid resiliency planning, will be much more compelling to business executives and more likely to secure funding. Far too little attention is paid in the IT community to rigorous business contingency planning. I strongly believe that, in many instances, IT professionals are uniquely qualified to oversee and implement process-oriented risk management initiatives, even those with a limited technical scope. IT executives are in a strong position to actively participate in the tradeoff analysis between largely technical solutions and alternative risk management scenarios. Likewise, the technical viability, standards framework and testing of alternatives are undeniably the role of IT management.

Today, typical assessments to justify security and risk investments generally lead to requests for more firewalls, intrusion detection, PKI, encryption and a host of technologies desperately seeking ROI. The dramatic changes in the structure of large networked systems and their inherent vulnerabilities make purely technical approaches to minimizing risk exposures inadequate. The delivery of critical services depends as much on IT executives' understanding of the business objectives as on the technical resilience of systems, software, networks and associated security policies. While it is obviously not the responsibility of IT executives to "own" business-oriented contingency planning, integrating such initiatives and new thinking into security and disaster planning is simply too compelling for IT to ignore. Indeed, risk management alternatives depend on the participation of IT, and a partnership with business constituents in this field is one that is destined to succeed.

ROI measures for security and DR have their place; but don't be blindsided by the numbers.

David Vellante is President & CEO of ITCentrix, a division of Barometrix Software Corporation, a developer of Portfolio Analysis and Management solutions. He can be reached at dvellante@barometrix.com
