Security investments remain a tough sell

RSA Conference 2007

Corporate IT security staff continue to struggle with balancing security investments and business priorities.

Funds spent on security cannot be measured as a return on investment because they may or may not prevent a disaster.

In regulated businesses such as banking, insurance and medicine, security is mandated by regulations, but this does not completely alleviate the problem.

"Companies further along the security curve are saying: 'I spend lots of money on security. All I can tell my chief financial officer is that he can sleep well at night because I'm spending all this money,'" Arshad Matin, vice president for compliance and risk management at Symantec, said at a company event during the RSA Conference in San Francisco.

"They are looking for ways to quantify the benefits in a way that business leaders understand."

Christopher Leach, chief risk officer at First Horizon, recommended that companies treat security risks as a potential system outage to estimate the potential risk and justify investment.

"As soon as you put it back into business terms, [senior management] understands it and you're done," he said.

Return on investment is difficult to measure. If a security breach brings down a transactional system, the damage can be quantified fairly easily.

But in the rare case that an incident becomes public, a firm's reputation and stock price are also likely to suffer.

This requires enterprises to shift security policies from a reactive mode in which they respond to incidents, to a proactive mode in which they actively try to prevent incidents.

This in turn changes the jobs of a firm's security staff from plugging holes to educating business lines about the costs in case of an incident and building a consensus about the best solution.

"But the challenge to that approach is that the chief security officer is held accountable," warned Leach.