ROI by Any Other Name: The Payoff from Network Security

What is a Firewall?

Is a firewall a magic box that lets the good in and keeps the bad out? Jimmy Ray Purser helps you understand what a firewall is and how it works. (1:55 min)

Viewing this embedded video requires the latest version of Adobe Flash Player with JavaScript enabled.

Get the Flash Player

What is a Firewall?

Is a firewall a magic box that lets the good in and keeps the bad out? Jimmy Ray Purser helps you understand what a firewall is and how it works. (1:55 min)

Network security is like a bike helmet. To decide if either is a smart investment, you measure the harm it can prevent, multiply that by the odds, and weigh the result against the solution cost. It's no surprise that bike helmets and firewalls are very popular purchases.

The Name of the Game: Cost Savings

Some argue that return on investment (ROI) analyses don't really apply to network security purchases because security doesn't usually increase a company's revenues.

But if your concern is business financial results, cutting costs can be as valuable as increasing revenues. A smart question to ask is, "What could happen to our business if we don't have protection, and how much would it cost us?"

Preventing security incidents reduces these "hard" costs:

  • Revenues lost when a hacker takes down your sales website
  • Lost productivity when a virus takes down laptops, PCs, or servers
  • Productivity lost from employees having to manage spam-clogged inboxes
  • Theft of information, ranging from new product plans to private customer payment information
  • Assets lost to phishing attacks that fool employees into revealing passwords that hackers use to access bank accounts or company applications
  • IT overtime costs to clean up after infections

Start with "Hard" Cost Savings

Many experts recommend that instead of using ROI, you evaluate the business case for network security investments using a model called annualized loss expectancy. Here's how it works:

  1. Calculate the cost to your company of each type of security incident if you do nothing. Include the hard costs. For example, if private customer records are stolen, add up all the lost data costs (fines, litigation, recovery costs, etc.) plus the time and money it would take to rebuild your company's brand and regain customer confidence. Another example: If a virus attack takes 30 employees' PCs down for two hours, and the burdened costs of the employees are $38 per hour, you lose $2,280. Add to that the labor cost for an IT administrator to repair the damage.
  2. Multiply the total cost of each type of incident by the likelihood that the incident will occur during a year. Make an informed guess. From personal experience you might estimate that the chances of receiving spam are close to 100 percent, while the odds of a virus that takes down a PC or web server for an hour might be 50 percent. A resource for the probability of different types of attacks is the Computer Security Institute Annual Computer Crime and Security Survey, in the section "Frequency, Nature, and Cost of Cybersecurity Breaches."
  3. Compare the resulting annual cost figure for each type of incident to the cost of a network security solution that would help keep it from occurring.

Here's an example, using spam as the type of incident: You have 100 employees; their average salary is $50,000. Each receives an average of 60 emails daily, of which 40 percent are spam. If it takes five seconds to delete a spam email, each employee loses 8.33 hours during a 50-week work year, meaning $20,825 in lost productivity annually. A spam-prevention solution that costs that amount or less will quickly pay for itself.

Add in the "Soft" Benefits

The financial analysis becomes even stronger when you add the "soft" benefits, such as:

  • Improving customer service by keeping your web and business applications available
  • Becoming eligible to work with customers that require vendors to meet their security requirements
  • Enabling compliance with regulations such as the Payment Card Industry (PCI) and the Health Insurance Portability and Accountability Act (HIPAA)
  • Having a secure network foundation that enables unified communications for collaboration and better customer service

The Payoff

The parent of the child with the bright pink bike helmet wasn't bogged down by ROI discussions, and you needn't be either. Just ask, "What could happen if we don't have a security solution, and how much would it cost?" A content filtering solution that will cost $2200 and save your business $20,000 improves your financial results by $17,800.

Next Steps

Find a Local Reseller

City/State/Zip:

Country:

Business Heroes

Get innovative business insights and share your ideas, visit the business advice blog, "Business Heroes".

Visit blog