Can we really talk about Return On Investment (ROI) with information security? Most people view security as a kind of insurance policy – you pay out, year after year, and if you do it right, you never have to claim. So there’s always a temptation to cut costs – which only hurts when something goes wrong.
However, Colin Tankard of Digital Pathways believes that organisations are failing to see the positive side. He argues that there are measurable benefits – that you can see an improvement in the quality of the business because better security also improves processes and procedures. It forces people to do things in more effective ways, rather than in a slapdash or ad hoc manner that is neither secure nor efficient.
Good security reinforces good business methodologies: it can be something as simple as files being in the places they should be. And they’re there because you’re enforcing rules required to prevent data leaks. Firms that conform to regulations such as PCI DSS generally have a better idea where their data is. Security also enforces improvements to infrastructure that may reduce things like helpdesk costs. And if you’re carrying out regular server patching, that also means you’re paying closer attention to your infrastructure and are more likely to spot issues, which is good for business continuity.
Is ROI the right term? It suggests greater earnings, but aren’t we really talking about making savings? Tankard argues it’s all about the word ‘investment’ – about getting something back for the money you’ve spent on security.