
Security Sounds Good, But Does It Make Me Money?

From time to time, I find myself sucked into discussions about the return on
investment of security. The discussion goes something like this: from a
business perspective, if security is an expense and I can choose to incur it
or not, why should I? I seem to have done just fine until today. Then, a
more enlightened issue comes up: if I understand the risk and I am willing
to take it, that means I have the choice of spending money on prevention or
remediation. Why not wait until something happens and then… we’ll call
you.

That just about describes the biggest misconception in business today.

A possible analogy that also gives my audience ample opportunity to disagree
goes like this: if I have to cross the highway on foot every day to buy milk
(picture Eddie Murphy in Bowfinger, running across the highway in tears) and
I have managed to do it successfully for seven days in a row, why not keep doing
it until I get hit and then I’ll deal with it depending on how badly I’m
injured? Who knows, maybe it won’t hurt that badly anyway! Imagine the
savings.

I mention this particular issue because I find, based on industry
statistics, the lack of awareness to be absolutely staggering. Businesses
from the ‘micro’ level to multinationals equally ignore a risk that changes
every day. This risk created worldwide losses of US$55 billion last year due
to viruses alone. I say ‘alone’ because manual attacks perpetrated by humans
rather than by software are much more damaging. Hackers, thieves, identity
theft, wireless breaches, insider crime, and downtime start as crimes of
opportunity or revenge. They affect organizations like many that you can
probably think of with no budget for this sort of thing, and without a
security strategy that can be explained with a straight face.

The fact is, insurance is a part of doing business and it does serve a
purpose: to provide financial compensation for losses incurred as a result
of an unlikely disaster. While there exist obscure cyber-security insurance
policies, they are not a solution any more than say… a financial
settlement after you’ve lost the use of your limbs in an ‘accident.’ In the
case of remediation efforts and incident management, a recent survey shows
that the cost of fixing a breach or a loss after it’s happened can be about ten
times higher than the cost of planning for it and anticipating it.

Prevention is the only way to protect the intangible information assets of a
business, the soft, squishy stuff that accounts for up to 80% of its value
(Wleugel, Dowdall, Grange 2003). Prevention means building information
security into your business processes, aligning your policies with those of
your suppliers, hardening your systems, and educating staff.

Yes, education! Stop worrying about signing up for the latest Web-based
tutorial on how to extract another 5% use out of Microsoft Word. Print a
tutorial leaflet and let your staff read that before going to bed. Instead,
management needs to worry about the fact that their frontline workers are
unprepared for any situation that threatens a company’s assets. Hey, if it
doesn’t show up in financial statements, it’s not happening, right?

Well, guess what? According to a recent FTSE350 survey of public companies,
50% of them don’t think security has anything to do with share price and
public perception. Unfortunately for them, 83% of investors do think so and
a quarter of them would immediately take their business elsewhere.

Even more outrageous, 71% of executives think that security - the security
of their business assets - is the responsibility of their IT staff. Again,
87% of investors say they will hold executives personally accountable. Under
new legislation, in fact, they’ll also get 20 years in jail to ponder the
situation and understand how that liability stuff works. A good information
technology professional will advise management and business owners to adopt
proper risk management. In fact, I published a press release this week to
that effect. Hundreds of media outlets have seen it. Will it have an impact?
I hope so.

Now about my point, which is that, in fact, there is a substantial return on
investment from security. Obviously, this is something that costs money,
just like rent, computers, training, etc. However, unlike those things,
clients care about the degree to which a business protects their valuables.
Between two competitors, the one that would be more likely to gain my trust
is the one that impresses me with its safeguards, compliance, and general
security awareness. That’s generally how we all pick a ‘good’ mechanic.
Let’s face it, the difference between a good mechanic and a bad one is how
they treat your car and how they take care of you. Just like customer
service, security safeguards represent an aspect of business that can and
often does close a sale.

In addition to that, security preparedness makes money by avoiding losses,
liability, retrofitting, emergency incidents and productivity losses. I’m
talking about the difference between spending $100 on protection/prevention
and $1000 on hasty repairs in the very best-case scenario. With proper risk
management, a business can increase security without increasing spending,
streamline processes, and extract valuable incremental productivity.

So if you ask me whether security makes you money, my answer is yes.
Absolutely. The more valuable the business, the more money you keep by not
waiting to lose it first.

For more biased commentary, tune in next week.

Claudiu Popa is an executive security advisor. A previous contributor to
Lockergnome, Claudiu publishes The PULSE, a quasi-monthly e-mail newsletter.
As president of Informatica Corporation in Toronto, he spends most of his
time forcing security awareness on unsuspecting employees, managers and
business owners who would rather do something else.
