Making a return on IT security investment

2017-06-18 18:31 [INVESTING] Source: Netword

Computer Weekly invited some of the UK's top information security leaders to a roundtable debate, in association with Oracle, to discuss how to deliver business value in information security.


The debate focused on how you measure return on investment, ensuring security by design, understanding the value of information assurance, security as a business enabler and how to ensure that the board understands the value of security, as well as the reputational and economic risk of getting it wrong.

How to measure ROI for IT security

Marcus Alldrick, senior manager, information protection and continuity at Lloyds of London, asked, "How do we demonstrate that information security has value?"

He said that if you provide a return on investment (ROI) to the CIO, then cost avoidance must be taken into account.

"Look at operational and helpdesk costs being reduced. Look at leveraging benefits, in terms of people, projects and practices. Security is not an enabler on its own, but it can be a disabler," he said.

Work out a bottom-line figure for security and show that ROI can be done in varying ways, said Callum Halliday, information security manager for the London 2012 Olympics.

"You can quantify things such as better user behaviour and reduced calls to the helpdesk or fewer incidences of virus infections. You can use the pound-sign for virtually everything, which will make the funding organisation more receptive," he said.

Security by design

Security needs to be built into systems from the beginning. As Martyn Croft, CIO at The Salvation Army, pointed out, "You don't want to buy a car and then be told, sorry, the brakes are extra."

Mario Kempton, head of information security at the Serious Organised Crime Agency (Soca), said it is vital that security is present at the inception of any project. "Systems security should be cradle-to-grave, and embedded from day one, but there are no government guidelines in place."

Andrew Yeomans, vice-president of global security at Commerzbank and a board member of the Jericho Forum, agreed. "Security requirements must be stated up-front in the procurement process," he said.

But how security is designed and implemented will vary for different organisations, said Alldrick. "Every business is different. I don't think it will be a science. Security will remain an art, which is why best-practice is key. Security has a collaborative nature and no one model will work. It is a case of mix-and-match," he said.

Understanding the value of information assets

A fundamental challenge is to understand that "information has a value and you have to know what that value is," said Croft.

Des Powley, technical director of security and ID management at Oracle UK, said making distinctions in value is important. "Everyone has anti-virus. The challenge for me is how you take it to a level where we see information as an asset where you can drive business value."

Brian Shorten, risk and security manager at Cancer Research, said, "Security is an asset, not an obstacle. The thing to get across in an organisation is the concept of toxic data; not necessarily in a financial way - it can be anything that can hurt you. For example, what would our supporters think if we screwed up a drugs trial?"

Alldrick said, "Most of our risk assessment is objective. There are four options - risk can be accepted, managed, transferred or avoided. This data is worth this much. If the risk is accepted, get the job done and move on."

Mike Trevett, deputy director for IS and legal services at the Office for National Statistics (ONS), said, "If you lose a customer database, you can't just buy another one. It comes back to a risk management scenario."

Independent research consultant John Leach said that you put a value on information from several perspectives. "There are different angles: the value of information as an asset to generate revenue; valuing information from the point of view of brand risk, if something goes wrong with the brand; and looking at value from a compliance point of view," he said.
