ROI: How to make IT security pay

Feature by Steve Gold

Protecting your organisation's data should be money well spent. But how do you get the most out of your investment? By Steve Gold

Ever since the arrival of anti-virus software in the mid-1980s, accountants and IT managers have argued about how to calculate the efficiency of IT security software. Now, with a raft of increased regulations in the wake of the UK's Companies Act 2006 and the Sarbanes-Oxley Act in the US, this debate has spilled over into the boardroom.

But can anyone actually quantify the return on investment (ROI) from modern IT security software? Opinion is divided on the issue, although everyone agrees that it is possible to cut the cost of implementing and maintaining an effective IT security system without adversely affecting efficiency.

In simple accounting terms, this has the effect of improving the ROI of an organisation's IT security system, even if the exact ROI cannot be accurately calculated. Here are some top tips to help savvy IT managers reduce the cost of setting up and maintaining their security systems without cutting corners.

Ensuring that employees are well-educated is one of the easiest ways to protect an organisation from most IT security threats.

The IT department should make a point of training all new (and, where appropriate, existing) members of staff on how to conduct business securely on the internet, both in the office and at home.

Ed Rowley, a technical consultant at Secure Computing, thinks IT managers faced with tight budgets should consider introducing “lunch and learn” sessions.

These can be quickly and easily organised by IT support staff without cutting into working time, while giving employees a chance to gain IT education they would otherwise not have access to.

Most organisations will have bought a range of tools to keep their IT resources secure, some of which may have fallen into disuse, even though the licences are still valid. IT staff should be encouraged to update and distribute these tools to all users.

Operating systems usually come with many integral security measures, but the default setting is off. Switching these security measures on is an easy way to boost protection. This also applies to firewalls, which, although often complex in nature, will protect a system from most unauthorised attacks.

Research from the IT Process Institute found that many IT departments are failing to use existing resources effectively and are wasting too much time on unplanned work. The survey also found that spending on IT compliance and IT control activities had increased sharply in the wake of tighter regulations such as the Sarbanes-Oxley Act, a US federal law passed in response to major accounting scandals such as Enron. The study, which can be downloaded from, found that the top performers had up to 37 per cent less unplanned work than medium and low performers.

Management should ensure there is a coherent policy in place across all departments. The procedures should seek to act pre-emptively rather than respond to individual threats. As Rowley points out, it is the responsibility of the IT department to ensure company policies on IT security are put in place.

Products may be able to assist with this task. Secure Computing claims its CipherTrust IronMail 6.5, released in June, can help to automate this area of IT security, as the product now includes an advanced compliance module, which, the company claims, offers category-based compliance optimised to reduce the administrative burden associated with protecting company information.

Organisations should invest in IT security systems that can be adapted to meet future requirements, as well as upgraded to maintain protection against the latest hybrid threats.

Opting for a well-known vendor can allow a multi-year support scheme to be purchased, effectively allowing the cost of the product to be spread over several years. Many vendors will agree to this kind of contract at sensible rates, on the reassuring basis that the customer will stay with them for a guaranteed period of time. It also allows the vendor to spread the cost of customer installation and customer staff training expense over a number of years.

A variety of Web portals and vendor sites now offer free alerts to be sent out to registered email addresses, either on a regular basis or via a ListBot emailing service. These alerts often act as a free education service for all levels of IT staff, advising them of the latest threats and how they can be countered, often using public domain or low-cost applications.

Make sure that your organisation is getting exactly what it requires from a support and maintenance contract. Policies should be updated and IT management should seek advice from vendors if they are concerned that a product, whether hardware or software-based, is not operating at peak efficiency.

Rowley believes vendor support is inevitably intertwined with company security policies, which should be reviewed and updated regularly.

Encryption is an underused function in many networking and communications applications. The default setting is usually either off or set as a low-power encryption system to save on processing power.

Modern IT hardware has powerful processing power, so IT managers should be quick to make the most of this capability to encrypt any data transfers, both across virtual private networks and the internet.

An example of this philosophy is Seagate's DriveTrust technology, which builds full-disk encryption into the hard disk drive itself. DriveTrust, which will be seen in the company's new generation of drives, due for shipment early next year, automatically encrypts all the data written to the disk, making it inaccessible to anyone unable to input the correct password when the host PC boots up.

Although we'd like to think otherwise, we all make mistakes. Staff should be encouraged to learn from their own mistakes, as well as those of others, and take steps to ensure they do not happen again in the future.

The concept of a no-blame culture may seem at odds with the provisions of Sarbanes-Oxley, but an important part of the act covers issues such as auditor independence, corporate governance and enhanced financial disclosure.

These provisions require the management of any US organisation and, increasingly, of any organisation that does business with US companies, to ensure best practice in their IT and general business operations.

Encouraging a no-blame culture is viewed by many experts as a key foundation in establishing a best practice approach to all aspects of business operations, including IT security.

While all employee workstations need access to the company network, not all employees need direct access to the web. If internet access is not required, do not allocate it to the workstation.

Using this approach can save on software licences, as well as reducing the direct risk to users' applications.

Updates to various applications should be controlled and distributed on a centralised network basis.

Outsourcing is a method of cost control as it offers a fixed-cost approach to a given IT security function, as well as access to specialist suppliers.

Email security is an obvious candidate for outsourcing, as there are several companies offering managed email and email security facilities. According to Mark Sunner, chief technology officer at MessageLabs, email outsourcing also offers access to service-level agreements, something that cannot be achieved on an in-house basis. “We have 100 per cent guarantees on the amount of malware that gets past our servers,” he claims. “We've never let a piece of malware through.”


The cost of IT security is constantly rising as more and more complex hybrid threats evolve, says Dan Druker, executive vice-president of managed email security specialist Postini. At the same time, corporate clients are under constant and relentless pressure to cut their IT security costs.

“When I talk to potential customers, they have three main concerns: communications security, compliance and productivity,” Druker says.

The latter is key for most companies, as they are always looking for business efficiencies. “If you step back 20 years or so to the beginnings of the PC, companies started to discover the business efficiency of email. Then they realised the problems that viruses could cause,” he explains.

“Today, the regulators have discovered email and, as a result, many CIOs are on a knife-edge as they strive to protect their IT systems from all the threats out there.”

And then there's the cost of litigation, which, according to Druker, is significant. “All the CIOs I know seek to avoid the risk of litigation, so they want a cost-effective and efficient IT security system that prevents any legal problems from arriving at the company's door at a later stage.”

Druker argues that while many companies are actively seeking to cut IT security costs, extra funding can also be tapped into, if the CIO knows where to look. “CIOs on both sides of the Atlantic tell me that they spend about six to eight per cent of their revenues on IT security. But their management is also budgeting to spend a further ten per cent on compliance,” he says.

“Compliance doesn't just mean adherence to laws such as Sarbanes-Oxley or the Companies Act in the UK, it also means seeking to protect yourself against possible litigation.”

A good CIO, says Druker, can tap into the compliance budget and spend it on a managed communications system, including managed email, to protect the security of the IT resource. This means, he adds, that the company can shield itself against the rising tide of email-borne threats without having to tap into the mainstream IT security budget.

Mark Sunner, CTO of MessageLabs, argues that companies should be able to cut their IT security costs by asking their internet service provider to filter their email and general internet traffic.

“This is a basic requirement of a good ISP. You wouldn't, for example, expect to have to boil the water that comes out of the tap in your home or office, so why should you be expected to do the same with your internet data?” he says.

Another growing IT security cost, adds Sunner, is the cost of handling the rising tide of spam that threatens to engulf many aspects of the internet.


Global chemical company BASF, probably best known for its magnetic tapes business, wanted to cut IT security costs without compromising the efficiency of its IT security systems. BASF's problem was its size – it employs around 81,000 people in more than 170 countries – and the fact that it wanted to have a global email address.

This made it a high-profile target for spam and virus attacks from malicious and financially motivated hackers of all types, according to Postini, the message management company BASF turned to for help.

By taking a managed approach to its email service, Postini says the firm, whose headquarters are in Germany, was able to reduce the costs of protecting its email systems from attack while actually increasing its level of security.

Brigitte Buchsrucker, a senior specialist in Information Services (IS) architecture at BASF's global IS competence centre, wanted to build a cost-effective, highly available and secure messaging infrastructure for the company. Considering BASF's size and worldwide reach, Buchsrucker says executive staff consider email a business-critical application.

The company had recently decided to consolidate its multiple internet mail domains into a single global one. While this clearly generated economies of scale, as well as general efficiencies for the company's email systems, it also raised the profile of the firm for malware and hacker-originated email attacks of all types.

As a result, BASF decided to opt for a managed email service. “We expected that the simpler global email address would significantly increase the probability of spam and virus attacks in all our regions, so we wanted to pro-actively address the business risk by blocking spam and viruses even before they entered our company's email servers,” Buchsrucker explains.

In addition to cost, service levels, functionality and security, BASF required its service provider to route mail through two different regions. The ability to customise the handling of different mail streams, and to comply with German as well as international data security and privacy requirements, were also key factors.

The company selected Postini, which had already set up multiple data centres around the world to address specific language, cultural, and security requirements.

Over the first weekend, Postini says it successfully migrated BASF's 35,000 European email users over to its managed service, closely followed by a further 25,000 employees. On average, Postini says it now processes around 370,000 incoming messages a day – approximately 11 million per month – using its Perimeter Manager Enterprise systems for BASF.

While the spam reduction figures are not yet available, according to BASF the virus protection has been flawless and requires very little administrative effort, further saving the company direct and indirect costs for its email services.
