Risk is key to calculating return on data security investments
“You can’t prove a negative” is a phrase that’s often quoted during any discussion of the ROI of data security solutions. The idea is that the best possible return on a security investment is absolutely nothing: no hack attacks, no virus infestations, no exposed data, no employee malfeasance.
But companies are no longer content to accept “nothing” as a valid statistic. Many want to accurately quantify their return on data security investments (RODSI), according to a study conducted by Protegrity of visitors to their booth at this year’s RSA Conference 2007.
The study also revealed that national and state privacy laws are the main driver of most companies’ data security plans in 2007, with Sarbanes-Oxley (SOX) and Payment Card Industry Data Security Standard (PCI DSS) compliance both coming in a close second.
Additionally, RSA attendees estimated that the cost of a publicly reportable security breach could easily top ten million dollars, with many breaches costing between $4-10 million to remediate.
Over three-quarters of respondents to the survey stated that they are, or have been, asked to calculate RODSI, and some were struggling to come up with a usable formula with which to perform the analysis.
In response to the survey, Protegrity has developed a Risk Analysis Model that establishes a business’ inherent potential exposure to security threats due to the type of data that business generates or collects, and then factors in the unique operational, policy and procedure, and technology risks present in that specific business.
“The process allows every business to calculate their RODSI, and also functions as a security self-audit,” said Gordon Rapkin, president and CEO of Protegrity. “Focusing on data security is a new way to calculate security ROI, which has always been difficult to quantify accurately. Our RODSI Risk Model gives you a much clearer picture of the benefits of a proper data security plan – and helps companies develop, refine and implement their own data security initiatives.” And while compliance with government and industry regulations is obviously a worthy goal, Rapkin said that focusing solely on compliance is not the best way to ensure the greatest RODSI.
“CIOs and security managers will tell you that security is a process, not a project,” Rapkin explained. “While the majority of the companies who participated in our survey have excellent data security plans, some companies only do the bare minimum to comply with regulations and then get stuck in an endless loop as regulations change and they scramble to comply with new rules.”
“Instead, we suggest that companies conduct a risk assessment to determine the real needs of their particular business and develop a plan to fit those needs. That’s a great way to guarantee the best RODSI.”