- Category: August 2013 - Data Protection & Security
According to Forrester’s 2012 report “Determine The Business Value of an Effective Security Program - Information Security Economics 101”, it is almost impossible for chief information security officers (CISOs) to meet all of the modern organization’s security demands. CISOs are evaluated not only on technical performance but also on how they manage information security as a business.
In the report Forrester presents the “Information Security Value Model”, which can be used to calculate the financial value that information security provides to the business in terms your executive colleagues will understand. We hope this summary finds you curious about the full report, which is available at forrester.com.
The job of a CISO is not easy. Not only are they constantly faced with new technologies, cyber threats and regulations, but they continually have to prioritize their security spending, too.
Cybercriminals, with their well-developed business plans, have the situation to their advantage:
- They don’t need to spend a lot to steal a lot: Attackers looking for private information demonstrate surprising efficiency.
- Well-defined markets exist for stolen information: There is an underground economy, where supply and demand set prices just as they do for other goods and services.
- State-sponsored agents operate under their own rules: A wave of China-based cyberspies mounted successful attacks on the networks of at least 760 companies, research universities, Internet service providers and government agencies over the past decade.
According to the report, CISOs are at a competitive disadvantage: cybercriminals have well-developed business plans, but CISOs do not. CISOs use various means to estimate their budgetary needs. One approach is to benchmark against what other firms spend on security; another is to peg spending as a percentage of IT costs. Neither approach satisfies the CISO or senior management, and neither represents a sound business case.
Some of the biggest challenges CISOs face today include:
- CISOs don’t align security objectives with corporate strategic or functional objectives.
- CISOs use very few quantitative measures to support the budgeting process.
- CISOs use last year’s budget to determine this year’s budget.
- CISOs don’t consider information asset value.
Forrester’s Information Security Value Model
Forrester’s idea of allocating revenue to information assets is new. Using this method, CISOs can develop a security budget that is more closely aligned with business needs. Because it focuses on the revenue streams that feed the business, it is a better way to account not only for the cost of information security but for its benefits as well.
Forrester provides CISOs with a worksheet and process to quantify the value of information security, similar to how you would track profits and losses with an income statement. This financial model will help estimate the value of information assets, using percentage of revenue as a proxy for information security value. It also enables comparing the value of information assets with the costs associated with protecting these assets.
Determining the revenue contribution of your information
“Cash is king” is the old saying. Tracking how information contributes to revenue quarter by quarter will be important to effectively measure the value of information security efforts.
Follow these steps to categorize and quantify the revenue from an information asset:
- Categorize information assets by business area;
- Quantify the revenue that the information assets produce;
- Quantify risk and compliance implications for non-revenue information assets.
Next, characterize information security costs as either fixed or variable, determining the fixed costs and predicting the variable ones. Costs should be relevant, reliable, and consequential. It is especially important to review variable costs, because organizations so rarely track them effectively.
Use the following steps to categorize information security costs:
- Quantify fixed operational costs;
- Quantify fixed legal and regulatory costs;
- Estimate direct, variable costs;
- Estimate variable legal and regulatory costs;
- Predict variable operational costs;
- Calculate the variable reputational costs.
Finally, calculate security value as a ratio of protection costs to revenue. Forrester proposes a new measurement of security value that can be expressed by the following formula:
Security costs/revenue = information security value.
Here, security costs are the total costs needed to protect revenue-producing information and information with compliance and risk implications. Revenue is the income produced by the information assets associated with those security costs. Using this approach will help you think more like a financial officer and manage this ratio down over time, so you can demonstrate focused and efficient use of resources.
Forrester further recommends adapting the income statement and balance sheet to support the planning process in information security by following these steps:
- Determine which information assets make the most money for your company and start there;
- Use the Information Security Value Model to reallocate resources;
- Think like a financial officer.
An interactive spreadsheet detailing the process is available online and can be used to create an information security income or value statement. Forrester provides it to help CISOs express security expenses as a percentage of revenue, which more accurately represents the true value of information security and the role information plays in the organization’s value chain.