What’s The ROI On Security?

Equifax, HBO, Sony, Home Depot, Target… the list goes on. What do these companies have in common?

I am pretty certain you guessed the answer to this question. Yes, they have all suffered massive data breaches. How is this possible? Ask any security professional and they will be quick to explain how these companies failed to secure a database, patch a system, control access to a resource, or follow any of a plethora of other seemingly basic security best practices.

This leads me to a host of other questions. Do these multibillion-dollar companies not have any capable security professionals at the helm of affairs? Could it be that these companies lack the financial power to implement these solutions? Or is it just a case of neglect and reckless abandon? Actually, the question I should be asking is whether these companies understand the true return on security investments.

Ask any finance professional to justify investments made in human resources, advanced business enhancement technologies, office space and equipment, among others, and they will be able to draw a direct correlation between these investments and revenue. However, in most cases, the same cannot be said about security investments. The ROI on patching a server, implementing appropriate data security procedures and controlling access to systems can hardly be explained without truly understanding the current landscape businesses operate in and the true reason for any security control.

This is, in my opinion, where the true lapse in security can be found. Why should a business spend millions of dollars implementing an access management control which does not, at face value, add anything to the bottom line? It's just not logical under such conditions to make the investment. For most businesses, the possibility of a data breach is more a probability than a certainty. It's not a question of if but of when, if it has not happened already. If businesses understood that the true cost of using technology to facilitate and grow profits is the cost of securing such technologies, then maybe they would see the bigger picture. If businesses only knew how prone they are to becoming another "target", then maybe the security budget would be looked at as a strategic investment that produces and protects revenue, rather than a wasteful expense.

With the security landscape becoming more complex each second, it is the duty of security professionals to adequately convey the true business implications of security. Only then will businesses be able to make strategic investments to protect stakeholder and customer interests.


The following thoughts, intentions, strategies and/or solutions are those of the blog authors and do not represent the position of anyone other than the authors.