Security is not typically considered a revenue generator in most technology environments, and as such it is much like day-to-day operations – a component of technology that must exist and something to be managed or reduced whenever possible. Investing in security can therefore be a hard sell to make to the Chief Financial Officer (CFO). How much security is enough? How do we really determine the return on investment (ROI) of security, which has to be based on an estimate of the cost of bad things that might have happened without it?
The fact is most environments have slim margins for expendable investments. Proposals in the tens of thousands of dollars in the realm of network security can get an icy response. Preparing for that response can be an important strategic exercise.
Fortunately, a very compelling case can be made for security expenditures in a majority of instances. For example, many security offerings enforce compliance. These may be more secure VPNs or cloud technologies, or automation of required procedures that is typically not accounted for in ROI, making them more feasible. Examples abound.
In many cases, enhanced security arrives in parallel with a number of functional improvements. Often security investments are driven by compliance mandates. In healthcare, the ongoing push to reach the baseline standard known as “meaningful use,” which centralizes medical records, is introducing better security by coincidence. In many cases it is the architecture, hardware, software, and standards that make these things a reality. The untold savings in paper, paper document processing, and storage that come from moving to electronic data are a preliminary resource savings vector that is easily identified.
The return on investment in those cases is obvious, but it can go much deeper. Take another large healthcare behemoth, HIPAA, for example. Many of the directives within the compliance rules address security elements that necessitate better security and, by proxy, better functionality for the organization overall. Then you uncover the ROI elements. Some studies had shown that prior to HIPAA standards as much as 30% of healthcare costs had to do with paperwork, much of it redundant. With meaningful use compliance, the notion of a centralized medical record for an individual person is not only directed by the heightened security one would expect but is also an enabling technology, removing redundancy one level further and offering a direct benefit to the patients in the end. Talk about ROI!
There are countless elements in these examples that are below the surface. Calls saved, faxes saved, power saved, the reduction of erroneous paperwork, time saved, and much more all drive a better and better ROI picture the more layers you peel off. Now just imagine these examples extending into the various current technologies such as cloud services, presentation technology for mobile devices, Web apps, smartphone apps, remote work technologies, and so on – all of these technologies require a security element. Before even thinking of deploying these technologies officially, security is a huge consideration.
Action Item: Enhanced security and unleashing users in your environment, along with ROI perspectives, are all critical elements in the equation of the security investment proposition. So the next time spending on security comes up, it is important to orient the conversation much more than in times past towards ROI and the potential enabling of users, customers, and company alike. CFOs and other leaders need to know that investments in modern security improvements not only reflect the required compliance they aim to satisfy but also enable and tie into a number of technology goals, building a strong case on the value of reducing cost to the business and on untold ROI. Significant savings and technology enablement form the bottom line and largely benefit the organization beyond OPEX figures.