Why Annual Loss Expectancy is Important for Today’s CFO

By Mahmoud Samy, Regional Director, Middle East, Russia and CIS at Arbor Networks

The rise in cyber crime and the escalating importance of IT security for Middle East businesses has been well documented in the media. Today more and more, IT systems are being leveraged to accelerate business growth, which simultaneously escalates the risk they face in the event of a successful attack.

To avoid this, IT departments have had to establish a delicate balance between investing in the latest technology solutions and ensuring that these systems are robust and secure. Often, this requires additional investment in a security product which adds to the overall cost of the implementation.

While IT teams understand the need for a security solution, it is rare for the CFO to be so easily convinced. The role of the CFO is to understand the financial benefit of a project, which is why it is difficult for them to understand why they should invest in security. If the security implementation does not provide a Return on Investment (ROI), then how can one financially justify the project? This is a common question faced by security professionals, who can measure the impact of a security incident, but are challenged when asked to justify the benefit of solutions designed to prevent losses.

Looking beyond ROI

It is important to understand that while not all projects have a positive ROI, this does not mean there is no benefit. CFOs are concerned with all aspects of the business but focus most on the financial numbers that relate to it. At a high level, this means revenue, expenses, and profits. ROI is popular since it maps directly to profits, greater gain versus cost, while compliance-driven projects are viewed purely as an expense. CFOs are always looking to minimize expenses and improve profitability, which means they are also looking for expenses they can eliminate or reduce. Losses and the risk of losses are two of those expenses. While it is easy to justify the need for a security project after an incident, it is always preferable to avoid the incident in the first place.

The complication of making a case for security spending

Making a convincing presentation that appeals to a CFO requires IT professionals to understand the CFO’s mentality. The four major factors that any CFO assesses are Justification, View, Benefits and Issues Addressed. For most projects ROI provides the justification; the project is viewed as an investment; the benefits are quantitative and measurable; and the issues being addressed are long standing. For security investments however, the justification is often compliance; the investment is almost always viewed as a cost; the impact is measurable though the benefit is not; and the issues being addressed are not long standing but rather new and evolving.

Convincing CFOs with ALE

It is sensible to appeal to an individual in terms that they best understand. In the case of the CFO, this means providing convincing numbers, and Annual Loss Expectancy (ALE) is an effective way of doing this. ALE is a financial formula that expresses the financial risk an organization is exposed to in terms of the impact of an incident, estimated before it occurs, and the frequency with which that incident is expected to occur. To calculate ALE, one must first determine two factors pertaining to the particular security threat: the Annual Rate of Occurrence (ARO) and the Single Loss Expectancy (SLE).

The Annual Rate of Occurrence is simply the number of times the security incident occurs per year. Take DDoS attacks for example. Arbor Networks’ WISR report found that, on average, organizations faced 1-10 attacks per month, meaning their ARO could be anywhere between 12 and 120. Industry reports are a useful tool for determining this figure, though using the actual number of threats faced by the specific organization is better.

Single Loss Expectancy (SLE), on the other hand, is trickier, as it requires a more thorough analysis of the business and the risk. It can be defined as the amount of loss expected from any single successful attack on the given asset. This cost arises from the expenses related to incident response and forensics, customer and IT support, brand repair, legal, theft, penalties and others. Each of these must be assessed and the associated monetary loss calculated.

Once both the Annual Rate of Occurrence and the Single Loss Expectancy have been calculated, their product gives the Annual Loss Expectancy. As a conservative example, consider a business such as an internet service provider that, according to the WISR report from Arbor Networks, faces at least 12 DDoS attacks a year. IDG Research found that the average cost of a DDoS attack outage is $1 million[1]. The ALE for such an organization is a staggering $12 million. When faced with the risk of enduring such an expense or investing in a security solution that costs only a fraction of this amount to install and maintain, any CFO would much rather choose the latter.
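The calculation above, as an added example that is not from the article or Arbor Networks: SLE is summed from the loss categories the article lists, ALE is the ARO × SLE product, and a small extension the article only implies (comparing against the cost of a control) returns the expected net benefit. The per-category dollar figures, the control's annual cost and its effectiveness are constructed assumptions, not measured costs.

```python
from dataclasses import dataclass, fields


@dataclass
class SingleLossExpectancy:
    """Loss categories for one successful attack, as listed in the article.
    All values are in the organization's currency; zero means not assessed."""
    incident_response_and_forensics: float = 0.0
    customer_and_it_support: float = 0.0
    brand_repair: float = 0.0
    legal: float = 0.0
    theft: float = 0.0
    penalties: float = 0.0
    other: float = 0.0

    def total(self) -> float:
        """SLE is the sum of every assessed loss category."""
        return sum(getattr(self, f.name) for f in fields(self))


def annual_loss_expectancy(aro: float, sle: float) -> float:
    """ALE = ARO x SLE. ARO is incidents per year, SLE the loss per incident."""
    if aro < 0 or sle < 0:
        raise ValueError("ARO and SLE must be non-negative")
    return aro * sle


def ale_range(aro_low: float, aro_high: float, sle: float) -> tuple:
    """Low/high ALE for an ARO band such as the 12-120 figure from the WISR report."""
    return (annual_loss_expectancy(aro_low, sle), annual_loss_expectancy(aro_high, sle))


def net_benefit(aro: float, sle: float, control_annual_cost: float,
                residual_fraction: float) -> float:
    """Expected annual saving from a control (assumption: the control leaves
    `residual_fraction` of the original loss). Positive means the control pays for itself."""
    if not 0.0 <= residual_fraction <= 1.0:
        raise ValueError("residual_fraction must be between 0 and 1")
    before = annual_loss_expectancy(aro, sle)
    after = before * residual_fraction
    return before - after - control_annual_cost


if __name__ == "__main__":
    # Constructed breakdown that happens to sum to the $1M outage figure cited above.
    sle = SingleLossExpectancy(incident_response_and_forensics=400_000,
                               customer_and_it_support=150_000, brand_repair=200_000,
                               legal=100_000, theft=50_000, penalties=100_000)
    print("SLE:", sle.total())
    print("ALE at 12 attacks/year:", annual_loss_expectancy(12, sle.total()))
    print("ALE band 12..120:", ale_range(12, 120, sle.total()))
    print("Net benefit of a $500k/year control at 10% residual:",
          net_benefit(12, sle.total(), 500_000, 0.1))
```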

Finally, while exaggerating risk estimates to draw attention may sound like a good idea, the best way to make a solid pitch to a CFO for a security project is to identify the main pain points, be conservative in the analysis, be transparent about numbers and assumptions, compare against alternative options, leverage third-party data and research reports, and tie the figures to profits, revenues and avoided expenses. Calculating the ALE for prior successes is also highly effective and beneficial to the presentation.

Taking all this into account will help IT position itself as a trusted advisor to the CFO. Once this has been achieved, IT departments will finally be able to secure the funding that is so essential to protecting their organizations against ever-growing threats and risks.
